5/5 | Device | Writes to Master Boot Record (MBR) | -
Writes 512 bytes to master boot record (MBR).

4/5 | File System | Modifies content of user files | Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt.

4/5 | File System | Renames user files | Ransomware
Renames multiple user files. This is an indicator for an encryption attempt.

4/5 | OS | Modifies Windows automatic backups | -
Deletes Windows volume shadow copies.

4/5 | File System | Known malicious file | Trojan
File "C:\Users\EEBsYm5\Desktop\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" is a known malicious file.

4/5 | Injection | Writes into the memory of another running process | -
"c:\users\eebsym5\appdata\roaming\vmfccerykvqy\xey8d7zi.exe" modifies memory of "c:\users\eebsym5\appdata\roaming\vmfccerykvqy\xey8d7zi.exe"

4/5 | Injection | Modifies control flow of another process | -
"c:\users\eebsym5\appdata\roaming\vmfccerykvqy\xey8d7zi.exe" alters context of "c:\users\eebsym5\appdata\roaming\vmfccerykvqy\xey8d7zi.exe"

3/5 | Process | Creates an unusually large number of processes | -
An above-average number of processes was monitored.

2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | -
Resolves an unusually high number of APIs.

2/5 | Injection | Writes into the memory of a process running from a created or modified executable | -
"c:\users\eebsym5\desktop\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" modifies memory of "c:\users\eebsym5\desktop\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe"
"c:\users\eebsym5\appdata\local\temp\cnuu8vyt.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\cnuu8vyt.exe"
"c:\users\eebsym5\appdata\local\temp\nhsgkr2p.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\nhsgkr2p.exe"
"c:\users\eebsym5\appdata\local\temp\yaqb5zg8.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\yaqb5zg8.exe"
"c:\users\eebsym5\appdata\roaming\micros~1\lsfkrhur.exe" modifies memory of "c:\users\eebsym5\appdata\roaming\micros~1\lsfkrhur.exe"
"c:\users\eebsym5\appdata\local\micros~1\sypykbck.exe" modifies memory of "c:\users\eebsym5\appdata\local\micros~1\sypykbck.exe"
"c:\users\eebsym5\appdata\local\temp\wtsk8wxh.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\wtsk8wxh.exe"
"c:\users\eebsym5\appdata\local\temp\f8a3iwa6.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\f8a3iwa6.exe"
"c:\users\eebsym5\appdata\local\temp\bkm66byk.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\bkm66byk.exe"
"c:\users\eebsym5\appdata\local\temp\hvgo9ckx.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\hvgo9ckx.exe"
"c:\users\eebsym5\appdata\local\temp\gym4nxcu.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\gym4nxcu.exe"
"c:\users\eebsym5\appdata\local\temp\w588h5dn.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\w588h5dn.exe"
"c:\users\eebsym5\appdata\local\temp\wspgagwn.exe" modifies memory of "c:\users\eebsym5\appdata\local\temp\wspgagwn.exe"

2/5 | Injection | Modifies control flow of a process running from a created or modified executable | -
"c:\users\eebsym5\desktop\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" alters context of "c:\users\eebsym5\desktop\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe"
"c:\users\eebsym5\appdata\local\temp\cnuu8vyt.exe" alters context of "c:\users\eebsym5\appdata\local\temp\cnuu8vyt.exe"
"c:\users\eebsym5\appdata\local\temp\nhsgkr2p.exe" alters context of "c:\users\eebsym5\appdata\local\temp\nhsgkr2p.exe"
"c:\users\eebsym5\appdata\local\temp\yaqb5zg8.exe" alters context of "c:\users\eebsym5\appdata\local\temp\yaqb5zg8.exe"
"c:\users\eebsym5\appdata\roaming\micros~1\lsfkrhur.exe" alters context of "c:\users\eebsym5\appdata\roaming\micros~1\lsfkrhur.exe"
"c:\users\eebsym5\appdata\local\micros~1\sypykbck.exe" alters context of "c:\users\eebsym5\appdata\local\micros~1\sypykbck.exe"
"c:\users\eebsym5\appdata\local\temp\wtsk8wxh.exe" alters context of "c:\users\eebsym5\appdata\local\temp\wtsk8wxh.exe"
"c:\users\eebsym5\appdata\local\temp\f8a3iwa6.exe" alters context of "c:\users\eebsym5\appdata\local\temp\f8a3iwa6.exe"
"c:\users\eebsym5\appdata\local\temp\bkm66byk.exe" alters context of "c:\users\eebsym5\appdata\local\temp\bkm66byk.exe"
"c:\users\eebsym5\appdata\local\temp\hvgo9ckx.exe" alters context of "c:\users\eebsym5\appdata\local\temp\hvgo9ckx.exe"
"c:\users\eebsym5\appdata\local\temp\gym4nxcu.exe" alters context of "c:\users\eebsym5\appdata\local\temp\gym4nxcu.exe"
"c:\users\eebsym5\appdata\local\temp\w588h5dn.exe" alters context of "c:\users\eebsym5\appdata\local\temp\w588h5dn.exe"
"c:\users\eebsym5\appdata\local\temp\wspgagwn.exe" alters context of "c:\users\eebsym5\appdata\local\temp\wspgagwn.exe"

1/5 | Process | Creates process with hidden window | -
The process "C:\Users\EEBsYm5\Desktop\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\Desktop\2017-0~1.EXE" > "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\CNuu8Vyt.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\CNuu8Vyt.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "PREPARING" "60000"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\NhsgKr2p.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\NhsgKr2p.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "MASTER_STARTED" "60000"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\CNuu8Vyt.exe" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\XEY8d7zI.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\RiKWxOaL.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\yAQb5Zg8.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\yAQb5Zg8.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "START" "60000"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Roaming\MICROS~1\LSfkRHur.exe" && "C:\Users\EEBsYm5\AppData\Roaming\MICROS~1\LSfkRHur.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\XEY8d7zI.exe" "C:\Users\EEBsYm5\AppData\Local\Microsoft\Sypykbck.exe" 1" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\MICROS~1\Sypykbck.exe" && "C:\Users\EEBsYm5\AppData\Local\MICROS~1\Sypykbck.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\XEY8d7zI.exe" "C:\Users\EEBsYm5\AppData\Roaming\Microsoft\LSfkRHur.exe" 2" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\NhsgKr2p.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\DGaezHhx.cmd"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\yAQb5Zg8.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\2btKHTzb.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\QQZAKkLZ.cmd"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Roaming\MICROS~1\LSfkRHur.exe" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\MICROS~1\Sypykbck.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\Wtsk8WxH.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\Wtsk8WxH.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "LOCAL_3188F4D96148D062" "60000"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\F8a3iwA6.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\F8a3iwA6.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "WIN_6.1_32|ADMIN_YES|INT_4" "60000"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\Wtsk8WxH.exe" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\F8a3iwA6.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\8Nkh0cv7.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\Gy2dwmVF.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\bkM66bYk.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\bkM66bYk.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "340_LESS_1GB" "60000"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\GYm4NxCU.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\GYm4NxCU.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "FILESEXTLIST" "60000" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\7l6OWDI9Fmrsoy1O.elst" "1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\hvGO9ckx.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\hvGO9ckx.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "FIXLNKVIEW" "60000"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\bkM66bYk.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v "29" /t REG_SZ /f /d "C:\Users\EEBsYm5\AppData\Roaming\MICROS~1\Windows\7l6OWDI9Fmrsoy1O.ico,0"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\w588H5dN.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\w588H5dN.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "CIP_STARTED" "60000"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\1A4qO2RH.cmd"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\hvGO9ckx.exe" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\GYm4NxCU.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\sQFgqtRn.cmd"" starts with hidden window.
The process "C:\Users\EEBsYm5\AppData\Local\Temp\w588H5dN.exe" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\KGiXH98V.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\p0mhdE5X.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\WlLsor5U.cmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\RAC\PUBLIS~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\RAC\StateData\RacDatabase.sdf" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\RAC\StateData\RacDatabase.sdf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\RAC\STATED~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\BS0-NM~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\BS0-Nm2046.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\CFAWII~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\Cf aWIIkKxWa7MD7fCc.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\7JMXGW~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\7jmxgwY9.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\BUW1GW~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\bUW1gWS4k.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\P939UI~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\P939uI0IUIKwHsX.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\GJVVZA~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\gjVvzAf3d4AVCevrZIj.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\MUUM~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\Muum.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\QFL-BV~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\qFL-bVPAqe.xlsx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\5DDJXD~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\5d djXdWwSLPL XJ.xls.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\OASES7~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\Oases7ZDuwJ0FV.xls.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\LIM3LQ~1.XLS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\lim3Lqu-K6HO.xls.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\TQ3YPK~1.DOC" "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\Tq3yPk_6C.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\-V83XF~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\-V83XFbt5-FsW.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2VGMMR~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\2VgMmRhPzB7.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\8RVD3E~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\8rVd3erYRX.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\D2POZD~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\D2poZdDEdi.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\ERN4JQ~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\ERN4JQpRpgZde9N.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\M9MMOP~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\M9MmOpgceUJDVTGEEh.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\QXDEHM~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\qXDEHmzN LrwSQhutJ.docx.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\92pj.doc" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\92pj.doc.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\UZYEGR~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\UzyEGr8akjufgS.doc.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\WNPDVD~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\WnPdVDXwSUv.doc.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\BDJO8C~1.DOC" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\bDJO8cWgfh9q_unjpPU-.doc.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\BmSmSSu.doc" "C:\Users\EEBsYm5\DOCUME~1\BmSmSSu.doc.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\PWKWXR~1.ODS" "C:\Users\EEBsYm5\Desktop\pWkwXr56WJA6 l5.ods.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\9bQDI69.ods" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\9bQDI69.ods.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\IJFQBH~1.ODS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\IJFqBHm_BK63v.ods.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\iu1VEIcz.ods" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\iu1VEIcz.ods.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\VBKNJI~1.ODS" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\VBKNjIyz39y.ods.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\EGB3US~1.ODT" "C:\Users\EEBsYm5\Desktop\egB3USbk0IDbq.odt.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\VAFVM9~1.ODT" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\vaFvM9aFd9qECGT.odt.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\0Q56T.odt" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\0Q56T.odt.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\TGRDF2~1.PDF" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\tgRDf2UBQ_aR.pdf.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\THCV85~1.PDF" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\Thcv85KW1KoWsUQP.pdf.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\TAXJKD~1.PDF" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\TAXJKdn0yOKX7tSSpc.pdf.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\BKWVSD~1.JPG" "C:\Users\EEBsYm5\Desktop\bkwVSdvUcmd7uNf_5 x.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\4_IRBU~1.JPG" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\u7E2T\4_Irbu3SMZgt2KGk_cO7.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\m41m.jpg" "C:\Users\EEBsYm5\Desktop\m41m.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\AR0_1P~1.JPG" "C:\Users\EEBsYm5\Pictures\aR0_1pZCSZwjfY.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Pictures\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Pictures\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Pictures\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Pictures\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\If0lC.jpg" "C:\Users\EEBsYm5\Pictures\If0lC.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\isdKb.jpg" "C:\Users\EEBsYm5\Pictures\isdKb.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\KYWWKR~1.JPG" "C:\Users\EEBsYm5\Pictures\kYWWkRklabLUzyrJ9.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\EEJHG5~1.JPG" "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\EEJhG5emgLWHUyVz.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\QGVEFX~1.JPG" "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\qgVefxhoS8T3s19q574.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\U8SH0R~1.JPG" "C:\Users\EEBsYm5\Pictures\LR0AR2~1\J4M1CX~1\u8sH0rXco9.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\LR0AR2~1\QO_V_I~1.JPG" "C:\Users\EEBsYm5\Pictures\LR0AR2~1\QO_v_Iwy7B17SYlN-.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Pictures\LR0AR2~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Pictures\LR0AR2~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Pictures\LR0AR2~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Pictures\LR0AR2~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures\LR0AR2~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Pictures\LR0AR2~1"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Pictures\WO_IX7~1.JPG" "C:\Users\EEBsYm5\Pictures\wo_IX7FkjtTmLgs.jpg.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\DIRECT~1.ACR" "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\directories.acrodata.b10cked"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\Bl0cked-ReadMe.rtf"" starts with hidden window.
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\Adobe\Acrobat\10.0\REPLIC~1\Security"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\MF\Active.GRL" "C:\Users\ALLUSE~1\MICROS~1\MF\Active.GRL.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\MF\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\MF\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\MF\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\MF\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\MF\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\MF"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\MF\Pending.GRL" "C:\Users\ALLUSE~1\MICROS~1\MF\Pending.GRL.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ENVELO~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ENVELOPR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\GRINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\GRINTL32.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\GRINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\GRINTL32.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MAPIRD~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MAPIR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MOR6IN~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MOR6INT.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MSOINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MSOINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MSOINT~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\MSOINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OMSINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OMSINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ONINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ONINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ONINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\ONINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLLI~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLLIBR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLLI~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLLIBR.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLWV~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\OUTLWVW.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PPINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PPINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PPINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PPINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUB6IN~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUB6INTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUB6IN~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUB6INTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUBWZI~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\PUBWZINT.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\SGRESD~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\SGRES.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\STINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\STINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\VISBRR~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\VISBRRES.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\VISINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\VISINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WWINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WWINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WWINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WWINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLINTL32.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLINTL32.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLSLIC~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\XLSLICER.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ENVELO~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ENVELOPR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\GRINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\GRINTL32.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\GRINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\GRINTL32.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MAPIRD~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MAPIR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MOR6IN~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MOR6INT.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MSOINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MSOINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MSOINT~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\MSOINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OMSINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OMSINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ONINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ONINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ONINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\ONINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLLI~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLLIBR.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLLI~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLLIBR.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLWV~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\OUTLWVW.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PPINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PPINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PPINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PPINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUB6IN~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUB6INTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUB6IN~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUB6INTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUBWZI~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\PUBWZINT.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\SGRESD~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\SGRES.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\STINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\STINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\VISBRR~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\VISBRRES.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\VISINT~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\VISINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WWINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WWINTL.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\AppData\Local\Temp\WsPgAGWN.exe" && "C:\Users\EEBsYm5\AppData\Local\Temp\WsPgAGWN.exe" "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\" "7l6OWDI9Fmrsoy1O" "100_OK" "60000"" starts with hidden window.
|
|
-
The process "C:\Users\EEBsYm5\AppData\Local\Temp\WsPgAGWN.exe" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WWINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WWINTL.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLINTL~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLINTL32.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\CbFFjy09.cmd"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLINTL~2.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLINTL32.REST.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLSLIC~1.TRX" "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\XLSLICER.DLL.trx_dll.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\guest.bmp" "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\guest.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~1\USERAC~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\user.bmp" "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\user.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\Hx.hxn" "C:\Users\ALLUSE~1\MICROS~2\Hx.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\MICROS~2\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\MICROS~2\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\MICROS~2\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\MICROS~2\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~2\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\MICROS~2"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\HX_103~1.HXW" "C:\Users\ALLUSE~1\MICROS~2\Hx_1033_MKWD_K.HxW.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\HX_103~2.HXW" "C:\Users\ALLUSE~1\MICROS~2\Hx_1033_MKWD_NamedURL.HxW.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\HX_103~1.HXH" "C:\Users\ALLUSE~1\MICROS~2\Hx_1033_MTOC_Hx.HxH.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\HX_103~1.HXD" "C:\Users\ALLUSE~1\MICROS~2\Hx_1033_MValidator.HxD.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSEXCE~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.EXCEL.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSEXCE~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.EXCEL.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSGRAP~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.GRAPH.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSGROO~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.GROOVE.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSINFO~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.INFOPATH.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSINFO~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.INFOPATHEDITOR.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSAC~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSACCESS.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSAC~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSACCESS.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSOU~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSOUC.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSPU~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSPUB.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSPU~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSPUB.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSMSTO~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.MSTORE.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSOIS1~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.OIS.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSONEN~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.ONENOTE.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSOUTL~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.OUTLOOK.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSOUTL~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.OUTLOOK.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSPOWE~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.POWERPNT.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSPOWE~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.POWERPNT.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSSETL~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.SETLANG.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSVISI~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.VISIO.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSVISI~3.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.VISIO.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSVISI~4.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.VISIO.SHAPESHEET.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSE1C9~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.VISIO_PRM.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSVISI~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.VISIO_STD.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSWINP~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.WINPROJ.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSWINP~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.WINPROJ.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSWINW~1.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.WINWORD.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\MSWINW~2.HXN" "C:\Users\ALLUSE~1\MICROS~2\MS.WINWORD.DEV.14.1033.hxn.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\MICROS~2\nslist.hxl" "C:\Users\ALLUSE~1\MICROS~2\nslist.hxl.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\state.rsm" "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\state.rsm.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\state.rsm" "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\state.rsm.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{E6E75~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\state.rsm" "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\state.rsm.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\desktop.ini" & del /f /q "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1\desktop.ini" && attrib +h "C:\Users\ALLUSE~1\PACKAG~1\{F325F~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\Contacts\ADMINI~1.CON" "C:\Users\Default\Contacts\Administrator.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\Contacts\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\Default\Contacts\desktop.ini" & del /f /q "C:\Users\Default\Contacts\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\Default\Contacts\desktop.ini" && attrib +h "C:\Users\Default\Contacts\desktop.ini" && attrib +h "C:\Users\Default\Contacts"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\Links\WEBSLI~1.URL" "C:\Users\Default\FAVORI~1\Links\Web Slice Gallery.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\FAVORI~1\Links\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\Default\FAVORI~1\Links\desktop.ini" & del /f /q "C:\Users\Default\FAVORI~1\Links\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\Default\FAVORI~1\Links\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\Links\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\Links"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MICROS~1\IEADD-~1.URL" "C:\Users\Default\FAVORI~1\MICROS~1\IE Add-on site.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\FAVORI~1\MICROS~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\Default\FAVORI~1\MICROS~1\desktop.ini" & del /f /q "C:\Users\Default\FAVORI~1\MICROS~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\Default\FAVORI~1\MICROS~1\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\MICROS~1\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\MICROS~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MICROS~1\IESITE~1.URL" "C:\Users\Default\FAVORI~1\MICROS~1\IE site on Microsoft.com.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MICROS~1\MICROS~2.URL" "C:\Users\Default\FAVORI~1\MICROS~1\Microsoft At Home.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MICROS~1\MICROS~3.URL" "C:\Users\Default\FAVORI~1\MICROS~1\Microsoft At Work.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MICROS~1\MICROS~1.URL" "C:\Users\Default\FAVORI~1\MICROS~1\Microsoft Store.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNAUT~1.URL" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN Autos.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\FAVORI~1\MSNWEB~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\Default\FAVORI~1\MSNWEB~1\desktop.ini" & del /f /q "C:\Users\Default\FAVORI~1\MSNWEB~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\Default\FAVORI~1\MSNWEB~1\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\MSNWEB~1\desktop.ini" && attrib +h "C:\Users\Default\FAVORI~1\MSNWEB~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNENT~1.URL" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN Entertainment.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNMON~1.URL" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN Money.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNSPO~1.URL" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN Sports.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN.url" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSN.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNBCN~1.URL" "C:\Users\Default\FAVORI~1\MSNWEB~1\MSNBC News.url.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\NTUSER~1.LOG" "C:\Users\Default\NTUSER.DAT.LOG1.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\Default\Searches\Everywhere.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\Searches\Everywhere.search-ms"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\Searches\EVERYW~1.SEA" "C:\Users\Default\Searches\Everywhere.search-ms.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\Default\Searches\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\Default\Searches\desktop.ini" & del /f /q "C:\Users\Default\Searches\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\Default\Searches\desktop.ini" && attrib +h "C:\Users\Default\Searches\desktop.ini" && attrib +h "C:\Users\Default\Searches"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\Default\Searches\Indexed Locations.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\Searches\Indexed Locations.search-ms"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\Default\Searches\INDEXE~1.SEA" "C:\Users\Default\Searches\Indexed Locations.search-ms.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\ADMINI~1.CON" "C:\Users\EEBsYm5\Contacts\Administrator.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Contacts\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Contacts\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Contacts\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Contacts\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Contacts\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Contacts"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\IHNVBH~1.CON" "C:\Users\EEBsYm5\Contacts\ihnvbh euuncnh.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\LODKDA~1.CON" "C:\Users\EEBsYm5\Contacts\lodkd auftnm.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\MNEUCU~1.CON" "C:\Users\EEBsYm5\Contacts\mneuc uhnfghgg.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\OFHBNH~1.CON" "C:\Users\EEBsYm5\Contacts\ofhbnh edferrr.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Contacts\UOSJFL~1.CON" "C:\Users\EEBsYm5\Contacts\uosjfl sidvllie.contact.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\59NIYO~1.PNG" "C:\Users\EEBsYm5\Desktop\59nIYoZ1Klx-.png.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\6UVpef.wav" "C:\Users\EEBsYm5\Desktop\6UVpef.wav.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\95ICX9~1.BMP" "C:\Users\EEBsYm5\Desktop\95ICx9P6yb.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\9CDGYB~1.BMP" "C:\Users\EEBsYm5\Desktop\9CDgy bLN0e-uZnqSYBc.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\BCUGG-~1.PNG" "C:\Users\EEBsYm5\Desktop\BcUgG-6ytRMwdapH.png.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Bwuwh.wav" "C:\Users\EEBsYm5\Desktop\Bwuwh.wav.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\CKLVAY~1.FLV" "C:\Users\EEBsYm5\Desktop\CKLvAyoW1loaz.flv.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\DCFT2D~1.OTS" "C:\Users\EEBsYm5\Desktop\dcFt2Dy7M6d8J9.ots.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\DDLQZM~1.PNG" "C:\Users\EEBsYm5\Desktop\DDlQzm1zrUmfqtdJ.png.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GbkI\BON4K7~1.AVI" "C:\Users\EEBsYm5\Desktop\GbkI\bON4k7zjy0QFC_kDVvV.avi.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Desktop\GbkI\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Desktop\GbkI\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Desktop\GbkI\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Desktop\GbkI\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\GbkI\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\GbkI"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\1UP3L~1.BMP" "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\1up3 l.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\65OAv.bmp" "C:\Users\EEBsYm5\Desktop\GbkI\FTTFHT~1\65OAv.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GbkI\WTCCLC~1.WAV" "C:\Users\EEBsYm5\Desktop\GbkI\WtCCLcHrwK.wav.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\GCAP-7~1.BMP" "C:\Users\EEBsYm5\Desktop\gcAp-7-i61tX.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\KAWGR8~1.SWF" "C:\Users\EEBsYm5\Desktop\kawGr8UmxCuLrfZA.swf.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\E-AGGM~1.MKV" "C:\Users\EEBsYm5\Desktop\Lp6Y\e-AggmA P_oioCEdo08.mkv.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Desktop\Lp6Y\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Desktop\Lp6Y\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Desktop\Lp6Y\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Desktop\Lp6Y\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\CII3ZM~1.WAV" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\cii3Zm5ag7.wav.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\desktop.ini" & del /f /q "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\desktop.ini" && attrib +h "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\LUKOKO~1.PNG" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\LUKOkovEeIsTMf0.png.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\OXP9RC~1.AVI" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\OXP9rCEqmjhd9gNfz.avi.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\Q--QNZ~1.BMP" "C:\Users\EEBsYm5\Desktop\Lp6Y\hqVibu00\Q--qnZ17d.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\MPZFED~1.FLV" "C:\Users\EEBsYm5\Desktop\mPZFEDoY9Zi_en.flv.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\SXGPQH~1.ODP" "C:\Users\EEBsYm5\Desktop\SXGpQHv i4OFxmN5_1.odp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\TDXT9-~1.PPT" "C:\Users\EEBsYm5\Desktop\Tdxt9-_3mYM7NtN.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\TWV414~1.PPT" "C:\Users\EEBsYm5\Desktop\tWV414DCFHSA.ppt.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\Desktop\VX2E_A~1.BMP" "C:\Users\EEBsYm5\Desktop\VX2e_AgjuFQyd1Woq.bmp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\1UB93Z~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\1uB93z-ou.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\GOL7OX~1.CSV" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\g ol7OxwE18leXod.csv.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\IYDSDI~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\iyDSdIsdd3hcv.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\NRWDON~1\1VHPWY~1\RIBQ70~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\RD4BMP~1.OTS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\rd4bMPAMmCyKiYpJrFwO.ots.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\ieMCxg.pps" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\5OWEKS~1\WXMD5U~1\ieMCxg.pps.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\AK_FOD~1.OTS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\aK_FOd5jl.ots.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\MXJQIS~1.OTS" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\mXjqIsUDXYxFeYxzgw.ots.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\oR2F.csv" "C:\Users\EEBsYm5\DOCUME~1\2w7_ew\xJ2fmd\oR2F.csv.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\GAY66U~1.OTS" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\gaY66uwM4.ots.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\MMWJ0D~1.ODP" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\Mmwj0D0mDfuQB5wXA.odp.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\UFL3TY~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\UFl3tyKJKu.ppt.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\wj5G.ppt" "C:\Users\EEBsYm5\DOCUME~1\FCFNNE~1\wj5G.ppt.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\FUT5WR~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\fUt5wrAPeTu.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\KC6Z~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\kC6z.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C CACLS "C:\Users\EEBsYm5\Documents\My Shapes\Favorites.vss" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\EEBsYm5\Documents\My Shapes\Favorites.vss"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\MYSHAP~1"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\NGDM~1.PPT" "C:\Users\EEBsYm5\DOCUME~1\Ngdm.pptx.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C move /Y "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\FEASF@~1.PST" "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\feasf@efw.com.pst.b10cked"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C type "C:\Users\EEBsYm5\AppData\Roaming\BL0CKE~1.RTF" > "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\Bl0cked-ReadMe.rtf"" starts with hidden window.
|
|
-
The process ""C:\Windows\system32\cmd.exe" /C attrib -r -s -h "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\desktop.ini" & del /f /q "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\desktop.ini" & type "C:\Users\EEBsYm5\AppData\Roaming\VMFCCE~1\XEY8d7zI.exe" > "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1\desktop.ini" && attrib +h "C:\Users\EEBsYm5\DOCUME~1\OUTLOO~1"" starts with hidden window.
|
|
1/5
|
Process
|
Reads from memory of another process
|
-
|
|
-
"c:\users\eebsym5\desktop\2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exe" reads from "C:\Users\EEBsYm5\Desktop\2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\cnuu8vyt.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\CNuu8Vyt.exe".
|
|
-
"c:\users\eebsym5\appdata\roaming\vmfccerykvqy\xey8d7zi.exe" reads from "C:\Users\EEBsYm5\AppData\Roaming\vMfCCeRYkvQy\XEY8d7zI.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\nhsgkr2p.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\NhsgKr2p.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\yaqb5zg8.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\yAQb5Zg8.exe".
|
|
-
"c:\users\eebsym5\appdata\roaming\micros~1\lsfkrhur.exe" reads from "C:\Users\EEBsYm5\AppData\Roaming\MICROS~1\LSfkRHur.exe".
|
|
-
"c:\users\eebsym5\appdata\local\micros~1\sypykbck.exe" reads from "C:\Users\EEBsYm5\AppData\Local\MICROS~1\Sypykbck.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\wtsk8wxh.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\Wtsk8WxH.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\f8a3iwa6.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\F8a3iwA6.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\bkm66byk.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\bkM66bYk.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\hvgo9ckx.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\hvGO9ckx.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\gym4nxcu.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\GYm4NxCU.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\w588h5dn.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\w588H5dN.exe".
|
|
-
"c:\users\eebsym5\appdata\local\temp\wspgagwn.exe" reads from "C:\Users\EEBsYm5\AppData\Local\Temp\WsPgAGWN.exe".
|
|
1/5
|
Process
|
Creates a page with write and execute permissions
|
-
|
|
-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
|
1/5
|
Process
|
Creates system object
|
-
|
|
-
Creates mutex with name "13StarterProcessMutex4".
|
|
-
Creates mutex with name "24MainProcessMutex5".
|
|
-
Creates mutex with name "35Brother1ProcessMutex6".
|
|
-
Creates mutex with name "46Brother2ProcessMutex7".
|
|
1/5
|
Network
|
Performs DNS request
|
-
|
|
-
Resolves host name "statcs.s76.r53.com.ua".
|
|
-
Resolves host name "localhost".
|
|
1/5
|
Masquerade
|
Changes folder appearance
|
Riskware
|
|
-
Folder "c:\users\alluse~1\micros~1\rac\publis~1" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\rac\stated~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\2w7_ew\5oweks~1\nrwdon~1\1vhpwy~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\2w7_ew\5oweks~1\wxmd5u~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\fcfnne~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\2w7_ew\5oweks~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\2w7_ew" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\docume~1\2w7_ew\xj2fmd" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\desktop\gbki\fttfht~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\desktop\lp6y\hqvibu00\u7e2t" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\pictures" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\pictures\lr0ar2~1\j4m1cx~1" has a changed appearance.
|
|
-
Folder "c:\users\eebsym5\pictures\lr0ar2~1" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\adobe\acrobat\10.0\replic~1\security" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\device~1\device\{11352~1" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\device~1\device\{8702d~1" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\mf" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\office\uicapt~1\1036" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\office\uicapt~1\3082" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\userac~1\defaul~1" has a changed appearance.
|
|
-
Folder "c:\users\alluse~1\micros~1\userac~1" has a changed appearance.
|
|
1/5
|
File System
|
Creates an unusually large number of files
|
-
|
|
-
Creates an unusually large number of files.
|