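Technical Information
The section headings of the original report are missing from this listing. The entries below appear to cover, in order: autorun registry values and a Startup-folder file, a firewall exception command, files in %TEMP% and %APPDATA%, relocated shortcuts ("from ... to ..."), further shortcut paths, network endpoints, and launched process command lines. Whether a given file entry was created or deleted cannot be determined from this listing alone.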
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'df43efbc70c1b3d01262a4a5a2e4cecd' = '"%TEMP%\server.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'df43efbc70c1b3d01262a4a5a2e4cecd' = '"%TEMP%\server.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\client.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE
- %TEMP%\fjrjb1r9.0.vb
- %APPDATA%\random\default\qip 2012.exe
- %TEMP%\agwf5lyd.0.vb
- %TEMP%\agwf5lyd.cmdline
- %TEMP%\agwf5lyd.out
- %TEMP%\vbcc5af.tmp
- %TEMP%\resc5b0.tmp
- %APPDATA%\random\default\telegram.exe
- %TEMP%\resd318.tmp
- %TEMP%\hmsnhnht.0.vb
- %TEMP%\hmsnhnht.out
- %TEMP%\vbccc34.tmp
- %TEMP%\rescc35.tmp
- %APPDATA%\random\default\total commander 64 bit.exe
- %TEMP%\tgcizlup.0.vb
- %TEMP%\tgcizlup.cmdline
- %TEMP%\tgcizlup.out
- %TEMP%\vbcbd65.tmp
- %TEMP%\resbd66.tmp
- %TEMP%\hmsnhnht.cmdline
- %TEMP%\vbcd317.tmp
- %TEMP%\wtbbboi0.0.vb
- %TEMP%\vbca534.tmp
- %TEMP%\resa535.tmp
- %APPDATA%\random\optional\winamp.exe
- %TEMP%\vbn5ey4s.0.vb
- %TEMP%\vbn5ey4s.cmdline
- %TEMP%\vbn5ey4s.out
- %TEMP%\vbcaef4.tmp
- %TEMP%\resaef5.tmp
- %APPDATA%\random\default\icq.exe
- %TEMP%\qkpblepb.0.vb
- %TEMP%\qkpblepb.cmdline
- %TEMP%\qkpblepb.out
- %TEMP%\vbcb6b1.tmp
- %TEMP%\resb6b2.tmp
- %APPDATA%\random\default\mail.ru agent.exe
- %TEMP%\wtbbboi0.cmdline
- %TEMP%\zfcdqiuw.cmdline
- %TEMP%\wtbbboi0.out
- %TEMP%\vbc711a.tmp
- %APPDATA%\random\default\acrobat reader dc.exe
- %APPDATA%\random\default\mozilla thunderbird.exe
- %TEMP%\29emgkty.cmdline
- %TEMP%\29emgkty.out
- %TEMP%\vbc434.tmp
- %TEMP%\res445.tmp
- %APPDATA%\random\default\opera.exe
- %TEMP%\u1pgra5b.0.vb
- %TEMP%\u1pgra5b.cmdline
- %TEMP%\bghtz8nt.0.vb
- %TEMP%\u1pgra5b.out
- %TEMP%\resc21.tmp
- %APPDATA%\random\default\steam.exe
- %TEMP%\lykp5_bv.0.vb
- %TEMP%\lykp5_bv.cmdline
- %TEMP%\lykp5_bv.out
- %TEMP%\vbc11db.tmp
- %TEMP%\resfcb7.tmp
- %TEMP%\vbcfca6.tmp
- %TEMP%\29emgkty.0.vb
- %TEMP%\5-pm5cax.out
- %TEMP%\5-pm5cax.cmdline
- %TEMP%\bghtz8nt.cmdline
- %TEMP%\vbce9f1.tmp
- %TEMP%\rese9f2.tmp
- %APPDATA%\random\default\google chrome.exe
- %TEMP%\t_blouis.0.vb
- %TEMP%\t_blouis.cmdline
- %TEMP%\t_blouis.out
- %TEMP%\zfcdqiuw.0.vb
- %TEMP%\vbceff9.tmp
- %TEMP%\zfcdqiuw.out
- %APPDATA%\random\default\mirc.exe
- %TEMP%\7jsgo5sy.cmdline
- %TEMP%\7jsgo5sy.out
- %TEMP%\vbcf65f.tmp
- %TEMP%\resf670.tmp
- %APPDATA%\random\default\mozilla firefox.exe
- %TEMP%\5-pm5cax.0.vb
- %TEMP%\reseffa.tmp
- %TEMP%\bghtz8nt.out
- %TEMP%\7jsgo5sy.0.vb
- %APPDATA%\random\optional\qip 2012.exe
- %TEMP%\res9e23.tmp
- %TEMP%\vbc9e22.tmp
- %TEMP%\7rptppll.0.vb
- %TEMP%\7rptppll.cmdline
- %TEMP%\7rptppll.out
- %TEMP%\vbc53ab.tmp
- %TEMP%\res53ac.tmp
- %APPDATA%\random\mail.ru agent.exe
- %TEMP%\gbhawzuv.0.vb
- %TEMP%\gbhawzuv.cmdline
- %TEMP%\gbhawzuv.out
- %TEMP%\vbc5afb.tmp
- %TEMP%\res5b0b.tmp
- %APPDATA%\random\opera.exe
- %TEMP%\a4biy_dp.0.vb
- %TEMP%\a4biy_dp.cmdline
- %TEMP%\a4biy_dp.out
- %TEMP%\vbc4c7a.tmp
- %TEMP%\b_6dyebk.cmdline
- %APPDATA%\random\internet explorer.exe
- %TEMP%\b_6dyebk.out
- %TEMP%\b_6dyebk.0.vb
- %TEMP%\vbc3d9c.tmp
- %TEMP%\fjrjb1r9.out
- %TEMP%\vbc314c.tmp
- %TEMP%\res314d.tmp
- %TEMP%\582.exe
- %APPDATA%\client.exe
- %TEMP%\v9vr4ep3.0.vb
- %TEMP%\v9vr4ep3.cmdline
- %TEMP%\vbc6103.tmp
- %TEMP%\res11dc.tmp
- %TEMP%\v9vr4ep3.out
- %APPDATA%\random\google chrome.exe
- %TEMP%\iybe4jqp.0.vb
- %TEMP%\iybe4jqp.cmdline
- %TEMP%\iybe4jqp.out
- %TEMP%\vbc44cc.tmp
- %TEMP%\res44cd.tmp
- %APPDATA%\random\icq.exe
- %TEMP%\fjrjb1r9.cmdline
- %TEMP%\res3d9d.tmp
- %TEMP%\vbcc11.tmp
- %TEMP%\res6114.tmp
- %TEMP%\0zwfmhia.out
- %TEMP%\3ymqevyw.0.vb
- %TEMP%\3ymqevyw.cmdline
- %TEMP%\3ymqevyw.out
- %TEMP%\vbc87f4.tmp
- %TEMP%\res8804.tmp
- %APPDATA%\random\optional\mail.ru agent.exe
- %TEMP%\res4c7b.tmp
- %TEMP%\myrdalyc.0.vb
- %TEMP%\myrdalyc.out
- %TEMP%\vbc9405.tmp
- %TEMP%\res9415.tmp
- %APPDATA%\random\optional\mozilla thunderbird.exe
- %TEMP%\xb3zcss2.0.vb
- %TEMP%\xb3zcss2.cmdline
- %TEMP%\xb3zcss2.out
- %TEMP%\vbc8297.tmp
- %TEMP%\myrdalyc.cmdline
- %APPDATA%\random\optional\launch internet explorer browser.exe
- %TEMP%\res8298.tmp
- %TEMP%\toeauduk.out
- %TEMP%\toeauduk.cmdline
- %TEMP%\server.exe
- %TEMP%\vbc6a27.tmp
- %TEMP%\res6a38.tmp
- %APPDATA%\random\windows media player.exe
- %TEMP%\apkjwpxk.0.vb
- %TEMP%\apkjwpxk.cmdline
- %APPDATA%\random\windows explorer.exe
- %TEMP%\apkjwpxk.out
- %TEMP%\0zwfmhia.0.vb
- %TEMP%\res711b.tmp
- %TEMP%\xqnd15si.0.vb
- %TEMP%\xqnd15si.cmdline
- %TEMP%\xqnd15si.out
- %TEMP%\vbc7c60.tmp
- %TEMP%\res7c61.tmp
- %APPDATA%\random\optional\icq.exe
- %TEMP%\0zwfmhia.cmdline
- %TEMP%\toeauduk.0.vb
- %APPDATA%\random\optional\google chrome.exe
- %APPDATA%\random\default\winamp.exe
- %TEMP%\res314d.tmp
- %TEMP%\rescc35.tmp
- %TEMP%\wtbbboi0.cmdline
- %TEMP%\resc5b0.tmp
- %TEMP%\vbcc5af.tmp
- %TEMP%\agwf5lyd.cmdline
- %TEMP%\agwf5lyd.out
- %TEMP%\agwf5lyd.0.vb
- %TEMP%\vbccc34.tmp
- %TEMP%\vbn5ey4s.cmdline
- %TEMP%\hmsnhnht.out
- %TEMP%\hmsnhnht.cmdline
- %TEMP%\hmsnhnht.0.vb
- %TEMP%\resd318.tmp
- %TEMP%\vbcd317.tmp
- %TEMP%\tgcizlup.out
- %TEMP%\wtbbboi0.0.vb
- %TEMP%\wtbbboi0.out
- %TEMP%\qkpblepb.out
- %TEMP%\qkpblepb.0.vb
- %TEMP%\qkpblepb.cmdline
- %TEMP%\vbcb6b1.tmp
- %TEMP%\resb6b2.tmp
- %TEMP%\vbn5ey4s.0.vb
- %TEMP%\vbca534.tmp
- %TEMP%\tgcizlup.0.vb
- %TEMP%\vbcaef4.tmp
- %TEMP%\resaef5.tmp
- %TEMP%\zfcdqiuw.0.vb
- %TEMP%\zfcdqiuw.cmdline
- %TEMP%\zfcdqiuw.out
- %TEMP%\vbcbd65.tmp
- %TEMP%\vbn5ey4s.out
- %TEMP%\resbd66.tmp
- %TEMP%\tgcizlup.cmdline
- %TEMP%\bghtz8nt.0.vb
- %TEMP%\5-pm5cax.out
- %TEMP%\res445.tmp
- %TEMP%\vbc434.tmp
- %TEMP%\29emgkty.out
- %TEMP%\29emgkty.0.vb
- %TEMP%\29emgkty.cmdline
- %TEMP%\vbcc11.tmp
- %TEMP%\5-pm5cax.0.vb
- %TEMP%\u1pgra5b.0.vb
- %TEMP%\u1pgra5b.out
- %TEMP%\u1pgra5b.cmdline
- %TEMP%\res11dc.tmp
- %TEMP%\vbc11db.tmp
- %TEMP%\lykp5_bv.out
- %TEMP%\5-pm5cax.cmdline
- %TEMP%\vbcfca6.tmp
- %TEMP%\apkjwpxk.cmdline
- %TEMP%\bghtz8nt.cmdline
- %TEMP%\reseffa.tmp
- %TEMP%\vbceff9.tmp
- %TEMP%\t_blouis.cmdline
- %TEMP%\rese9f2.tmp
- %TEMP%\bghtz8nt.out
- %TEMP%\vbce9f1.tmp
- %TEMP%\t_blouis.out
- %TEMP%\7jsgo5sy.0.vb
- %TEMP%\7jsgo5sy.cmdline
- %TEMP%\7jsgo5sy.out
- %TEMP%\resfcb7.tmp
- %TEMP%\t_blouis.0.vb
- %TEMP%\resf670.tmp
- %TEMP%\vbcf65f.tmp
- %TEMP%\resa535.tmp
- %TEMP%\xb3zcss2.out
- %TEMP%\xb3zcss2.0.vb
- %TEMP%\b_6dyebk.cmdline
- %TEMP%\b_6dyebk.out
- %TEMP%\b_6dyebk.0.vb
- %TEMP%\res53ac.tmp
- %TEMP%\vbc53ab.tmp
- %TEMP%\7rptppll.0.vb
- %TEMP%\7rptppll.cmdline
- %TEMP%\a4biy_dp.0.vb
- %TEMP%\res5b0b.tmp
- %TEMP%\vbc5afb.tmp
- %TEMP%\gbhawzuv.cmdline
- %TEMP%\gbhawzuv.0.vb
- %TEMP%\gbhawzuv.out
- %TEMP%\res6114.tmp
- %TEMP%\vbc4c7a.tmp
- %TEMP%\res4c7b.tmp
- %TEMP%\vbc314c.tmp
- %TEMP%\v9vr4ep3.out
- %TEMP%\iybe4jqp.cmdline
- %TEMP%\iybe4jqp.0.vb
- %TEMP%\iybe4jqp.out
- %TEMP%\vbc44cc.tmp
- %TEMP%\res44cd.tmp
- %TEMP%\7rptppll.out
- %TEMP%\v9vr4ep3.cmdline
- %TEMP%\a4biy_dp.out
- %TEMP%\vbc3d9c.tmp
- %TEMP%\res3d9d.tmp
- %TEMP%\fjrjb1r9.0.vb
- %TEMP%\fjrjb1r9.out
- %TEMP%\fjrjb1r9.cmdline
- %TEMP%\v9vr4ep3.0.vb
- %TEMP%\vbc6103.tmp
- %TEMP%\a4biy_dp.cmdline
- %TEMP%\toeauduk.out
- %TEMP%\vbc87f4.tmp
- %TEMP%\3ymqevyw.0.vb
- %TEMP%\3ymqevyw.out
- %TEMP%\3ymqevyw.cmdline
- %TEMP%\toeauduk.cmdline
- %TEMP%\res6a38.tmp
- %TEMP%\res8804.tmp
- %TEMP%\res9415.tmp
- %TEMP%\myrdalyc.cmdline
- %TEMP%\res9e23.tmp
- %TEMP%\vbc9e22.tmp
- %TEMP%\xb3zcss2.cmdline
- %TEMP%\vbc9405.tmp
- %TEMP%\myrdalyc.0.vb
- %TEMP%\myrdalyc.out
- %TEMP%\resc21.tmp
- %TEMP%\lykp5_bv.0.vb
- %TEMP%\res8298.tmp
- %TEMP%\xqnd15si.cmdline
- %TEMP%\xqnd15si.out
- %TEMP%\xqnd15si.0.vb
- %TEMP%\vbc7c60.tmp
- %TEMP%\res7c61.tmp
- %TEMP%\apkjwpxk.out
- %TEMP%\toeauduk.0.vb
- %TEMP%\apkjwpxk.0.vb
- %TEMP%\vbc711a.tmp
- %TEMP%\res711b.tmp
- %TEMP%\0zwfmhia.cmdline
- %TEMP%\0zwfmhia.0.vb
- %TEMP%\0zwfmhia.out
- %TEMP%\vbc6a27.tmp
- %TEMP%\vbc8297.tmp
- %TEMP%\lykp5_bv.cmdline
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk to %APPDATA%\random\google chrome.lnk
- from C:\users\public\desktop\opera.lnk to %APPDATA%\random\default\opera.lnk
- from C:\users\public\desktop\mozilla thunderbird.lnk to %APPDATA%\random\default\mozilla thunderbird.lnk
- from C:\users\public\desktop\mozilla firefox.lnk to %APPDATA%\random\default\mozilla firefox.lnk
- from C:\users\public\desktop\mirc.lnk to %APPDATA%\random\default\mirc.lnk
- from C:\users\public\desktop\google chrome.lnk to %APPDATA%\random\default\google chrome.lnk
- from C:\users\public\desktop\acrobat reader dc.lnk to %APPDATA%\random\default\acrobat reader dc.lnk
- from %HOMEPATH%\desktop\total commander 64 bit.lnk to %APPDATA%\random\default\total commander 64 bit.lnk
- from %HOMEPATH%\desktop\telegram.lnk to %APPDATA%\random\default\telegram.lnk
- from %HOMEPATH%\desktop\qip 2012.lnk to %APPDATA%\random\default\qip 2012.lnk
- from %HOMEPATH%\desktop\mail.ru agent.lnk to %APPDATA%\random\default\mail.ru agent.lnk
- from %HOMEPATH%\desktop\icq.lnk to %APPDATA%\random\default\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\window switcher.lnk to %APPDATA%\random\optional\window switcher.lnk
- from C:\users\public\desktop\steam.lnk to %APPDATA%\random\default\steam.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\winamp.lnk to %APPDATA%\random\optional\winamp.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\qip 2012.lnk to %APPDATA%\random\optional\qip 2012.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mozilla thunderbird.lnk to %APPDATA%\random\optional\mozilla thunderbird.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mail.ru agent.lnk to %APPDATA%\random\optional\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk to %APPDATA%\random\optional\launch internet explorer browser.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\icq.lnk to %APPDATA%\random\optional\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk to %APPDATA%\random\optional\google chrome.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows media player.lnk to %APPDATA%\random\windows media player.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows explorer.lnk to %APPDATA%\random\windows explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\opera.lnk to %APPDATA%\random\opera.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\mail.ru agent.lnk to %APPDATA%\random\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk to %APPDATA%\random\internet explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\icq.lnk to %APPDATA%\random\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\shows desktop.lnk to %APPDATA%\random\optional\shows desktop.lnk
- from C:\users\public\desktop\winamp.lnk to %APPDATA%\random\default\winamp.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
- C:\Users\Public\Desktop\Opera.lnk
- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
- C:\Users\Public\Desktop\Mozilla Firefox.lnk
- C:\Users\Public\Desktop\mIRC.lnk
- C:\Users\Public\Desktop\Google Chrome.lnk
- C:\Users\Public\Desktop\Acrobat Reader DC.lnk
- %HOMEPATH%\Desktop\Total Commander 64 bit.lnk
- %HOMEPATH%\Desktop\Telegram.lnk
- %HOMEPATH%\Desktop\QIP 2012.lnk
- %HOMEPATH%\Desktop\Mail.Ru Agent.lnk
- %HOMEPATH%\Desktop\ICQ.lnk
- C:\Users\Public\Desktop\Steam.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mail.Ru Agent.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru Agent.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\QIP 2012.lnk
- C:\Users\Public\Desktop\Winamp.lnk
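- '14#.#1.246.87':9797 (the '#' characters are as given in the source; the address is incomplete)
- '14#.#1.246.87':9696 (the '#' characters are as given in the source; the address is incomplete)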
- '%TEMP%\582.exe'
- '%TEMP%\server.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA535.tmp" "%TEMP%\vbcA534.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\vbn5ey4s.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEF5.tmp" "%TEMP%\vbcAEF4.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qkpblepb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB6B2.tmp" "%TEMP%\vbcB6B1.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtbbboi0.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBD66.tmp" "%TEMP%\vbcBD65.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\agwf5lyd.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC5B0.tmp" "%TEMP%\vbcC5AF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hmsnhnht.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCC35.tmp" "%TEMP%\vbcCC34.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lykp5_bv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\tgcizlup.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bghtz8nt.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9F2.tmp" "%TEMP%\vbcE9F1.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\t_blouis.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESEFFA.tmp" "%TEMP%\vbcEFF9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7jsgo5sy.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF670.tmp" "%TEMP%\vbcF65F.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5-pm5cax.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFCB7.tmp" "%TEMP%\vbcFCA6.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\29emgkty.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES445.tmp" "%TEMP%\vbc434.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\u1pgra5b.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC21.tmp" "%TEMP%\vbcC11.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fjrjb1r9.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zfcdqiuw.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9E23.tmp" "%TEMP%\vbc9E22.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xb3zcss2.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES314D.tmp" "%TEMP%\vbc314C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v9vr4ep3.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D9D.tmp" "%TEMP%\vbc3D9C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iybe4jqp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES44CD.tmp" "%TEMP%\vbc44CC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b_6dyebk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7B.tmp" "%TEMP%\vbc4C7A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7rptppll.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53AC.tmp" "%TEMP%\vbc53AB.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gbhawzuv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5B0B.tmp" "%TEMP%\vbc5AFB.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4biy_dp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD318.tmp" "%TEMP%\vbcD317.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6114.tmp" "%TEMP%\vbc6103.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6A38.tmp" "%TEMP%\vbc6A27.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apkjwpxk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES711B.tmp" "%TEMP%\vbc711A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xqnd15si.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C61.tmp" "%TEMP%\vbc7C60.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\toeauduk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8298.tmp" "%TEMP%\vbc8297.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3ymqevyw.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8804.tmp" "%TEMP%\vbc87F4.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\myrdalyc.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9415.tmp" "%TEMP%\vbc9405.tmp"' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0zwfmhia.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11DC.tmp" "%TEMP%\vbc11DB.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fjrjb1r9.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEF5.tmp" "%TEMP%\vbcAEF4.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qkpblepb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB6B2.tmp" "%TEMP%\vbcB6B1.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtbbboi0.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBD66.tmp" "%TEMP%\vbcBD65.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\agwf5lyd.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC5B0.tmp" "%TEMP%\vbcC5AF.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hmsnhnht.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCC35.tmp" "%TEMP%\vbcCC34.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\tgcizlup.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA535.tmp" "%TEMP%\vbcA534.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\vbn5ey4s.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD318.tmp" "%TEMP%\vbcD317.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\t_blouis.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESEFFA.tmp" "%TEMP%\vbcEFF9.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7jsgo5sy.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF670.tmp" "%TEMP%\vbcF65F.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5-pm5cax.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFCB7.tmp" "%TEMP%\vbcFCA6.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\29emgkty.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES445.tmp" "%TEMP%\vbc434.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\u1pgra5b.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC21.tmp" "%TEMP%\vbcC11.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bghtz8nt.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9F2.tmp" "%TEMP%\vbcE9F1.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zfcdqiuw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9E23.tmp" "%TEMP%\vbc9E22.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xb3zcss2.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v9vr4ep3.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D9D.tmp" "%TEMP%\vbc3D9C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iybe4jqp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES44CD.tmp" "%TEMP%\vbc44CC.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b_6dyebk.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7B.tmp" "%TEMP%\vbc4C7A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7rptppll.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53AC.tmp" "%TEMP%\vbc53AB.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gbhawzuv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5B0B.tmp" "%TEMP%\vbc5AFB.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4biy_dp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES314D.tmp" "%TEMP%\vbc314C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6114.tmp" "%TEMP%\vbc6103.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6A38.tmp" "%TEMP%\vbc6A27.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apkjwpxk.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES711B.tmp" "%TEMP%\vbc711A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xqnd15si.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C61.tmp" "%TEMP%\vbc7C60.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\toeauduk.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8298.tmp" "%TEMP%\vbc8297.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3ymqevyw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8804.tmp" "%TEMP%\vbc87F4.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\myrdalyc.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9415.tmp" "%TEMP%\vbc9405.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0zwfmhia.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lykp5_bv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11DC.tmp" "%TEMP%\vbc11DB.tmp"