Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '8DOP1RQg4GnGwCbd.exe' = '%APPDATA%\Microsoft\Windows\Start Menu\8DOP1RQg4GnGwCbd.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\8dop1rqg4gngwcbd.exe.vbs
- %APPDATA%\microsoft\windows\start menu\programs\startup\8dop1rqg4gngwcbd.exe
- <SYSTEM32>\tasks\chrome
- %APPDATA%\microsoft\windows\start menu\8dop1rqg4gngwcbd.exe
- %TEMP%\89fsldc1.out
- %TEMP%\89fsldc1.cmdline
- %TEMP%\89fsldc1.0.vb
- %APPDATA%\gbdtjwstuki\anmskytpcy\launch internet explorer browser.exe
- %TEMP%\res4489.tmp
- %TEMP%\vbc4488.tmp
- %TEMP%\cu-2dw5b.out
- %TEMP%\cu-2dw5b.cmdline
- %TEMP%\cu-2dw5b.0.vb
- %TEMP%\vbc488f.tmp
- %APPDATA%\gbdtjwstuki\anmskytpcy\icq.exe
- %TEMP%\vbc4071.tmp
- %TEMP%\cgof1raz.out
- %TEMP%\cgof1raz.cmdline
- %TEMP%\cgof1raz.0.vb
- %APPDATA%\gbdtjwstuki\anmskytpcy\google chrome.exe
- %TEMP%\res3bee.tmp
- %TEMP%\vbc3bed.tmp
- %TEMP%\ujhmubal.out
- %TEMP%\ujhmubal.cmdline
- %TEMP%\res4072.tmp
- %TEMP%\res4890.tmp
- %APPDATA%\gbdtjwstuki\anmskytpcy\mail.ru agent.exe
- %TEMP%\sgyrvmdv.0.vb
- %TEMP%\vbc58ac.tmp
- %TEMP%\-kuuryjt.out
- %TEMP%\-kuuryjt.cmdline
- %TEMP%\-kuuryjt.0.vb
- %APPDATA%\gbdtjwstuki\anmskytpcy\winamp.exe
- %TEMP%\res5532.tmp
- %TEMP%\vbc5531.tmp
- %TEMP%\5y-luinb.out
- %TEMP%\5y-luinb.cmdline
- %TEMP%\5y-luinb.0.vb
- %APPDATA%\gbdtjwstuki\anmskytpcy\qip 2012.exe
- %TEMP%\res5031.tmp
- %TEMP%\vbc5021.tmp
- %TEMP%\iujuvei1.out
- %TEMP%\iujuvei1.cmdline
- %TEMP%\iujuvei1.0.vb
- %APPDATA%\gbdtjwstuki\anmskytpcy\mozilla thunderbird.exe
- %TEMP%\res4c3a.tmp
- %TEMP%\vbc4c39.tmp
- %TEMP%\sgyrvmdv.out
- %TEMP%\sgyrvmdv.cmdline
- %TEMP%\ujhmubal.0.vb
- %TEMP%\res58bd.tmp
- %APPDATA%\gbdtjwstuki\windows media player.exe
- %TEMP%\vbc37a7.tmp
- %TEMP%\riiqesgq.cmdline
- %TEMP%\riiqesgq.0.vb
- %APPDATA%\gbdtjwstuki\icq.exe
- %TEMP%\res1b56.tmp
- %TEMP%\vbc1b55.tmp
- %TEMP%\w0cvr5db.out
- %TEMP%\w0cvr5db.cmdline
- %TEMP%\w0cvr5db.0.vb
- %APPDATA%\gbdtjwstuki\google chrome.exe
- %TEMP%\riiqesgq.out
- %TEMP%\res1693.tmp
- %TEMP%\gjtfwjla.out
- %TEMP%\gjtfwjla.cmdline
- %TEMP%\gjtfwjla.0.vb
- %APPDATA%\8dop1rqg4gngwcbd.exe
- %TEMP%\resc43.tmp
- %TEMP%\vbcc42.tmp
- %TEMP%\bw-pv-t4.out
- %TEMP%\bw-pv-t4.cmdline
- %TEMP%\bw-pv-t4.0.vb
- %TEMP%\vbc1692.tmp
- %TEMP%\vbc2279.tmp
- %TEMP%\res227a.tmp
- %APPDATA%\gbdtjwstuki\internet explorer.exe
- %TEMP%\bliawjib.out
- %TEMP%\bliawjib.cmdline
- %TEMP%\bliawjib.0.vb
- %APPDATA%\gbdtjwstuki\windows explorer.exe
- %TEMP%\res32a7.tmp
- %TEMP%\vbc32a6.tmp
- %TEMP%\_-i5cfiz.out
- %TEMP%\_-i5cfiz.cmdline
- %TEMP%\_-i5cfiz.0.vb
- %APPDATA%\gbdtjwstuki\opera.exe
- %TEMP%\res2dd4.tmp
- %TEMP%\vbc2dc4.tmp
- %TEMP%\imaltkv7.out
- %TEMP%\imaltkv7.cmdline
- %TEMP%\imaltkv7.0.vb
- %APPDATA%\gbdtjwstuki\mail.ru agent.exe
- %TEMP%\res2912.tmp
- %TEMP%\vbc2911.tmp
- %TEMP%\i5if_i9g.out
- %TEMP%\i5if_i9g.cmdline
- %TEMP%\i5if_i9g.0.vb
- %TEMP%\res37a8.tmp
- %APPDATA%\gbdtjwstuki\cwwiejyaob\icq.exe
- %TEMP%\resc43.tmp
- %TEMP%\89fsldc1.cmdline
- %TEMP%\89fsldc1.0.vb
- %TEMP%\vbc488f.tmp
- %TEMP%\res4890.tmp
- %TEMP%\cu-2dw5b.cmdline
- %TEMP%\cu-2dw5b.out
- %TEMP%\cu-2dw5b.0.vb
- %TEMP%\vbc3bed.tmp
- %TEMP%\vbc4488.tmp
- %TEMP%\cgof1raz.cmdline
- %TEMP%\cgof1raz.out
- %TEMP%\cgof1raz.0.vb
- %TEMP%\vbc4071.tmp
- %TEMP%\res4072.tmp
- %TEMP%\ujhmubal.0.vb
- %TEMP%\ujhmubal.out
- %TEMP%\res4489.tmp
- %TEMP%\ujhmubal.cmdline
- %TEMP%\89fsldc1.out
- %TEMP%\iujuvei1.cmdline
- %TEMP%\-kuuryjt.out
- %TEMP%\vbc58ac.tmp
- %TEMP%\res58bd.tmp
- %TEMP%\5y-luinb.cmdline
- %TEMP%\5y-luinb.0.vb
- %TEMP%\5y-luinb.out
- %TEMP%\vbc5531.tmp
- %TEMP%\vbc4c39.tmp
- %TEMP%\res4c3a.tmp
- %TEMP%\iujuvei1.0.vb
- %TEMP%\iujuvei1.out
- %TEMP%\vbc5021.tmp
- %TEMP%\res5031.tmp
- %TEMP%\sgyrvmdv.cmdline
- %TEMP%\sgyrvmdv.0.vb
- %TEMP%\sgyrvmdv.out
- %TEMP%\res5532.tmp
- %TEMP%\res3bee.tmp
- %TEMP%\bliawjib.out
- %TEMP%\bliawjib.0.vb
- %TEMP%\res227a.tmp
- %TEMP%\w0cvr5db.cmdline
- %TEMP%\w0cvr5db.out
- %TEMP%\w0cvr5db.0.vb
- %TEMP%\vbc1b55.tmp
- %TEMP%\res1b56.tmp
- %TEMP%\riiqesgq.out
- %TEMP%\gjtfwjla.out
- %TEMP%\gjtfwjla.0.vb
- %TEMP%\vbc1692.tmp
- %TEMP%\res1693.tmp
- %TEMP%\bw-pv-t4.cmdline
- %TEMP%\bw-pv-t4.out
- %TEMP%\bw-pv-t4.0.vb
- %TEMP%\vbcc42.tmp
- %TEMP%\gjtfwjla.cmdline
- %TEMP%\riiqesgq.0.vb
- %TEMP%\vbc2279.tmp
- %TEMP%\riiqesgq.cmdline
- %TEMP%\bliawjib.cmdline
- %TEMP%\imaltkv7.0.vb
- %TEMP%\vbc37a7.tmp
- %TEMP%\res37a8.tmp
- %TEMP%\_-i5cfiz.0.vb
- %TEMP%\_-i5cfiz.cmdline
- %TEMP%\_-i5cfiz.out
- %TEMP%\vbc32a6.tmp
- %TEMP%\res32a7.tmp
- %TEMP%\imaltkv7.cmdline
- %TEMP%\res2912.tmp
- %TEMP%\imaltkv7.out
- %TEMP%\vbc2dc4.tmp
- %TEMP%\res2dd4.tmp
- %TEMP%\i5if_i9g.0.vb
- %TEMP%\i5if_i9g.out
- %TEMP%\i5if_i9g.cmdline
- %TEMP%\vbc2911.tmp
- %TEMP%\-kuuryjt.0.vb
- %TEMP%\-kuuryjt.cmdline
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk to %APPDATA%\gbdtjwstuki\google chrome.lnk
- from C:\users\public\desktop\opera.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\opera.lnk
- from C:\users\public\desktop\mozilla thunderbird.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\mozilla thunderbird.lnk
- from C:\users\public\desktop\mozilla firefox.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\mozilla firefox.lnk
- from C:\users\public\desktop\mirc.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\mirc.lnk
- from C:\users\public\desktop\google chrome.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\google chrome.lnk
- from C:\users\public\desktop\acrobat reader dc.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\acrobat reader dc.lnk
- from %HOMEPATH%\desktop\total commander 64 bit.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\total commander 64 bit.lnk
- from %HOMEPATH%\desktop\telegram.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\telegram.lnk
- from %HOMEPATH%\desktop\qip 2012.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\qip 2012.lnk
- from %HOMEPATH%\desktop\mail.ru agent.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\mail.ru agent.lnk
- from %HOMEPATH%\desktop\icq.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\window switcher.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\window switcher.lnk
- from C:\users\public\desktop\steam.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\steam.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\winamp.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\winamp.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\qip 2012.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\qip 2012.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mozilla thunderbird.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\mozilla thunderbird.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mail.ru agent.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\launch internet explorer browser.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\icq.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\google chrome.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows media player.lnk to %APPDATA%\gbdtjwstuki\windows media player.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows explorer.lnk to %APPDATA%\gbdtjwstuki\windows explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\opera.lnk to %APPDATA%\gbdtjwstuki\opera.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\mail.ru agent.lnk to %APPDATA%\gbdtjwstuki\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk to %APPDATA%\gbdtjwstuki\internet explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\icq.lnk to %APPDATA%\gbdtjwstuki\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\shows desktop.lnk to %APPDATA%\gbdtjwstuki\anmskytpcy\shows desktop.lnk
- from C:\users\public\desktop\winamp.lnk to %APPDATA%\gbdtjwstuki\cwwiejyaob\winamp.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru Agent.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mail.Ru Agent.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\QIP 2012.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
- %HOMEPATH%\Desktop\ICQ.lnk
- DNS ASK mo######ystem.duckdns.org
- '%APPDATA%\microsoft\windows\start menu\8dop1rqg4gngwcbd.exe'
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\-kuuryjt.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES58BD.tmp" "%TEMP%\vbc58AC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ywea2lvb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5D7F.tmp" "%TEMP%\vbc5D7E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\8f3am1yz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6010.tmp" "%TEMP%\vbc5FFF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zmm3dccl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C35.tmp" "%TEMP%\vbc6A11.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kpb9l4po.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6E0A.tmp" "%TEMP%\vbc6E09.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kcvprf-q.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\_-i5cfiz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES74D0.tmp" "%TEMP%\vbc74CF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7686.tmp" "%TEMP%\vbc7685.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtdmsjdk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES783B.tmp" "%TEMP%\vbc783A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cpgzjffv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES79D1.tmp" "%TEMP%\vbc79D0.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\-4rlhl6c.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C04.tmp" "%TEMP%\vbc7C03.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\z1tx9ctq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7E85.tmp" "%TEMP%\vbc7E84.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hrbb9pso.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES800B.tmp" "%TEMP%\vbc800A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5y-luinb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5532.tmp" "%TEMP%\vbc5531.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5031.tmp" "%TEMP%\vbc5021.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iujuvei1.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C3A.tmp" "%TEMP%\vbc4C39.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC43.tmp" "%TEMP%\vbcC42.tmp"' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn "Chrome" /tr "%APPDATA%\Microsoft\Windows\Start Menu\8DOP1RQg4GnGwCbd.exe"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gjtfwjla.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1693.tmp" "%TEMP%\vbc1692.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\w0cvr5db.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1B56.tmp" "%TEMP%\vbc1B55.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\riiqesgq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES227A.tmp" "%TEMP%\vbc2279.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\i5if_i9g.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2912.tmp" "%TEMP%\vbc2911.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\imaltkv7.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\uqxxk0bz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\emkulwrp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2DD4.tmp" "%TEMP%\vbc2DC4.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bliawjib.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES37A8.tmp" "%TEMP%\vbc37A7.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ujhmubal.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3BEE.tmp" "%TEMP%\vbc3BED.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cgof1raz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4072.tmp" "%TEMP%\vbc4071.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cu-2dw5b.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4489.tmp" "%TEMP%\vbc4488.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\89fsldc1.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4890.tmp" "%TEMP%\vbc488F.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\sgyrvmdv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bw-pv-t4.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES32A7.tmp" "%TEMP%\vbc32A6.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES82F9.tmp" "%TEMP%\vbc82F8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bw-pv-t4.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\-kuuryjt.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES58BD.tmp" "%TEMP%\vbc58AC.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ywea2lvb.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5D7F.tmp" "%TEMP%\vbc5D7E.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\8f3am1yz.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6010.tmp" "%TEMP%\vbc5FFF.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zmm3dccl.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C35.tmp" "%TEMP%\vbc6A11.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kpb9l4po.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6E0A.tmp" "%TEMP%\vbc6E09.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kcvprf-q.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\_-i5cfiz.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES74D0.tmp" "%TEMP%\vbc74CF.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7686.tmp" "%TEMP%\vbc7685.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtdmsjdk.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES783B.tmp" "%TEMP%\vbc783A.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cpgzjffv.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES79D1.tmp" "%TEMP%\vbc79D0.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\-4rlhl6c.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C04.tmp" "%TEMP%\vbc7C03.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\z1tx9ctq.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7E85.tmp" "%TEMP%\vbc7E84.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hrbb9pso.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES800B.tmp" "%TEMP%\vbc800A.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5y-luinb.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5532.tmp" "%TEMP%\vbc5531.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5031.tmp" "%TEMP%\vbc5021.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iujuvei1.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C3A.tmp" "%TEMP%\vbc4C39.tmp"
- '%WINDIR%\syswow64\schtasks.exe' /create /sc minute /mo 1 /tn "Chrome" /tr "%APPDATA%\Microsoft\Windows\Start Menu\8DOP1RQg4GnGwCbd.exe"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gjtfwjla.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1693.tmp" "%TEMP%\vbc1692.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\w0cvr5db.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1B56.tmp" "%TEMP%\vbc1B55.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\riiqesgq.cmdline"
- '<SYSTEM32>\taskeng.exe' {D63CBA7E-7488-455F-B382-798F20041D3C} S-1-5-21-1960123792-2022915161-3775307078-1001:bxepltqefeyb\user:Interactive:[1]
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES227A.tmp" "%TEMP%\vbc2279.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\i5if_i9g.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2912.tmp" "%TEMP%\vbc2911.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\imaltkv7.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\uqxxk0bz.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\emkulwrp.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2DD4.tmp" "%TEMP%\vbc2DC4.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bliawjib.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES37A8.tmp" "%TEMP%\vbc37A7.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ujhmubal.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3BEE.tmp" "%TEMP%\vbc3BED.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cgof1raz.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4072.tmp" "%TEMP%\vbc4071.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\cu-2dw5b.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4489.tmp" "%TEMP%\vbc4488.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\89fsldc1.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4890.tmp" "%TEMP%\vbc488F.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\sgyrvmdv.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC43.tmp" "%TEMP%\vbcC42.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES32A7.tmp" "%TEMP%\vbc32A6.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES82F9.tmp" "%TEMP%\vbc82F8.tmp"