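Technical Information
The section headings of this report were not preserved. The entries below appear in this order: a registry autorun value (Run key), file-system paths (several are repeated, presumably once per file action), "from … to …" pairs for .lnk shortcuts, one DNS query (domain partially masked with #), and process command lines. The persistence indicators visible in the list are the HKCU Run value 'CISCO', the Startup-folder entries cisco.exe and cisco.lnk, and the scheduled task "CISCO" created by schtasks.exe with /sc minute /mo 1.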
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CISCO' = '%APPDATA%\CISCO.exe'
- %APPDATA%\microsoft\windows\start menu\programs\startup\cisco.exe
- %APPDATA%\microsoft\windows\start menu\programs\startup\cisco.lnk
- <SYSTEM32>\tasks\cisco
- %APPDATA%\cisco.exe
- %TEMP%\hwyoa_jv.0.vb
- %TEMP%\hwyoa_jv.cmdline
- %TEMP%\hwyoa_jv.out
- %TEMP%\vbc22c7.tmp
- %TEMP%\res22d8.tmp
- %APPDATA%\cisco\windows explorer.exe
- %TEMP%\r_g8i3um.0.vb
- %TEMP%\r_g8i3um.cmdline
- %TEMP%\r_g8i3um.out
- %TEMP%\vbc2671.tmp
- %TEMP%\res2672.tmp
- %APPDATA%\cisco\windows media player.exe
- %TEMP%\ypenyscb.0.vb
- %TEMP%\ypenyscb.cmdline
- %TEMP%\ypenyscb.out
- %TEMP%\vbc2a1a.tmp
- %TEMP%\res2a1b.tmp
- %TEMP%\0bxvuhx3.0.vb
- %APPDATA%\cisco\cisco\launch internet explorer browser.exe
- %TEMP%\res3391.tmp
- %TEMP%\vbc3390.tmp
- %TEMP%\m1liwign.out
- %TEMP%\m1liwign.cmdline
- %APPDATA%\cisco\cisco\icq.exe
- %TEMP%\m1liwign.0.vb
- %TEMP%\res2d67.tmp
- %TEMP%\vbc2d56.tmp
- %TEMP%\3az-tsqi.out
- %TEMP%\3az-tsqi.cmdline
- %TEMP%\3az-tsqi.0.vb
- %APPDATA%\cisco\cisco\google chrome.exe
- %TEMP%\0bxvuhx3.cmdline
- %APPDATA%\cisco\opera.exe
- %TEMP%\res1f0f.tmp
- %TEMP%\vbc1f0e.tmp
- %TEMP%\ewjvbanb.0.vb
- %TEMP%\ewjvbanb.cmdline
- %TEMP%\ewjvbanb.out
- %TEMP%\vbc898.tmp
- %TEMP%\res899.tmp
- %TEMP%\i0f206qt.0.vb
- %TEMP%\i0f206qt.cmdline
- %TEMP%\i0f206qt.out
- %TEMP%\vbcd2c.tmp
- %TEMP%\resd2d.tmp
- %APPDATA%\cisco\google chrome.exe
- %TEMP%\yuz_de-0.0.vb
- %TEMP%\yuz_de-0.cmdline
- %TEMP%\yuz_de-0.out
- %TEMP%\vbc11fe.tmp
- %TEMP%\res11ff.tmp
- %APPDATA%\cisco\icq.exe
- %TEMP%\thjeuehv.cmdline
- %TEMP%\thjeuehv.0.vb
- %APPDATA%\cisco\mail.ru agent.exe
- %TEMP%\res1b46.tmp
- %TEMP%\vbc1b45.tmp
- %TEMP%\frrtufbd.out
- %TEMP%\frrtufbd.0.vb
- %TEMP%\frrtufbd.cmdline
- %APPDATA%\cisco\internet explorer.exe
- %TEMP%\res157a.tmp
- %TEMP%\vbc1579.tmp
- %TEMP%\kidxpwg5.out
- %TEMP%\kidxpwg5.cmdline
- %TEMP%\kidxpwg5.0.vb
- %TEMP%\thjeuehv.out
- %TEMP%\0bxvuhx3.out
- %APPDATA%\microsoft\windows\start menu\programs\startup\cisco.exe
- %TEMP%\vbc22c7.tmp
- %TEMP%\hwyoa_jv.0.vb
- %TEMP%\hwyoa_jv.out
- %TEMP%\hwyoa_jv.cmdline
- %TEMP%\res2672.tmp
- %TEMP%\vbc2671.tmp
- %TEMP%\r_g8i3um.cmdline
- %TEMP%\r_g8i3um.0.vb
- %TEMP%\r_g8i3um.out
- %TEMP%\res2a1b.tmp
- %TEMP%\vbc2a1a.tmp
- %TEMP%\ypenyscb.0.vb
- %TEMP%\ypenyscb.out
- %TEMP%\ypenyscb.cmdline
- %TEMP%\res2d67.tmp
- %TEMP%\vbc2d56.tmp
- %TEMP%\3az-tsqi.cmdline
- %TEMP%\3az-tsqi.out
- %TEMP%\3az-tsqi.0.vb
- %TEMP%\res3391.tmp
- %TEMP%\vbc3390.tmp
- %TEMP%\m1liwign.out
- %TEMP%\m1liwign.cmdline
- %TEMP%\m1liwign.0.vb
- %TEMP%\0bxvuhx3.cmdline
- %TEMP%\0bxvuhx3.0.vb
- %TEMP%\0bxvuhx3.out
- %TEMP%\res22d8.tmp
- %APPDATA%\cisco\cisco\icq.exe
- %TEMP%\thjeuehv.0.vb
- %TEMP%\thjeuehv.out
- %TEMP%\res899.tmp
- %TEMP%\vbc898.tmp
- %TEMP%\ewjvbanb.cmdline
- %TEMP%\ewjvbanb.out
- %TEMP%\ewjvbanb.0.vb
- %TEMP%\resd2d.tmp
- %TEMP%\vbcd2c.tmp
- %TEMP%\i0f206qt.cmdline
- %TEMP%\i0f206qt.0.vb
- %TEMP%\i0f206qt.out
- %TEMP%\res11ff.tmp
- %TEMP%\vbc11fe.tmp
- %TEMP%\yuz_de-0.cmdline
- %TEMP%\yuz_de-0.out
- %TEMP%\yuz_de-0.0.vb
- %TEMP%\res157a.tmp
- %TEMP%\vbc1579.tmp
- %TEMP%\kidxpwg5.cmdline
- %TEMP%\kidxpwg5.0.vb
- %TEMP%\kidxpwg5.out
- %TEMP%\res1b46.tmp
- %TEMP%\vbc1b45.tmp
- %TEMP%\frrtufbd.cmdline
- %TEMP%\frrtufbd.out
- %TEMP%\frrtufbd.0.vb
- %TEMP%\res1f0f.tmp
- %TEMP%\vbc1f0e.tmp
- %TEMP%\thjeuehv.cmdline
- %APPDATA%\cisco\cisco\google chrome.exe
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk to %APPDATA%\cisco\google chrome.lnk
- from C:\users\public\desktop\acrobat reader dc.lnk to %APPDATA%\cisco\cisco\acrobat reader dc.lnk
- from %HOMEPATH%\desktop\total commander 64 bit.lnk to %APPDATA%\cisco\cisco\total commander 64 bit.lnk
- from %HOMEPATH%\desktop\telegram.lnk to %APPDATA%\cisco\cisco\telegram.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\window switcher.lnk to %APPDATA%\cisco\cisco\window switcher.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\winamp.lnk to %APPDATA%\cisco\cisco\winamp.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\shows desktop.lnk to %APPDATA%\cisco\cisco\shows desktop.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\qip 2012.lnk to %APPDATA%\cisco\cisco\qip 2012.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mozilla thunderbird.lnk to %APPDATA%\cisco\cisco\mozilla thunderbird.lnk
- from C:\users\public\desktop\mirc.lnk to %APPDATA%\cisco\cisco\mirc.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\mail.ru agent.lnk to %APPDATA%\cisco\cisco\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\icq.lnk to %APPDATA%\cisco\cisco\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk to %APPDATA%\cisco\cisco\google chrome.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows media player.lnk to %APPDATA%\cisco\windows media player.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows explorer.lnk to %APPDATA%\cisco\windows explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\opera.lnk to %APPDATA%\cisco\opera.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\mail.ru agent.lnk to %APPDATA%\cisco\mail.ru agent.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk to %APPDATA%\cisco\internet explorer.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\icq.lnk to %APPDATA%\cisco\icq.lnk
- from %APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk to %APPDATA%\cisco\cisco\launch internet explorer browser.lnk
- from C:\users\public\desktop\mozilla firefox.lnk to %APPDATA%\cisco\cisco\mozilla firefox.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru Agent.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ICQ.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mail.Ru Agent.lnk
- DNS ASK pe####no.ddns.net
- '%APPDATA%\cisco.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4DD0.tmp" "%TEMP%\vbc4DB0.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4szfl0u.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5419.tmp" "%TEMP%\vbc5418.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\jb-gzn9u.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES55DE.tmp" "%TEMP%\vbc55DD.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xpdx495b.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5811.tmp" "%TEMP%\vbc5810.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bwpcnvsw.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES59E6.tmp" "%TEMP%\vbc59E5.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C2A.tmp" "%TEMP%\vbc4C29.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b-c3ftun.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\uva-a9vf.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5F73.tmp" "%TEMP%\vbc5F63.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\eq_9nrqj.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6148.tmp" "%TEMP%\vbc6147.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\akqpjaeb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES63C9.tmp" "%TEMP%\vbc63B8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3bwdqqyl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES655F.tmp" "%TEMP%\vbc655E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ikyms0hp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6792.tmp" "%TEMP%\vbc6791.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BF9.tmp" "%TEMP%\vbc5BF8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qvxizfeu.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\2rvs53fp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3EFB.tmp" "%TEMP%\vbc3ECB.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0bxvuhx3.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES899.tmp" "%TEMP%\vbc898.tmp"' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "CISCO" /tr "%APPDATA%\CISCO.exe"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\i0f206qt.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD2D.tmp" "%TEMP%\vbcD2C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\yuz_de-0.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11FF.tmp" "%TEMP%\vbc11FE.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kidxpwg5.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES157A.tmp" "%TEMP%\vbc1579.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\frrtufbd.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1B46.tmp" "%TEMP%\vbc1B45.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ewjvbanb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\thjeuehv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hwyoa_jv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES22D8.tmp" "%TEMP%\vbc22C7.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\r_g8i3um.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2672.tmp" "%TEMP%\vbc2671.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ypenyscb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2A1B.tmp" "%TEMP%\vbc2A1A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3az-tsqi.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2D67.tmp" "%TEMP%\vbc2D56.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\m1liwign.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3391.tmp" "%TEMP%\vbc3390.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1F0F.tmp" "%TEMP%\vbc1F0E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\sozxrtyh.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6ADD.tmp" "%TEMP%\vbc6ADC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\dw20.exe' -x -s 612
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C2A.tmp" "%TEMP%\vbc4C29.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b-c3ftun.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4DD0.tmp" "%TEMP%\vbc4DB0.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4szfl0u.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5419.tmp" "%TEMP%\vbc5418.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\jb-gzn9u.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES55DE.tmp" "%TEMP%\vbc55DD.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xpdx495b.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5811.tmp" "%TEMP%\vbc5810.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bwpcnvsw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES59E6.tmp" "%TEMP%\vbc59E5.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\uva-a9vf.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5BF9.tmp" "%TEMP%\vbc5BF8.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qvxizfeu.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5F73.tmp" "%TEMP%\vbc5F63.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\eq_9nrqj.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6148.tmp" "%TEMP%\vbc6147.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\akqpjaeb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES63C9.tmp" "%TEMP%\vbc63B8.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3bwdqqyl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES655F.tmp" "%TEMP%\vbc655E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ikyms0hp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6792.tmp" "%TEMP%\vbc6791.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\2rvs53fp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\sozxrtyh.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3EFB.tmp" "%TEMP%\vbc3ECB.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3391.tmp" "%TEMP%\vbc3390.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\dw20.exe' -x -s 724
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ewjvbanb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES899.tmp" "%TEMP%\vbc898.tmp"
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "CISCO" /tr "%APPDATA%\CISCO.exe"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\i0f206qt.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD2D.tmp" "%TEMP%\vbcD2C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\yuz_de-0.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11FF.tmp" "%TEMP%\vbc11FE.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\kidxpwg5.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES157A.tmp" "%TEMP%\vbc1579.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\frrtufbd.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1B46.tmp" "%TEMP%\vbc1B45.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\thjeuehv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1F0F.tmp" "%TEMP%\vbc1F0E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hwyoa_jv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES22D8.tmp" "%TEMP%\vbc22C7.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\r_g8i3um.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2672.tmp" "%TEMP%\vbc2671.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ypenyscb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2A1B.tmp" "%TEMP%\vbc2A1A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3az-tsqi.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2D67.tmp" "%TEMP%\vbc2D56.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\m1liwign.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0bxvuhx3.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6ADD.tmp" "%TEMP%\vbc6ADC.tmp"