Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
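- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001' (this policy value removes the Folder Options item from Explorer, so the user cannot change how hidden files and file extensions are displayed through the UI)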
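- crss.exe (the name imitates the legitimate Windows process csrss.exe; the copy listed on this page is in %APPDATA%, not in the Windows system directory)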
- %TEMP%\fo4vcoch.0.cs
- %TEMP%\vujjg2jq.dll
- %TEMP%\ifufuigo.0.cs
- %TEMP%\ifufuigo.cmdline
- %TEMP%\ifufuigo.out
- %TEMP%\csce342.tmp
- %TEMP%\rese343.tmp
- %TEMP%\ifufuigo.dll
- %TEMP%\cscdd28.tmp
- %TEMP%\resdd29.tmp
- %TEMP%\mjqniroq.0.cs
- %TEMP%\csce650.tmp
- %TEMP%\rese651.tmp
- %TEMP%\mjqniroq.dll
- %TEMP%\fvbpnkp2.0.cs
- %TEMP%\fvbpnkp2.cmdline
- %TEMP%\fvbpnkp2.out
- %TEMP%\csce9ca.tmp
- %TEMP%\mjqniroq.cmdline
- %TEMP%\mjqniroq.out
- %TEMP%\vujjg2jq.out
- %TEMP%\vujjg2jq.cmdline
- %TEMP%\vujjg2jq.0.cs
- %TEMP%\fo4vcoch.out
- %TEMP%\csccdc6.tmp
- %TEMP%\rescdc7.tmp
- %TEMP%\fo4vcoch.dll
- %APPDATA%\crss.exe
- %TEMP%\xqi1wmed.0.cs
- %TEMP%\xqi1wmed.cmdline
- %TEMP%\xqi1wmed.out
- %TEMP%\fo4vcoch.cmdline
- %TEMP%\cscd519.tmp
- %TEMP%\xqi1wmed.dll
- %TEMP%\xs2gcodj.0.cs
- %TEMP%\xs2gcodj.cmdline
- %TEMP%\xs2gcodj.out
- %TEMP%\cscda2a.tmp
- %TEMP%\resda2b.tmp
- %TEMP%\xs2gcodj.dll
- %APPDATA%\stealer2.exe
- %TEMP%\resd51a.tmp
- %TEMP%\rese9cb.tmp
- %TEMP%\fvbpnkp2.dll
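- (the 42 entries from here through %TEMP%\fvbpnkp2.cmdline repeat the %TEMP% files already listed above; the label that distinguishes the two lists appears to be missing from this page)
- %TEMP%\rescdc7.tmp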
- %TEMP%\rese343.tmp
- %TEMP%\csce342.tmp
- %TEMP%\ifufuigo.out
- %TEMP%\ifufuigo.0.cs
- %TEMP%\ifufuigo.cmdline
- %TEMP%\ifufuigo.dll
- %TEMP%\rese651.tmp
- %TEMP%\xqi1wmed.cmdline
- %TEMP%\csce650.tmp
- %TEMP%\mjqniroq.cmdline
- %TEMP%\mjqniroq.0.cs
- %TEMP%\mjqniroq.dll
- %TEMP%\rese9cb.tmp
- %TEMP%\csce9ca.tmp
- %TEMP%\fvbpnkp2.dll
- %TEMP%\fvbpnkp2.0.cs
- %TEMP%\vujjg2jq.cmdline
- %TEMP%\vujjg2jq.dll
- %TEMP%\vujjg2jq.out
- %TEMP%\vujjg2jq.0.cs
- %TEMP%\cscdd28.tmp
- %TEMP%\fo4vcoch.out
- %TEMP%\fo4vcoch.dll
- %TEMP%\fo4vcoch.cmdline
- %TEMP%\fo4vcoch.0.cs
- %TEMP%\resd51a.tmp
- %TEMP%\cscd519.tmp
- %TEMP%\xqi1wmed.dll
- %TEMP%\fvbpnkp2.out
- %TEMP%\mjqniroq.out
- %TEMP%\xqi1wmed.0.cs
- %TEMP%\resda2b.tmp
- %TEMP%\cscda2a.tmp
- %TEMP%\xs2gcodj.out
- %TEMP%\xs2gcodj.cmdline
- %TEMP%\xs2gcodj.0.cs
- %TEMP%\xs2gcodj.dll
- %TEMP%\resdd29.tmp
- %TEMP%\csccdc6.tmp
- %TEMP%\xqi1wmed.out
- %TEMP%\fvbpnkp2.cmdline
- '%APPDATA%\crss.exe'
- '%APPDATA%\stealer2.exe'
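- (csc.exe and cvtres.exe are the legitimate .NET Framework C# compiler and resource converter; the eight-character file names in %TEMP% look randomly generated, so for detection the reusable signal is the behaviour — a program running from %APPDATA% launching csc.exe with a hidden window against a .cmdline response file in %TEMP% — rather than the file names themselves)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fo4vcoch.cmdline"' (with hidden window)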
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCDC7.tmp" "%TEMP%\CSCCDC6.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xqi1wmed.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD51A.tmp" "%TEMP%\CSCD519.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xs2gcodj.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESDA2B.tmp" "%TEMP%\CSCDA2A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vujjg2jq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESDD29.tmp" "%TEMP%\CSCDD28.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ifufuigo.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE343.tmp" "%TEMP%\CSCE342.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mjqniroq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE651.tmp" "%TEMP%\CSCE650.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fvbpnkp2.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9CB.tmp" "%TEMP%\CSCE9CA.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fo4vcoch.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCDC7.tmp" "%TEMP%\CSCCDC6.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xqi1wmed.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD51A.tmp" "%TEMP%\CSCD519.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xs2gcodj.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESDA2B.tmp" "%TEMP%\CSCDA2A.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vujjg2jq.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESDD29.tmp" "%TEMP%\CSCDD28.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ifufuigo.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE343.tmp" "%TEMP%\CSCE342.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mjqniroq.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE651.tmp" "%TEMP%\CSCE650.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fvbpnkp2.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9CB.tmp" "%TEMP%\CSCE9CA.tmp"