Trojan.DownLoader41.10248

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\iedvtool\iexplore.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\wininit.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"<SYSTEM32>\Wwanpref\services.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskhost' = '"<SYSTEM32>\PrintBrmUi\taskhost.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'reviewbrokercrtCommonsessionperfDll' = '"C:\reviewbrokercrtCommon\94dfcaErtMmvX\reviewbrokercrtCommonsessionperfDll.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"<SYSTEM32>\rdrleakdiag\services.exe"'
[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idle' = '"<Current directory>\Idle.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent 377b139a175f0261
%APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
<SYSTEM32>\tasks\iexplore
<SYSTEM32>\tasks\wininit
<SYSTEM32>\tasks\services
<SYSTEM32>\tasks\taskhost
<SYSTEM32>\tasks\reviewbrokercrtcommonsessionperfdll
<SYSTEM32>\tasks\idle

Malicious functions

Injects code into

the following system processes:

%WINDIR%\syswow64\explorer.exe
%WINDIR%\explorer.exe

Searches for registry branches where third party applications store passwords

[<HKCU>\Software\Martin Prikryl]
[<HKLM>\Software\Wow6432Node\Martin Prikryl]

Reads files which store third party applications passwords

%APPDATA%\mozilla\firefox\profiles.ini
%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\cookies
%APPDATA%\opera software\opera stable\login data
%APPDATA%\thunderbird\profiles.ini

Searches for windows to

detect analytical utilities:

ClassName: 'RegmonClass', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''

Modifies file system

Creates the following files

%APPDATA%\ajruiat
%TEMP%\cef4.tmp
%TEMP%\cf04.tmp
%TEMP%\cf34.tmp
%TEMP%\cf64.tmp
%TEMP%\d05f.tmp
%TEMP%\d07f.tmp
%TEMP%\d0be.tmp
%TEMP%\d0bf.tmp
%TEMP%\d0df.tmp
%TEMP%\d0f0.tmp
%TEMP%\d110.tmp
%TEMP%\d121.tmp
%TEMP%\d151.tmp
%TEMP%\d151.tmp-shm
<SYSTEM32>\printbrmui\taskhost.exe
<SYSTEM32>\printbrmui\b75386f1303e64d8139363b71e44ac16341adf4e
C:\reviewbrokercrtcommon\94dfcaertmmvx\reviewbrokercrtcommonsessionperfdll.exe
C:\reviewbrokercrtcommon\94dfcaertmmvx\9cc5d3383d58065f0ef6567dd82d631d7e042dec
<SYSTEM32>\rdrleakdiag\services.exe
<SYSTEM32>\rdrleakdiag\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
<Current directory>\idle.exe
<Current directory>\6ccacd8608530fba3a93e87ae2225c7032aa18c1
%TEMP%\xlzyllkhhp
%TEMP%\cc54.tmp
%TEMP%\cic5iz3ani.bat
%TEMP%\cc24.tmp-shm
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
%APPDATA%\dhhsbdj
%TEMP%\f565.exe
%TEMP%\ff36.exe
%ALLUSERSPROFILE%\runtimebroker.exe
%TEMP%\1305.exe
C:\reviewbrokercrtcommon\94dfcaertmmvx.bat
C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe
C:\reviewbrokercrtcommon\kb5vrhbv.vbe
%TEMP%\38de.exe
%TEMP%\s.bat
%TEMP%\650d.exe
%TEMP%\766c.exe
%TEMP%\38de.exe.pid
%ProgramFiles(x86)%\internet explorer\iedvtool\iexplore.exe
%ProgramFiles(x86)%\internet explorer\iedvtool\9db6e019d4f04ef534d0f91b3462d805c40e9d20
C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\wininit.exe
C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\560854153607923c4c5f107085a7db67be01f252
%TEMP%\a22e.exe
<SYSTEM32>\wwanpref\services.exe
<SYSTEM32>\wwanpref\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%TEMP%\cc24.tmp
nul

Sets the 'hidden' attribute to the following files

%APPDATA%\ajruiat
%APPDATA%\dhhsbdj

Deletes the following files

%TEMP%\cc24.tmp-shm
%TEMP%\d151.tmp-shm
%TEMP%\d121.tmp
%TEMP%\d110.tmp
%TEMP%\d0f0.tmp
%TEMP%\d0df.tmp
%TEMP%\d0bf.tmp
%TEMP%\d0be.tmp
%TEMP%\d07f.tmp
%TEMP%\d05f.tmp
%TEMP%\cf64.tmp
%TEMP%\cf34.tmp
%TEMP%\cf04.tmp
%TEMP%\cef4.tmp
%TEMP%\cc54.tmp
%TEMP%\cc24.tmp
%TEMP%\d151.tmp
%TEMP%\xlzyllkhhp

Deletes itself.

Network activity

Connects to

'91.##1.19.52':80
'bi###co2ver.eu':80
'nt##.co.th':80
'ho#i.de':443
've####ano-party.it':80
'ca###atches.com':443
'tr####matfors.se':80
'al####services.in':80
'we#####horsereview.com':80
'pa####nasaares.fi':80
'hi####reworks.ch':80
'ju##k.org':80
'be##ake.com':443
'cc###asur.com':443
'ma###uleen.com':80
'ti#####metalsheet.com':80
'fo##eco.org':443
'el##sco.gr':443
'bo###sluis.nl':443
'sm####gue.com.ar':80
'fi######erein-kaisten.ch':80
'ev#l.ee':80
'ua##na.com':80
'co#####ofaviation.com':80
'ny##bek.com':80
'an##kaz.com':443
'tu####novypochod.sk':443
'tc###teria.dk':80
'he##ool.ee':80
're#####ebnbcabins.com':443
'te##ki.com':80
'um######edition-aargau.ch':443
'hv##r.com':443
'ky###oga.com':80
'sp######eshoppefranklin.com':443
'hi##ocom.hr':80
'su###conti.eu':80
'ob###htweine.ch':443
'ob###uehle.ch':443
'bo##co.com':443
'5k##.com':443
'de####guide.co.uk':443
've######globalwallet.com':80
'js###eningen.ch':80
'th####elens.co.za':80
'du####usic.com.ar':80
'ph####.jacksonhuang.com':80
'ts#.org.in':80
'ho#######rancegreatdunmow.co.uk':80
'le##a.dk':80
'ma####cleanusa.com':443
'10###wthroad.ie':443
'pa#####teconfluence.be':443
'gr####amatskola.lv':443
'wa####ftware.co.uk':80
'ne###rk9.biz':443
'ko#####l-rideklub.dk':80
'nu#######taldeescobar.com.ar':80
'so######eslogisticas3pl.com':80
'tu####agency.com':80
'co####osalta.org.ar':80
'lb#.se':443
'to###hmid.ch':80
'ed###dpunset.es':443
'ac####-network.org':443
'mi#####upholster.co.uk':80
'la###romat.no':80
'el###ducto.cl':80
'cs####otocol.com':443
'si##iu.dk':80
'ja####laxman.com':443
'fa##ud.ro':80
'ke####bsmith.com':443
'at##mel.ee':80
'os####ilho.com.br':443
'hu#####ranslations.com':80
'da###-ke.net':80
'ma######uringevent.co.uk':443
'od####rfwetter.de':80
'gr####society.ro':443
'ab##.org.br':80
'en###rockas.cl':80
'mo###store.com':443
'ma####auleadjou.com':80
'st####ozzone.com':80
're#####listforjuly1.xyz':80
'da######arten-hamburg.de':80
'be####bahiscim.com':80
'ca####gfalkudden.se':443
'to###g2000.com':80
'pj##lima.pl':80
'vi###nova.be':80
'le###peele.com':443
'ja####xposures.com':443
'in###ogroup.com':443
'ma####tmaynen.com':80
'p-##s.ch':443
'pa###rasbox.pub':80
'pa###dstak.com':80
'co#######-office-headquator.com':443
'mg####oup.com.au':80
'te##te.in':443
'pu##en.com':443
'ga####haus-lampe.de':80
'av#####productions.nl':443
'pi#####nsforskola.se':80
'ro###nwest.best':443
'18#.#91.34.170':8888
'x1.#.lencr.org':80
'microsoft.com':80
'ms#####rchcenter.top':443
'wa####and.com.hk':443
'mo###eghetop.it':80
'au####e-energie.fr':443
'pa###dstak.com':443
'me##puu.ee':80
'wi####tarquin.co.uk':80
'lu###hoo.com':443
'su#######rsonaltraining.co.uk':443
'or#####arnaval.co.za':80
'19#.#6.146.22':47861
'sp####moshaver.ir':80
'ma###dany.de':80
'er####namasaza.si':80
'ph###natura.se':80
'fi##z.de':443
'pa#l.ee':80
'gr###er.house':443
'co###eklatch.be':80
'an###obike.org':80
'pl###int.com':80
'no####aevents.nl':80
'ep##ess.ee':80
'el######seasidesuites.com':80
'hi####uan.com.sg':443
'me##ham.org':80
'ch#######ishfilmfestival.com':443
'sa##s3.org':443
'le######tofailpodcast.com':80
'rk##c.nl':80
'ma####sgalore.com':443
'of#####ngarden.co.uk':80
'cl###kind.com':443
'gp#.ee':443
'sa###ordell.dk':80
'mi#####habortion.com':443
'av##tour.pl':80
'bi####herheit.de':80
'va###keuruu.fi':443
'po#####onedigital.co.uk':80
'do#####hakshuka.co.il':443
'hd##.net':80
'te#####odturnings.com':443
'ex###vagario.mx':80
'ru###fhecke.be':80
'go###lex.com':443
'kl###ridders.de':80
'ba####tudios.com':443
'tu##nq.am':443
'no######n-for-errors.com':80
'bi##oe.be':80
'gi###aradise.sk':443
'ba#h.cz':80
'bc#.ch':443
'be######reetingcards.co.uk':443
'gr######g-foundation.org':80
'dv#.dk':80

TCP

HTTP GET requests

http://re#####listforjuly1.xyz/raccon.exe
http://18#.##1.34.170:8888/bots/chkVersion?cu#################### via 18#.#91.34.170
http://18#.##1.34.170:8888/project/active via 18#.#91.34.170
http://18#.##1.34.170:8888/gw?wo########## via 18#.#91.34.170
http://18#.##1.34.170:8888/gw?wo##### via 18#.#91.34.170
http://re#####listforjuly1.xyz/reestr.exe

HTTP POST requests

http://19#.##.146.22:47861/ via 19#.#6.146.22
http://re#####listforjuly1.xyz/

Other

'ro###nwest.best':443
'p-##s.ch':443
'co#######-office-headquator.com':443
'bo##co.com':443
'bo###sluis.nl':443
'ho#i.de':443
'ca###atches.com':443
'cc###asur.com':443
'fo##eco.org':443
'hv##r.com':443
'ob###htweine.ch':443
'el##sco.gr':443
'do#####hakshuka.co.il':443
'ke####bsmith.com':443
'ma######uringevent.co.uk':443
'ed###dpunset.es':443
'5k##.com':443
'gr####society.ro':443
'10###wthroad.ie':443
'os####ilho.com.br':443
'mo###store.com':443
'va###keuruu.fi':443
'sp######eshoppefranklin.com':443
're#####ebnbcabins.com':443
'mi#####habortion.com':443
'ms#####rchcenter.top':443
'su#######rsonaltraining.co.uk':443
'tu##nq.am':443
'go###lex.com':443
'te#####odturnings.com':443
'bc#.ch':443
'be######reetingcards.co.uk':443
'av#####productions.nl':443
'pu##en.com':443
'te##te.in':443
'ca####gfalkudden.se':443
'hi####uan.com.sg':443
'ja####xposures.com':443
'sa##s3.org':443
'ma####sgalore.com':443
'ch#######ishfilmfestival.com':443
'fi##z.de':443
'gp#.ee':443
'cl###kind.com':443
'tu####novypochod.sk':443
'le###peele.com':443
'gr####amatskola.lv':443
'pa#####teconfluence.be':443

UDP

DNS ASK re#####listforjuly1.xyz
DNS ASK no####aevents.nl
DNS ASK hi####uan.com.sg
DNS ASK el######seasidesuites.com
DNS ASK ch#######ishfilmfestival.com
DNS ASK me##ham.org
DNS ASK si##iu.dk
DNS ASK of#####ngarden.co.uk
DNS ASK sa##s3.org
DNS ASK co#####ofaviation.com
DNS ASK ep##ess.ee
DNS ASK um######edition-aargau.ch
DNS ASK ja####laxman.com
DNS ASK cl###kind.com
DNS ASK gp#.ee
DNS ASK fi##z.de
DNS ASK mi#####habortion.com
DNS ASK lb#.se
DNS ASK ma####auleadjou.com
DNS ASK ua##na.com
DNS ASK rk##c.nl
DNS ASK le######tofailpodcast.com
DNS ASK go###lex.com
DNS ASK ma####sgalore.com
DNS ASK an###obike.org
DNS ASK bi##oe.be
DNS ASK no######n-for-errors.com
DNS ASK bc#.ch
DNS ASK ba#h.cz
DNS ASK ti#####metalsheet.com
DNS ASK be######reetingcards.co.uk
DNS ASK av##tour.pl
DNS ASK ph###natura.se
DNS ASK el##sco.gr
DNS ASK fi######erein-kaisten.ch
DNS ASK mi#####upholster.co.uk
DNS ASK bi####herheit.de
DNS ASK gr###er.house
DNS ASK co###eklatch.be
DNS ASK pl###int.com
DNS ASK pl###itness.hr
DNS ASK el###ducto.cl
DNS ASK mo###store.com
DNS ASK ac####-network.org
DNS ASK sa###ordell.dk
DNS ASK id#####affinginc.net
DNS ASK tu##nq.am
DNS ASK ny##bek.com
DNS ASK he##ool.ee
DNS ASK ts#.org.in
DNS ASK de####gymnasiet.se
DNS ASK th####elens.co.za
DNS ASK kr####rservice.ch
DNS ASK ry##klev.ru
DNS ASK bo###sluis.nl
DNS ASK os######sadenreinigung.ch
DNS ASK bi###co2ver.eu
DNS ASK ne###rk9.biz
DNS ASK ab##.org.br
DNS ASK ma####cleanusa.com
DNS ASK pa###denhaut.ch
DNS ASK wa####ftware.co.uk
DNS ASK cl######beachbootcamp.com
DNS ASK fp#####tspartners.com
DNS ASK nu#######taldeescobar.com.ar
DNS ASK cc###asur.com
DNS ASK so######eslogisticas3pl.com
DNS ASK mu###vision.tv
DNS ASK ho#i.de
DNS ASK ba####feline.org.uk
DNS ASK tu####novypochod.sk
DNS ASK an##kaz.com
DNS ASK ev#l.ee
DNS ASK te##ki.com
DNS ASK re#####ebnbcabins.com
DNS ASK hv##r.com
DNS ASK um####firmen365.ch
DNS ASK ke####bsmith.com
DNS ASK be##kov.com
DNS ASK si###rknospe.ch
DNS ASK bo##co.com
DNS ASK tc###teria.dk
DNS ASK uk####enthouses.com
DNS ASK hu#####ranslations.com
DNS ASK hi##ocom.hr
DNS ASK od####rfwetter.de
DNS ASK to###gi.doyu.jp
DNS ASK ob###htweine.ch
DNS ASK su###conti.eu
DNS ASK co####osalta.org.ar
DNS ASK ob###uehle.ch
DNS ASK sp######uetzen-aarwangen.ch
DNS ASK ky###oga.com
DNS ASK sp######eshoppefranklin.com
DNS ASK kl###ridders.de
DNS ASK ru###fhecke.be
DNS ASK gi###aradise.sk
DNS ASK pa####nasaares.fi
DNS ASK ju##k.org
DNS ASK hi####reworks.ch
DNS ASK pi#####nsforskola.se
DNS ASK be##ake.com
DNS ASK ma###uleen.com
DNS ASK pu##en.com
DNS ASK fo##eco.org
DNS ASK ma###dany.de
DNS ASK pj##lima.pl
DNS ASK or#####arnaval.co.za
DNS ASK en###rockas.cl
DNS ASK ve######globalwallet.com
DNS ASK da######arten-hamburg.de
DNS ASK be####bahiscim.com
DNS ASK ca####gfalkudden.se
DNS ASK fa##n.se
DNS ASK ma######uringevent.co.uk
DNS ASK to###g2000.com
DNS ASK av#####productions.nl
DNS ASK sm####gue.com.ar
DNS ASK ca###rflux.com
DNS ASK sp####moshaver.ir
DNS ASK tr####matfors.se
DNS ASK x1.#.lencr.org
DNS ASK te##te.in
DNS ASK ms#####rchcenter.top
DNS ASK microsoft.com
DNS ASK au####e-energie.fr
DNS ASK ca###atches.com
DNS ASK ve####ano-party.it
DNS ASK pa###dstak.com
DNS ASK lu###hoo.com
DNS ASK vi###nova.be
DNS ASK ro###nwest.best
DNS ASK al####services.in
DNS ASK we#####horsereview.com
DNS ASK nt##.co.th
DNS ASK wa####and.com.hk
DNS ASK mo###eghetop.it
DNS ASK ga####haus-lampe.de
DNS ASK wi####tarquin.co.uk
DNS ASK su#######rsonaltraining.co.uk
DNS ASK p-##s.ch
DNS ASK me##puu.ee
DNS ASK er####namasaza.si
DNS ASK la###romat.no
DNS ASK 10###wthroad.ie
DNS ASK pa#####teconfluence.be
DNS ASK zu###hbybike.ch
DNS ASK gn####llorca.com
DNS ASK gr######g-foundation.org
DNS ASK ko#####l-rideklub.dk
DNS ASK ex###vagario.mx
DNS ASK dv#.dk
DNS ASK mg####oup.com.au
DNS ASK ho#######rancegreatdunmow.co.uk
DNS ASK gr####amatskola.lv
DNS ASK do#####hakshuka.co.il
DNS ASK pa#l.ee
DNS ASK ba####tudios.com
DNS ASK va###keuruu.fi
DNS ASK st####ozzone.com
DNS ASK de####guide.co.uk
DNS ASK po#####onedigital.co.uk
DNS ASK hd##.net
DNS ASK de###dvis.eu
DNS ASK te#####odturnings.com
DNS ASK tu####agency.com
DNS ASK le##a.dk
DNS ASK ph####.jacksonhuang.com
DNS ASK le###peele.com
DNS ASK ja####xposures.com
DNS ASK la#####acatering.com
DNS ASK in###ogroup.com
DNS ASK cs####otocol.com
DNS ASK fa##ud.ro
DNS ASK az####arketing.com
DNS ASK ma####tmaynen.com
DNS ASK at##mel.ee
DNS ASK da###-ke.net
DNS ASK jt####matizacion.cl
DNS ASK os####ilho.com.br
DNS ASK to####duerring.com
DNS ASK gr####society.ro
DNS ASK ed###dpunset.es
DNS ASK 5k##.com
DNS ASK st#####lsenautobody.com
DNS ASK to###hmid.ch
DNS ASK js###eningen.ch
DNS ASK du####usic.com.ar
DNS ASK co#######-office-headquator.com
DNS ASK pa###rasbox.pub
DNS ASK en####lonsuites.com
'localhost':123

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''
ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''

Creates and executes the following

'%TEMP%\f565.exe'
'%APPDATA%\ajruiat'
'<SYSTEM32>\rdrleakdiag\services.exe'
'%TEMP%\a22e.exe'
'%TEMP%\650d.exe'
'%WINDIR%\syswow64\wscript.exe' "C:\reviewbrokercrtCommon\kB5VrhbV.vbe"
'%TEMP%\766c.exe'
'C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe'
'%TEMP%\1305.exe'
'%ALLUSERSPROFILE%\runtimebroker.exe'
'%TEMP%\ff36.exe'
'%TEMP%\38de.exe'
'<SYSTEM32>\cmd.exe' /C "%TEMP%\cIC5iz3aNi.bat"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
'%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)
'%APPDATA%\ajruiat' ' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "
'%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat
'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Internet Explorer\iedvtool\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
'%WINDIR%\syswow64\explorer.exe'
'%WINDIR%\explorer.exe'
'<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'<SYSTEM32>\Wwanpref\services.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'<SYSTEM32>\PrintBrmUi\taskhost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "reviewbrokercrtCommonsessionperfDll" /sc ONLOGON /tr "'C:\reviewbrokercrtCommon\94dfcaErtMmvX\reviewbrokercrtCommonsessionperfDll.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'<SYSTEM32>\rdrleakdiag\services.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc ONLOGON /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
'<SYSTEM32>\cmd.exe' /C "%TEMP%\cIC5iz3aNi.bat"
'<SYSTEM32>\chcp.com' 65001
'<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
'<SYSTEM32>\taskeng.exe' {A9650D67-7DC6-4E3C-96C0-FD8D9E163A27} S-1-5-21-1960123792-2022915161-3775307078-1001:dtpzodzwfi\user:Interactive:[1]

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial