Technical Information
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\iedvtool\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\wininit.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"<SYSTEM32>\Wwanpref\services.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskhost' = '"<SYSTEM32>\PrintBrmUi\taskhost.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'reviewbrokercrtCommonsessionperfDll' = '"C:\reviewbrokercrtCommon\94dfcaErtMmvX\reviewbrokercrtCommonsessionperfDll.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"<SYSTEM32>\rdrleakdiag\services.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idle' = '"<Current directory>\Idle.exe"'
- <SYSTEM32>\tasks\firefox default browser agent 377b139a175f0261
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\services
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\reviewbrokercrtcommonsessionperfdll
- <SYSTEM32>\tasks\idle
- %WINDIR%\syswow64\explorer.exe
- %WINDIR%\explorer.exe
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
- %APPDATA%\mozilla\firefox\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- %APPDATA%\ajruiat
- %TEMP%\cef4.tmp
- %TEMP%\cf04.tmp
- %TEMP%\cf34.tmp
- %TEMP%\cf64.tmp
- %TEMP%\d05f.tmp
- %TEMP%\d07f.tmp
- %TEMP%\d0be.tmp
- %TEMP%\d0bf.tmp
- %TEMP%\d0df.tmp
- %TEMP%\d0f0.tmp
- %TEMP%\d110.tmp
- %TEMP%\d121.tmp
- %TEMP%\d151.tmp
- %TEMP%\d151.tmp-shm
- <SYSTEM32>\printbrmui\taskhost.exe
- <SYSTEM32>\printbrmui\b75386f1303e64d8139363b71e44ac16341adf4e
- C:\reviewbrokercrtcommon\94dfcaertmmvx\reviewbrokercrtcommonsessionperfdll.exe
- C:\reviewbrokercrtcommon\94dfcaertmmvx\9cc5d3383d58065f0ef6567dd82d631d7e042dec
- <SYSTEM32>\rdrleakdiag\services.exe
- <SYSTEM32>\rdrleakdiag\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
- <Current directory>\idle.exe
- <Current directory>\6ccacd8608530fba3a93e87ae2225c7032aa18c1
- %TEMP%\xlzyllkhhp
- %TEMP%\cc54.tmp
- %TEMP%\cic5iz3ani.bat
- %TEMP%\cc24.tmp-shm
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %APPDATA%\dhhsbdj
- %TEMP%\f565.exe
- %TEMP%\ff36.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- %TEMP%\1305.exe
- C:\reviewbrokercrtcommon\94dfcaertmmvx.bat
- C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe
- C:\reviewbrokercrtcommon\kb5vrhbv.vbe
- %TEMP%\38de.exe
- %TEMP%\s.bat
- %TEMP%\650d.exe
- %TEMP%\766c.exe
- %TEMP%\38de.exe.pid
- %ProgramFiles(x86)%\internet explorer\iedvtool\iexplore.exe
- %ProgramFiles(x86)%\internet explorer\iedvtool\9db6e019d4f04ef534d0f91b3462d805c40e9d20
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\wininit.exe
- C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\560854153607923c4c5f107085a7db67be01f252
- %TEMP%\a22e.exe
- <SYSTEM32>\wwanpref\services.exe
- <SYSTEM32>\wwanpref\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %TEMP%\cc24.tmp
- nul
- %APPDATA%\ajruiat
- %APPDATA%\dhhsbdj
- %TEMP%\cc24.tmp-shm
- %TEMP%\d151.tmp-shm
- %TEMP%\d121.tmp
- %TEMP%\d110.tmp
- %TEMP%\d0f0.tmp
- %TEMP%\d0df.tmp
- %TEMP%\d0bf.tmp
- %TEMP%\d0be.tmp
- %TEMP%\d07f.tmp
- %TEMP%\d05f.tmp
- %TEMP%\cf64.tmp
- %TEMP%\cf34.tmp
- %TEMP%\cf04.tmp
- %TEMP%\cef4.tmp
- %TEMP%\cc54.tmp
- %TEMP%\cc24.tmp
- %TEMP%\d151.tmp
- %TEMP%\xlzyllkhhp
- '91.##1.19.52':80
- 'bi###co2ver.eu':80
- 'nt##.co.th':80
- 'ho#i.de':443
- 've####ano-party.it':80
- 'ca###atches.com':443
- 'tr####matfors.se':80
- 'al####services.in':80
- 'we#####horsereview.com':80
- 'pa####nasaares.fi':80
- 'hi####reworks.ch':80
- 'ju##k.org':80
- 'be##ake.com':443
- 'cc###asur.com':443
- 'ma###uleen.com':80
- 'ti#####metalsheet.com':80
- 'fo##eco.org':443
- 'el##sco.gr':443
- 'bo###sluis.nl':443
- 'sm####gue.com.ar':80
- 'fi######erein-kaisten.ch':80
- 'ev#l.ee':80
- 'ua##na.com':80
- 'co#####ofaviation.com':80
- 'ny##bek.com':80
- 'an##kaz.com':443
- 'tu####novypochod.sk':443
- 'tc###teria.dk':80
- 'he##ool.ee':80
- 're#####ebnbcabins.com':443
- 'te##ki.com':80
- 'um######edition-aargau.ch':443
- 'hv##r.com':443
- 'ky###oga.com':80
- 'sp######eshoppefranklin.com':443
- 'hi##ocom.hr':80
- 'su###conti.eu':80
- 'ob###htweine.ch':443
- 'ob###uehle.ch':443
- 'bo##co.com':443
- '5k##.com':443
- 'de####guide.co.uk':443
- 've######globalwallet.com':80
- 'js###eningen.ch':80
- 'th####elens.co.za':80
- 'du####usic.com.ar':80
- 'ph####.jacksonhuang.com':80
- 'ts#.org.in':80
- 'ho#######rancegreatdunmow.co.uk':80
- 'le##a.dk':80
- 'ma####cleanusa.com':443
- '10###wthroad.ie':443
- 'pa#####teconfluence.be':443
- 'gr####amatskola.lv':443
- 'wa####ftware.co.uk':80
- 'ne###rk9.biz':443
- 'ko#####l-rideklub.dk':80
- 'nu#######taldeescobar.com.ar':80
- 'so######eslogisticas3pl.com':80
- 'tu####agency.com':80
- 'co####osalta.org.ar':80
- 'lb#.se':443
- 'to###hmid.ch':80
- 'ed###dpunset.es':443
- 'ac####-network.org':443
- 'mi#####upholster.co.uk':80
- 'la###romat.no':80
- 'el###ducto.cl':80
- 'cs####otocol.com':443
- 'si##iu.dk':80
- 'ja####laxman.com':443
- 'fa##ud.ro':80
- 'ke####bsmith.com':443
- 'at##mel.ee':80
- 'os####ilho.com.br':443
- 'hu#####ranslations.com':80
- 'da###-ke.net':80
- 'ma######uringevent.co.uk':443
- 'od####rfwetter.de':80
- 'gr####society.ro':443
- 'ab##.org.br':80
- 'en###rockas.cl':80
- 'mo###store.com':443
- 'ma####auleadjou.com':80
- 'st####ozzone.com':80
- 're#####listforjuly1.xyz':80
- 'da######arten-hamburg.de':80
- 'be####bahiscim.com':80
- 'ca####gfalkudden.se':443
- 'to###g2000.com':80
- 'pj##lima.pl':80
- 'vi###nova.be':80
- 'le###peele.com':443
- 'ja####xposures.com':443
- 'in###ogroup.com':443
- 'ma####tmaynen.com':80
- 'p-##s.ch':443
- 'pa###rasbox.pub':80
- 'pa###dstak.com':80
- 'co#######-office-headquator.com':443
- 'mg####oup.com.au':80
- 'te##te.in':443
- 'pu##en.com':443
- 'ga####haus-lampe.de':80
- 'av#####productions.nl':443
- 'pi#####nsforskola.se':80
- 'ro###nwest.best':443
- '18#.#91.34.170':8888
- 'x1.#.lencr.org':80
- 'microsoft.com':80
- 'ms#####rchcenter.top':443
- 'wa####and.com.hk':443
- 'mo###eghetop.it':80
- 'au####e-energie.fr':443
- 'pa###dstak.com':443
- 'me##puu.ee':80
- 'wi####tarquin.co.uk':80
- 'lu###hoo.com':443
- 'su#######rsonaltraining.co.uk':443
- 'or#####arnaval.co.za':80
- '19#.#6.146.22':47861
- 'sp####moshaver.ir':80
- 'ma###dany.de':80
- 'er####namasaza.si':80
- 'ph###natura.se':80
- 'fi##z.de':443
- 'pa#l.ee':80
- 'gr###er.house':443
- 'co###eklatch.be':80
- 'an###obike.org':80
- 'pl###int.com':80
- 'no####aevents.nl':80
- 'ep##ess.ee':80
- 'el######seasidesuites.com':80
- 'hi####uan.com.sg':443
- 'me##ham.org':80
- 'ch#######ishfilmfestival.com':443
- 'sa##s3.org':443
- 'le######tofailpodcast.com':80
- 'rk##c.nl':80
- 'ma####sgalore.com':443
- 'of#####ngarden.co.uk':80
- 'cl###kind.com':443
- 'gp#.ee':443
- 'sa###ordell.dk':80
- 'mi#####habortion.com':443
- 'av##tour.pl':80
- 'bi####herheit.de':80
- 'va###keuruu.fi':443
- 'po#####onedigital.co.uk':80
- 'do#####hakshuka.co.il':443
- 'hd##.net':80
- 'te#####odturnings.com':443
- 'ex###vagario.mx':80
- 'ru###fhecke.be':80
- 'go###lex.com':443
- 'kl###ridders.de':80
- 'ba####tudios.com':443
- 'tu##nq.am':443
- 'no######n-for-errors.com':80
- 'bi##oe.be':80
- 'gi###aradise.sk':443
- 'ba#h.cz':80
- 'bc#.ch':443
- 'be######reetingcards.co.uk':443
- 'gr######g-foundation.org':80
- 'dv#.dk':80
- http://re#####listforjuly1.xyz/raccon.exe
- http://18#.##1.34.170:8888/bots/chkVersion?cu#################### via 18#.#91.34.170
- http://18#.##1.34.170:8888/project/active via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo########## via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo##### via 18#.#91.34.170
- http://re#####listforjuly1.xyz/reestr.exe
- http://19#.##.146.22:47861/ via 19#.#6.146.22
- http://re#####listforjuly1.xyz/
- 'ro###nwest.best':443
- 'p-##s.ch':443
- 'co#######-office-headquator.com':443
- 'bo##co.com':443
- 'bo###sluis.nl':443
- 'ho#i.de':443
- 'ca###atches.com':443
- 'cc###asur.com':443
- 'fo##eco.org':443
- 'hv##r.com':443
- 'ob###htweine.ch':443
- 'el##sco.gr':443
- 'do#####hakshuka.co.il':443
- 'ke####bsmith.com':443
- 'ma######uringevent.co.uk':443
- 'ed###dpunset.es':443
- '5k##.com':443
- 'gr####society.ro':443
- '10###wthroad.ie':443
- 'os####ilho.com.br':443
- 'mo###store.com':443
- 'va###keuruu.fi':443
- 'sp######eshoppefranklin.com':443
- 're#####ebnbcabins.com':443
- 'mi#####habortion.com':443
- 'ms#####rchcenter.top':443
- 'su#######rsonaltraining.co.uk':443
- 'tu##nq.am':443
- 'go###lex.com':443
- 'te#####odturnings.com':443
- 'bc#.ch':443
- 'be######reetingcards.co.uk':443
- 'av#####productions.nl':443
- 'pu##en.com':443
- 'te##te.in':443
- 'ca####gfalkudden.se':443
- 'hi####uan.com.sg':443
- 'ja####xposures.com':443
- 'sa##s3.org':443
- 'ma####sgalore.com':443
- 'ch#######ishfilmfestival.com':443
- 'fi##z.de':443
- 'gp#.ee':443
- 'cl###kind.com':443
- 'tu####novypochod.sk':443
- 'le###peele.com':443
- 'gr####amatskola.lv':443
- 'pa#####teconfluence.be':443
- DNS ASK re#####listforjuly1.xyz
- DNS ASK no####aevents.nl
- DNS ASK hi####uan.com.sg
- DNS ASK el######seasidesuites.com
- DNS ASK ch#######ishfilmfestival.com
- DNS ASK me##ham.org
- DNS ASK si##iu.dk
- DNS ASK of#####ngarden.co.uk
- DNS ASK sa##s3.org
- DNS ASK co#####ofaviation.com
- DNS ASK ep##ess.ee
- DNS ASK um######edition-aargau.ch
- DNS ASK ja####laxman.com
- DNS ASK cl###kind.com
- DNS ASK gp#.ee
- DNS ASK fi##z.de
- DNS ASK mi#####habortion.com
- DNS ASK lb#.se
- DNS ASK ma####auleadjou.com
- DNS ASK ua##na.com
- DNS ASK rk##c.nl
- DNS ASK le######tofailpodcast.com
- DNS ASK go###lex.com
- DNS ASK ma####sgalore.com
- DNS ASK an###obike.org
- DNS ASK bi##oe.be
- DNS ASK no######n-for-errors.com
- DNS ASK bc#.ch
- DNS ASK ba#h.cz
- DNS ASK ti#####metalsheet.com
- DNS ASK be######reetingcards.co.uk
- DNS ASK av##tour.pl
- DNS ASK ph###natura.se
- DNS ASK el##sco.gr
- DNS ASK fi######erein-kaisten.ch
- DNS ASK mi#####upholster.co.uk
- DNS ASK bi####herheit.de
- DNS ASK gr###er.house
- DNS ASK co###eklatch.be
- DNS ASK pl###int.com
- DNS ASK pl###itness.hr
- DNS ASK el###ducto.cl
- DNS ASK mo###store.com
- DNS ASK ac####-network.org
- DNS ASK sa###ordell.dk
- DNS ASK id#####affinginc.net
- DNS ASK tu##nq.am
- DNS ASK ny##bek.com
- DNS ASK he##ool.ee
- DNS ASK ts#.org.in
- DNS ASK de####gymnasiet.se
- DNS ASK th####elens.co.za
- DNS ASK kr####rservice.ch
- DNS ASK ry##klev.ru
- DNS ASK bo###sluis.nl
- DNS ASK os######sadenreinigung.ch
- DNS ASK bi###co2ver.eu
- DNS ASK ne###rk9.biz
- DNS ASK ab##.org.br
- DNS ASK ma####cleanusa.com
- DNS ASK pa###denhaut.ch
- DNS ASK wa####ftware.co.uk
- DNS ASK cl######beachbootcamp.com
- DNS ASK fp#####tspartners.com
- DNS ASK nu#######taldeescobar.com.ar
- DNS ASK cc###asur.com
- DNS ASK so######eslogisticas3pl.com
- DNS ASK mu###vision.tv
- DNS ASK ho#i.de
- DNS ASK ba####feline.org.uk
- DNS ASK tu####novypochod.sk
- DNS ASK an##kaz.com
- DNS ASK ev#l.ee
- DNS ASK te##ki.com
- DNS ASK re#####ebnbcabins.com
- DNS ASK hv##r.com
- DNS ASK um####firmen365.ch
- DNS ASK ke####bsmith.com
- DNS ASK be##kov.com
- DNS ASK si###rknospe.ch
- DNS ASK bo##co.com
- DNS ASK tc###teria.dk
- DNS ASK uk####enthouses.com
- DNS ASK hu#####ranslations.com
- DNS ASK hi##ocom.hr
- DNS ASK od####rfwetter.de
- DNS ASK to###gi.doyu.jp
- DNS ASK ob###htweine.ch
- DNS ASK su###conti.eu
- DNS ASK co####osalta.org.ar
- DNS ASK ob###uehle.ch
- DNS ASK sp######uetzen-aarwangen.ch
- DNS ASK ky###oga.com
- DNS ASK sp######eshoppefranklin.com
- DNS ASK kl###ridders.de
- DNS ASK ru###fhecke.be
- DNS ASK gi###aradise.sk
- DNS ASK pa####nasaares.fi
- DNS ASK ju##k.org
- DNS ASK hi####reworks.ch
- DNS ASK pi#####nsforskola.se
- DNS ASK be##ake.com
- DNS ASK ma###uleen.com
- DNS ASK pu##en.com
- DNS ASK fo##eco.org
- DNS ASK ma###dany.de
- DNS ASK pj##lima.pl
- DNS ASK or#####arnaval.co.za
- DNS ASK en###rockas.cl
- DNS ASK ve######globalwallet.com
- DNS ASK da######arten-hamburg.de
- DNS ASK be####bahiscim.com
- DNS ASK ca####gfalkudden.se
- DNS ASK fa##n.se
- DNS ASK ma######uringevent.co.uk
- DNS ASK to###g2000.com
- DNS ASK av#####productions.nl
- DNS ASK sm####gue.com.ar
- DNS ASK ca###rflux.com
- DNS ASK sp####moshaver.ir
- DNS ASK tr####matfors.se
- DNS ASK x1.#.lencr.org
- DNS ASK te##te.in
- DNS ASK ms#####rchcenter.top
- DNS ASK microsoft.com
- DNS ASK au####e-energie.fr
- DNS ASK ca###atches.com
- DNS ASK ve####ano-party.it
- DNS ASK pa###dstak.com
- DNS ASK lu###hoo.com
- DNS ASK vi###nova.be
- DNS ASK ro###nwest.best
- DNS ASK al####services.in
- DNS ASK we#####horsereview.com
- DNS ASK nt##.co.th
- DNS ASK wa####and.com.hk
- DNS ASK mo###eghetop.it
- DNS ASK ga####haus-lampe.de
- DNS ASK wi####tarquin.co.uk
- DNS ASK su#######rsonaltraining.co.uk
- DNS ASK p-##s.ch
- DNS ASK me##puu.ee
- DNS ASK er####namasaza.si
- DNS ASK la###romat.no
- DNS ASK 10###wthroad.ie
- DNS ASK pa#####teconfluence.be
- DNS ASK zu###hbybike.ch
- DNS ASK gn####llorca.com
- DNS ASK gr######g-foundation.org
- DNS ASK ko#####l-rideklub.dk
- DNS ASK ex###vagario.mx
- DNS ASK dv#.dk
- DNS ASK mg####oup.com.au
- DNS ASK ho#######rancegreatdunmow.co.uk
- DNS ASK gr####amatskola.lv
- DNS ASK do#####hakshuka.co.il
- DNS ASK pa#l.ee
- DNS ASK ba####tudios.com
- DNS ASK va###keuruu.fi
- DNS ASK st####ozzone.com
- DNS ASK de####guide.co.uk
- DNS ASK po#####onedigital.co.uk
- DNS ASK hd##.net
- DNS ASK de###dvis.eu
- DNS ASK te#####odturnings.com
- DNS ASK tu####agency.com
- DNS ASK le##a.dk
- DNS ASK ph####.jacksonhuang.com
- DNS ASK le###peele.com
- DNS ASK ja####xposures.com
- DNS ASK la#####acatering.com
- DNS ASK in###ogroup.com
- DNS ASK cs####otocol.com
- DNS ASK fa##ud.ro
- DNS ASK az####arketing.com
- DNS ASK ma####tmaynen.com
- DNS ASK at##mel.ee
- DNS ASK da###-ke.net
- DNS ASK jt####matizacion.cl
- DNS ASK os####ilho.com.br
- DNS ASK to####duerring.com
- DNS ASK gr####society.ro
- DNS ASK ed###dpunset.es
- DNS ASK 5k##.com
- DNS ASK st#####lsenautobody.com
- DNS ASK to###hmid.ch
- DNS ASK js###eningen.ch
- DNS ASK du####usic.com.ar
- DNS ASK co#######-office-headquator.com
- DNS ASK pa###rasbox.pub
- DNS ASK en####lonsuites.com
- 'localhost':123
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- '%TEMP%\f565.exe'
- '%APPDATA%\ajruiat'
- '<SYSTEM32>\rdrleakdiag\services.exe'
- '%TEMP%\a22e.exe'
- '%TEMP%\650d.exe'
- '%WINDIR%\syswow64\wscript.exe' "C:\reviewbrokercrtCommon\kB5VrhbV.vbe"
- '%TEMP%\766c.exe'
- 'C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe'
- '%TEMP%\1305.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%TEMP%\ff36.exe'
- '%TEMP%\38de.exe'
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\cIC5iz3aNi.bat"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
- '%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)
- '%APPDATA%\ajruiat' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Internet Explorer\iedvtool\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'<SYSTEM32>\Wwanpref\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'<SYSTEM32>\PrintBrmUi\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "reviewbrokercrtCommonsessionperfDll" /sc ONLOGON /tr "'C:\reviewbrokercrtCommon\94dfcaErtMmvX\reviewbrokercrtCommonsessionperfDll.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'<SYSTEM32>\rdrleakdiag\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc ONLOGON /tr "'<Current directory>\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\cIC5iz3aNi.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
- '<SYSTEM32>\taskeng.exe' {A9650D67-7DC6-4E3C-96C0-FD8D9E163A27} S-1-5-21-1960123792-2022915161-3775307078-1001:dtpzodzwfi\user:Interactive:[1]