BackDoor.RevetratNET.2

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'df43efbc70c1b3d01262a4a5a2e4cecd' = '"%TEMP%\server.exe" ..'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'df43efbc70c1b3d01262a4a5a2e4cecd' = '"%TEMP%\server.exe" ..'

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\client.exe

Malicious functions

Executes the following

'%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE

Modifies file system

Creates the following files

%TEMP%\fjrjb1r9.0.vb
%APPDATA%\random\default\qip 2012.exe
%TEMP%\agwf5lyd.0.vb
%TEMP%\agwf5lyd.cmdline
%TEMP%\agwf5lyd.out
%TEMP%\vbcc5af.tmp
%TEMP%\resc5b0.tmp
%APPDATA%\random\default\telegram.exe
%TEMP%\resd318.tmp
%TEMP%\hmsnhnht.0.vb
%TEMP%\hmsnhnht.out
%TEMP%\vbccc34.tmp
%TEMP%\rescc35.tmp
%APPDATA%\random\default\total commander 64 bit.exe
%TEMP%\tgcizlup.0.vb
%TEMP%\tgcizlup.cmdline
%TEMP%\tgcizlup.out
%TEMP%\vbcbd65.tmp
%TEMP%\resbd66.tmp
%TEMP%\hmsnhnht.cmdline
%TEMP%\vbcd317.tmp
%TEMP%\wtbbboi0.0.vb
%TEMP%\vbca534.tmp
%TEMP%\resa535.tmp
%APPDATA%\random\optional\winamp.exe
%TEMP%\vbn5ey4s.0.vb
%TEMP%\vbn5ey4s.cmdline
%TEMP%\vbn5ey4s.out
%TEMP%\vbcaef4.tmp
%TEMP%\resaef5.tmp
%APPDATA%\random\default\icq.exe
%TEMP%\qkpblepb.0.vb
%TEMP%\qkpblepb.cmdline
%TEMP%\qkpblepb.out
%TEMP%\vbcb6b1.tmp
%TEMP%\resb6b2.tmp
%APPDATA%\random\default\mail.ru agent.exe
%TEMP%\wtbbboi0.cmdline
%TEMP%\zfcdqiuw.cmdline
%TEMP%\wtbbboi0.out
%TEMP%\vbc711a.tmp
%APPDATA%\random\default\acrobat reader dc.exe
%APPDATA%\random\default\mozilla thunderbird.exe
%TEMP%\29emgkty.cmdline
%TEMP%\29emgkty.out
%TEMP%\vbc434.tmp
%TEMP%\res445.tmp
%APPDATA%\random\default\opera.exe
%TEMP%\u1pgra5b.0.vb
%TEMP%\u1pgra5b.cmdline
%TEMP%\bghtz8nt.0.vb
%TEMP%\u1pgra5b.out
%TEMP%\resc21.tmp
%APPDATA%\random\default\steam.exe
%TEMP%\lykp5_bv.0.vb
%TEMP%\lykp5_bv.cmdline
%TEMP%\lykp5_bv.out
%TEMP%\vbc11db.tmp
%TEMP%\resfcb7.tmp
%TEMP%\vbcfca6.tmp
%TEMP%\29emgkty.0.vb
%TEMP%\5-pm5cax.out
%TEMP%\5-pm5cax.cmdline
%TEMP%\bghtz8nt.cmdline
%TEMP%\vbce9f1.tmp
%TEMP%\rese9f2.tmp
%APPDATA%\random\default\google chrome.exe
%TEMP%\t_blouis.0.vb
%TEMP%\t_blouis.cmdline
%TEMP%\t_blouis.out
%TEMP%\zfcdqiuw.0.vb
%TEMP%\vbceff9.tmp
%TEMP%\zfcdqiuw.out
%APPDATA%\random\default\mirc.exe
%TEMP%\7jsgo5sy.cmdline
%TEMP%\7jsgo5sy.out
%TEMP%\vbcf65f.tmp
%TEMP%\resf670.tmp
%APPDATA%\random\default\mozilla firefox.exe
%TEMP%\5-pm5cax.0.vb
%TEMP%\reseffa.tmp
%TEMP%\bghtz8nt.out
%TEMP%\7jsgo5sy.0.vb
%APPDATA%\random\optional\qip 2012.exe
%TEMP%\res9e23.tmp
%TEMP%\vbc9e22.tmp
%TEMP%\7rptppll.0.vb
%TEMP%\7rptppll.cmdline
%TEMP%\7rptppll.out
%TEMP%\vbc53ab.tmp
%TEMP%\res53ac.tmp
%APPDATA%\random\mail.ru agent.exe
%TEMP%\gbhawzuv.0.vb
%TEMP%\gbhawzuv.cmdline
%TEMP%\gbhawzuv.out
%TEMP%\vbc5afb.tmp
%TEMP%\res5b0b.tmp
%APPDATA%\random\opera.exe
%TEMP%\a4biy_dp.0.vb
%TEMP%\a4biy_dp.cmdline
%TEMP%\a4biy_dp.out
%TEMP%\vbc4c7a.tmp
%TEMP%\b_6dyebk.cmdline
%APPDATA%\random\internet explorer.exe
%TEMP%\b_6dyebk.out
%TEMP%\b_6dyebk.0.vb
%TEMP%\vbc3d9c.tmp
%TEMP%\fjrjb1r9.out
%TEMP%\vbc314c.tmp
%TEMP%\res314d.tmp
%TEMP%\582.exe
%APPDATA%\client.exe
%TEMP%\v9vr4ep3.0.vb
%TEMP%\v9vr4ep3.cmdline
%TEMP%\vbc6103.tmp
%TEMP%\res11dc.tmp
%TEMP%\v9vr4ep3.out
%APPDATA%\random\google chrome.exe
%TEMP%\iybe4jqp.0.vb
%TEMP%\iybe4jqp.cmdline
%TEMP%\iybe4jqp.out
%TEMP%\vbc44cc.tmp
%TEMP%\res44cd.tmp
%APPDATA%\random\icq.exe
%TEMP%\fjrjb1r9.cmdline
%TEMP%\res3d9d.tmp
%TEMP%\vbcc11.tmp
%TEMP%\res6114.tmp
%TEMP%\0zwfmhia.out
%TEMP%\3ymqevyw.0.vb
%TEMP%\3ymqevyw.cmdline
%TEMP%\3ymqevyw.out
%TEMP%\vbc87f4.tmp
%TEMP%\res8804.tmp
%APPDATA%\random\optional\mail.ru agent.exe
%TEMP%\res4c7b.tmp
%TEMP%\myrdalyc.0.vb
%TEMP%\myrdalyc.out
%TEMP%\vbc9405.tmp
%TEMP%\res9415.tmp
%APPDATA%\random\optional\mozilla thunderbird.exe
%TEMP%\xb3zcss2.0.vb
%TEMP%\xb3zcss2.cmdline
%TEMP%\xb3zcss2.out
%TEMP%\vbc8297.tmp
%TEMP%\myrdalyc.cmdline
%APPDATA%\random\optional\launch internet explorer browser.exe
%TEMP%\res8298.tmp
%TEMP%\toeauduk.out
%TEMP%\toeauduk.cmdline
%TEMP%\server.exe
%TEMP%\vbc6a27.tmp
%TEMP%\res6a38.tmp
%APPDATA%\random\windows media player.exe
%TEMP%\apkjwpxk.0.vb
%TEMP%\apkjwpxk.cmdline
%APPDATA%\random\windows explorer.exe
%TEMP%\apkjwpxk.out
%TEMP%\0zwfmhia.0.vb
%TEMP%\res711b.tmp
%TEMP%\xqnd15si.0.vb
%TEMP%\xqnd15si.cmdline
%TEMP%\xqnd15si.out
%TEMP%\vbc7c60.tmp
%TEMP%\res7c61.tmp
%APPDATA%\random\optional\icq.exe
%TEMP%\0zwfmhia.cmdline
%TEMP%\toeauduk.0.vb
%APPDATA%\random\optional\google chrome.exe
%APPDATA%\random\default\winamp.exe

Deletes the following files

%TEMP%\res314d.tmp
%TEMP%\rescc35.tmp
%TEMP%\wtbbboi0.cmdline
%TEMP%\resc5b0.tmp
%TEMP%\vbcc5af.tmp
%TEMP%\agwf5lyd.cmdline
%TEMP%\agwf5lyd.out
%TEMP%\agwf5lyd.0.vb
%TEMP%\vbccc34.tmp
%TEMP%\vbn5ey4s.cmdline
%TEMP%\hmsnhnht.out
%TEMP%\hmsnhnht.cmdline
%TEMP%\hmsnhnht.0.vb
%TEMP%\resd318.tmp
%TEMP%\vbcd317.tmp
%TEMP%\tgcizlup.out
%TEMP%\wtbbboi0.0.vb
%TEMP%\wtbbboi0.out
%TEMP%\qkpblepb.out
%TEMP%\qkpblepb.0.vb
%TEMP%\qkpblepb.cmdline
%TEMP%\vbcb6b1.tmp
%TEMP%\resb6b2.tmp
%TEMP%\vbn5ey4s.0.vb
%TEMP%\vbca534.tmp
%TEMP%\tgcizlup.0.vb
%TEMP%\vbcaef4.tmp
%TEMP%\resaef5.tmp
%TEMP%\zfcdqiuw.0.vb
%TEMP%\zfcdqiuw.cmdline
%TEMP%\zfcdqiuw.out
%TEMP%\vbcbd65.tmp
%TEMP%\vbn5ey4s.out
%TEMP%\resbd66.tmp
%TEMP%\tgcizlup.cmdline
%TEMP%\bghtz8nt.0.vb
%TEMP%\5-pm5cax.out
%TEMP%\res445.tmp
%TEMP%\vbc434.tmp
%TEMP%\29emgkty.out
%TEMP%\29emgkty.0.vb
%TEMP%\29emgkty.cmdline
%TEMP%\vbcc11.tmp
%TEMP%\5-pm5cax.0.vb
%TEMP%\u1pgra5b.0.vb
%TEMP%\u1pgra5b.out
%TEMP%\u1pgra5b.cmdline
%TEMP%\res11dc.tmp
%TEMP%\vbc11db.tmp
%TEMP%\lykp5_bv.out
%TEMP%\5-pm5cax.cmdline
%TEMP%\vbcfca6.tmp
%TEMP%\apkjwpxk.cmdline
%TEMP%\bghtz8nt.cmdline
%TEMP%\reseffa.tmp
%TEMP%\vbceff9.tmp
%TEMP%\t_blouis.cmdline
%TEMP%\rese9f2.tmp
%TEMP%\bghtz8nt.out
%TEMP%\vbce9f1.tmp
%TEMP%\t_blouis.out
%TEMP%\7jsgo5sy.0.vb
%TEMP%\7jsgo5sy.cmdline
%TEMP%\7jsgo5sy.out
%TEMP%\resfcb7.tmp
%TEMP%\t_blouis.0.vb
%TEMP%\resf670.tmp
%TEMP%\vbcf65f.tmp
%TEMP%\resa535.tmp
%TEMP%\xb3zcss2.out
%TEMP%\xb3zcss2.0.vb
%TEMP%\b_6dyebk.cmdline
%TEMP%\b_6dyebk.out
%TEMP%\b_6dyebk.0.vb
%TEMP%\res53ac.tmp
%TEMP%\vbc53ab.tmp
%TEMP%\7rptppll.0.vb
%TEMP%\7rptppll.cmdline
%TEMP%\a4biy_dp.0.vb
%TEMP%\res5b0b.tmp
%TEMP%\vbc5afb.tmp
%TEMP%\gbhawzuv.cmdline
%TEMP%\gbhawzuv.0.vb
%TEMP%\gbhawzuv.out
%TEMP%\res6114.tmp
%TEMP%\vbc4c7a.tmp
%TEMP%\res4c7b.tmp
%TEMP%\vbc314c.tmp
%TEMP%\v9vr4ep3.out
%TEMP%\iybe4jqp.cmdline
%TEMP%\iybe4jqp.0.vb
%TEMP%\iybe4jqp.out
%TEMP%\vbc44cc.tmp
%TEMP%\res44cd.tmp
%TEMP%\7rptppll.out
%TEMP%\v9vr4ep3.cmdline
%TEMP%\a4biy_dp.out
%TEMP%\vbc3d9c.tmp
%TEMP%\res3d9d.tmp
%TEMP%\fjrjb1r9.0.vb
%TEMP%\fjrjb1r9.out
%TEMP%\fjrjb1r9.cmdline
%TEMP%\v9vr4ep3.0.vb
%TEMP%\vbc6103.tmp
%TEMP%\a4biy_dp.cmdline
%TEMP%\toeauduk.out
%TEMP%\vbc87f4.tmp
%TEMP%\3ymqevyw.0.vb
%TEMP%\3ymqevyw.out
%TEMP%\3ymqevyw.cmdline
%TEMP%\toeauduk.cmdline
%TEMP%\res6a38.tmp
%TEMP%\res8804.tmp
%TEMP%\res9415.tmp
%TEMP%\myrdalyc.cmdline
%TEMP%\res9e23.tmp
%TEMP%\vbc9e22.tmp
%TEMP%\xb3zcss2.cmdline
%TEMP%\vbc9405.tmp
%TEMP%\myrdalyc.0.vb
%TEMP%\myrdalyc.out
%TEMP%\resc21.tmp
%TEMP%\lykp5_bv.0.vb
%TEMP%\res8298.tmp
%TEMP%\xqnd15si.cmdline
%TEMP%\xqnd15si.out
%TEMP%\xqnd15si.0.vb
%TEMP%\vbc7c60.tmp
%TEMP%\res7c61.tmp
%TEMP%\apkjwpxk.out
%TEMP%\toeauduk.0.vb
%TEMP%\apkjwpxk.0.vb
%TEMP%\vbc711a.tmp
%TEMP%\res711b.tmp
%TEMP%\0zwfmhia.cmdline
%TEMP%\0zwfmhia.0.vb
%TEMP%\0zwfmhia.out
%TEMP%\vbc6a27.tmp
%TEMP%\vbc8297.tmp
%TEMP%\lykp5_bv.cmdline

Moves the following files

from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk to %APPDATA%\random\google chrome.lnk
from C:\users\public\desktop\opera.lnk to %APPDATA%\random\default\opera.lnk
from C:\users\public\desktop\mozilla thunderbird.lnk to %APPDATA%\random\default\mozilla thunderbird.lnk
from C:\users\public\desktop\mozilla firefox.lnk to %APPDATA%\random\default\mozilla firefox.lnk
from C:\users\public\desktop\mirc.lnk to %APPDATA%\random\default\mirc.lnk
from C:\users\public\desktop\google chrome.lnk to %APPDATA%\random\default\google chrome.lnk
from C:\users\public\desktop\acrobat reader dc.lnk to %APPDATA%\random\default\acrobat reader dc.lnk
from %HOMEPATH%\desktop\total commander 64 bit.lnk to %APPDATA%\random\default\total commander 64 bit.lnk
from %HOMEPATH%\desktop\telegram.lnk to %APPDATA%\random\default\telegram.lnk
from %HOMEPATH%\desktop\qip 2012.lnk to %APPDATA%\random\default\qip 2012.lnk
from %HOMEPATH%\desktop\mail.ru agent.lnk to %APPDATA%\random\default\mail.ru agent.lnk
from %HOMEPATH%\desktop\icq.lnk to %APPDATA%\random\default\icq.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\window switcher.lnk to %APPDATA%\random\optional\window switcher.lnk
from C:\users\public\desktop\steam.lnk to %APPDATA%\random\default\steam.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\winamp.lnk to %APPDATA%\random\optional\winamp.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\qip 2012.lnk to %APPDATA%\random\optional\qip 2012.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\mozilla thunderbird.lnk to %APPDATA%\random\optional\mozilla thunderbird.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\mail.ru agent.lnk to %APPDATA%\random\optional\mail.ru agent.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk to %APPDATA%\random\optional\launch internet explorer browser.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\icq.lnk to %APPDATA%\random\optional\icq.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk to %APPDATA%\random\optional\google chrome.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows media player.lnk to %APPDATA%\random\windows media player.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\windows explorer.lnk to %APPDATA%\random\windows explorer.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\opera.lnk to %APPDATA%\random\opera.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\mail.ru agent.lnk to %APPDATA%\random\mail.ru agent.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk to %APPDATA%\random\internet explorer.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\icq.lnk to %APPDATA%\random\icq.lnk
from %APPDATA%\microsoft\internet explorer\quick launch\shows desktop.lnk to %APPDATA%\random\optional\shows desktop.lnk
from C:\users\public\desktop\winamp.lnk to %APPDATA%\random\default\winamp.lnk

Substitutes the following files

%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\Users\Public\Desktop\Opera.lnk
C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
C:\Users\Public\Desktop\mIRC.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
%HOMEPATH%\Desktop\Total Commander 64 bit.lnk
%HOMEPATH%\Desktop\Telegram.lnk
%HOMEPATH%\Desktop\QIP 2012.lnk
%HOMEPATH%\Desktop\Mail.Ru Agent.lnk
%HOMEPATH%\Desktop\ICQ.lnk
C:\Users\Public\Desktop\Steam.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mail.Ru Agent.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\ICQ.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru Agent.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ICQ.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\QIP 2012.lnk
C:\Users\Public\Desktop\Winamp.lnk

Network activity

Connects to

'14#.#1.246.87':9797
'14#.#1.246.87':9696

Miscellaneous

Creates and executes the following

'%TEMP%\582.exe'
'%TEMP%\server.exe'
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA535.tmp" "%TEMP%\vbcA534.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\vbn5ey4s.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEF5.tmp" "%TEMP%\vbcAEF4.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qkpblepb.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB6B2.tmp" "%TEMP%\vbcB6B1.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtbbboi0.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBD66.tmp" "%TEMP%\vbcBD65.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\agwf5lyd.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC5B0.tmp" "%TEMP%\vbcC5AF.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hmsnhnht.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCC35.tmp" "%TEMP%\vbcCC34.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lykp5_bv.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\tgcizlup.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bghtz8nt.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9F2.tmp" "%TEMP%\vbcE9F1.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\t_blouis.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESEFFA.tmp" "%TEMP%\vbcEFF9.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7jsgo5sy.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF670.tmp" "%TEMP%\vbcF65F.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5-pm5cax.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFCB7.tmp" "%TEMP%\vbcFCA6.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\29emgkty.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES445.tmp" "%TEMP%\vbc434.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\u1pgra5b.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC21.tmp" "%TEMP%\vbcC11.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fjrjb1r9.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zfcdqiuw.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9E23.tmp" "%TEMP%\vbc9E22.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xb3zcss2.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES314D.tmp" "%TEMP%\vbc314C.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v9vr4ep3.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D9D.tmp" "%TEMP%\vbc3D9C.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iybe4jqp.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES44CD.tmp" "%TEMP%\vbc44CC.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b_6dyebk.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7B.tmp" "%TEMP%\vbc4C7A.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7rptppll.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53AC.tmp" "%TEMP%\vbc53AB.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gbhawzuv.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5B0B.tmp" "%TEMP%\vbc5AFB.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4biy_dp.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD318.tmp" "%TEMP%\vbcD317.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6114.tmp" "%TEMP%\vbc6103.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6A38.tmp" "%TEMP%\vbc6A27.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apkjwpxk.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES711B.tmp" "%TEMP%\vbc711A.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xqnd15si.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C61.tmp" "%TEMP%\vbc7C60.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\toeauduk.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8298.tmp" "%TEMP%\vbc8297.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3ymqevyw.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8804.tmp" "%TEMP%\vbc87F4.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\myrdalyc.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9415.tmp" "%TEMP%\vbc9405.tmp"' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0zwfmhia.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11DC.tmp" "%TEMP%\vbc11DB.tmp"' (with hidden window)

Executes the following

'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\fjrjb1r9.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEF5.tmp" "%TEMP%\vbcAEF4.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\qkpblepb.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB6B2.tmp" "%TEMP%\vbcB6B1.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wtbbboi0.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBD66.tmp" "%TEMP%\vbcBD65.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\agwf5lyd.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC5B0.tmp" "%TEMP%\vbcC5AF.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\hmsnhnht.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCC35.tmp" "%TEMP%\vbcCC34.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\tgcizlup.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA535.tmp" "%TEMP%\vbcA534.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\vbn5ey4s.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD318.tmp" "%TEMP%\vbcD317.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\t_blouis.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESEFFA.tmp" "%TEMP%\vbcEFF9.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7jsgo5sy.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF670.tmp" "%TEMP%\vbcF65F.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\5-pm5cax.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESFCB7.tmp" "%TEMP%\vbcFCA6.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\29emgkty.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES445.tmp" "%TEMP%\vbc434.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\u1pgra5b.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC21.tmp" "%TEMP%\vbcC11.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\bghtz8nt.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE9F2.tmp" "%TEMP%\vbcE9F1.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\zfcdqiuw.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9E23.tmp" "%TEMP%\vbc9E22.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xb3zcss2.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\v9vr4ep3.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D9D.tmp" "%TEMP%\vbc3D9C.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\iybe4jqp.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES44CD.tmp" "%TEMP%\vbc44CC.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\b_6dyebk.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4C7B.tmp" "%TEMP%\vbc4C7A.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\7rptppll.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53AC.tmp" "%TEMP%\vbc53AB.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\gbhawzuv.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5B0B.tmp" "%TEMP%\vbc5AFB.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\a4biy_dp.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES314D.tmp" "%TEMP%\vbc314C.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6114.tmp" "%TEMP%\vbc6103.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6A38.tmp" "%TEMP%\vbc6A27.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\apkjwpxk.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES711B.tmp" "%TEMP%\vbc711A.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\xqnd15si.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7C61.tmp" "%TEMP%\vbc7C60.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\toeauduk.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8298.tmp" "%TEMP%\vbc8297.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\3ymqevyw.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8804.tmp" "%TEMP%\vbc87F4.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\myrdalyc.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9415.tmp" "%TEMP%\vbc9405.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\0zwfmhia.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lykp5_bv.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11DC.tmp" "%TEMP%\vbc11DB.tmp"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней