Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'Client Server Runtime Subsystem' = '"%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe"'
Creates the following files on removable media
- <Drive name for removable media>:\readme1.txt
- <Drive name for removable media>:\readme2.txt
- <Drive name for removable media>:\readme3.txt
- <Drive name for removable media>:\readme4.txt
- <Drive name for removable media>:\readme5.txt
- <Drive name for removable media>:\readme6.txt
- <Drive name for removable media>:\readme7.txt
- <Drive name for removable media>:\readme8.txt
- <Drive name for removable media>:\readme9.txt
- <Drive name for removable media>:\readme10.txt
Malicious functions
Creates and executes the following
- '%TEMP%\rade0614.tmp'
Modifies file system
Creates the following files
- %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\1c[1].jpg
- C:\readme9.txt
- C:\readme8.txt
- C:\readme7.txt
- C:\readme6.txt
- C:\readme5.txt
- C:\readme4.txt
- C:\readme3.txt
- C:\readme2.txt
- C:\readme1.txt
- D:\readme10.txt
- D:\readme9.txt
- D:\readme8.txt
- C:\readme10.txt
- D:\readme7.txt
- D:\readme5.txt
- D:\readme4.txt
- D:\readme3.txt
- D:\readme2.txt
- D:\readme1.txt
- %TEMP%\6893a5~1\cached-microdescs.new
- %TEMP%\6893a5~1\cached-microdesc-consensus.tmp
- %TEMP%\6893a5~1\cached-certs.tmp
- %TEMP%\6893a5~1\unverified-microdesc-consensus.tmp
- %TEMP%\6893a5~1\state.tmp
- %ALLUSERSPROFILE%\application data\windows\csrss.exe
- %TEMP%\rade0614.tmp
- D:\readme6.txt
- %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\extensions.json
Deletes the following files
- %TEMP%\6893a5~1\unverified-microdesc-consensus
- %TEMP%\6893a5~1\state
Moves the following files
- from %TEMP%\6893a5~1\state.tmp to %TEMP%\6893a5~1\state
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\prefs.js_20150820130023.backup to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\gjl3gilrxe1anlb6kc2s7nirqlbvzudg5hanpht8--gk6wwjurse5um+sc0pnecixbq83k3ehmmggpoip3cedg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\prefs.js_20150820125841.backup to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\mxbkapbdrxfnlpl1apk+-us2wvge28ojpiwssdjn3azjwocid+gbewnylcqoxlub1kjlt6wipmthwk3mi9l28g==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\pluginreg.dat to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\moyr46ersk1l-hwfjth64siew9quqh2sxsx3wrnzw9m=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\prefs.js to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\9gdbbllrhtnipi6l-yn8ia==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\xulstore.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\89epxyhilageuhqxrcx9ojs9n1lxw8yvotzdru46qmc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\mimetypes.rdf to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\qbcg9kporz7lzfneelkpvm-p6qb6kmdbzjoxnyw7c2s=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\extensions.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\nkt0v7fcziwvx7xrev6tmthwzivchstx0tbpgkg-8we=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\extensions.ini to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\mtwjwy85wv0moi-hsz52npogevw7cx4fm8kwxfr0tt8=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\user.js to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\enlh+rbifdjwof90kzwiow==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\times.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\6eaxjn1swtytcflctg+yrk1svxqr9zlhgrjjqt61+h4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\compatibility.ini to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\r4dybwoq22jrpwfejdnds5xawm0uvdg32k8r3fyka2zhasowylv9qrggic5qn7j9.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\search-metadata.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\wncvlomc6y7rjdvjv+htaj9veauzahgvee8nkyhfsrmvfcocylcduovlwxdwywdd.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\revocations.txt to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\s+mkskxizqvn2yaeldbqri+4a+moroik9mkntjdcehg=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sitesecurityservicestate.txt to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\s2pjnzd39eo6p8f-ybzmcvmxwg-mvtqx4c7fcmscifkejr7vtm5933ue8eiexfvr4ahgjzm0eu3dtkomsvxxpq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles.ini to %APPDATA%\mozilla\firefox\khue42sx0axberoc5qeeenjz9otjsxyc+zx6hvysmhq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mirc\scripts\popups.ini to %APPDATA%\mirc\scripts\tutlvhgmull9qdqoyx3vyce4odytozzffpqyajqyncm=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mirc\scripts\aliases.ini to %APPDATA%\mirc\scripts\fn8pfddhwax1mfc3qufmroviudkbbaa3sbjawwqhtwg=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mirc\urls.ini to %APPDATA%\mirc\jgqtuxxsh3xnqzjmhfllng==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mirc\servers.ini to %APPDATA%\mirc\93wl7zicq2c2jtirn61rw7dun0cfixyfse6ic7zv2yi=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mirc\mirc.ini to %APPDATA%\mirc\odpl5-zal4y+e6ixo+d46w==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\uproof\custom.dic to %APPDATA%\microsoft\uproof\jhrtu+hyppykpc5ijc55vgz7bfj9vb5vvkeqjtdivps=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\templates\normal.dotm to %APPDATA%\microsoft\templates\dv-s4xdry5nnmp3rblqnap9g7sfdmqiq0sn9viw-8z4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\publisher\pubcmd12.dat to %APPDATA%\microsoft\publisher\toxkezrms6t9bnzomddeaj2awp-cpjt9akyqqt7uiy8=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\outlook\outlook.xml to %APPDATA%\microsoft\outlook\tr-yccbwfviihpsmx7zhny74fftbzdbyi1keap6bjic=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\outlook\outcmd.dat to %APPDATA%\microsoft\outlook\utkcultort-0-bh6sxrfstoh7hdzgx-fcsog49bwkju=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\blocklist.xml to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\ekhxqnf45kqfbk5ko7mjoppx7kkw0uqnygrjxqqerdu=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\addons.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\dfzw2pk+xfkvwqcvyqcezfdre8bjeg7rvqzbai7qz94=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\search.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\lli82n78qd4an3krlu1imdhjwj1suvb8m7brwt++x-c=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\secmod.db to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\ffxgpmm8dps0zstlae3ooc9bo31a3fxelgkqbzqt260=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sessioncheckpoints.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\wzzohu7sknixvl2gmy5xpumiddlqeok2a2c0bl10ujfwylu1keyo3usqxitpldoq.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\update_prefs.json to %APPDATA%\opera software\opera stable\dlrfbbf1yegga8+ufd3psup2q92vyjr66+jilahtebvqvgxdzag8chuxzhjdcwk9.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\thumbnails.db to %APPDATA%\opera software\opera stable\2fpijn3+foajdmvylqxgnivdubebh26uhhlr7v16sq4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\siteprefs.json to %APPDATA%\opera software\opera stable\fe25cyx7v6ijdhgs5n2e75jqjkk9hao4y--k9+m15vy=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\preferences_20150820130020.backup to %APPDATA%\opera software\opera stable\l+rscfst59rqbgjkny46fgbajiulbxamby0ima-i30tmkd7njwqt5lzea1+bwu8x8ah+w4kgnl9hf+oodotbelvda0wnkvlenzp58+jajzo=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\preferences_20150820125838.backup to %APPDATA%\opera software\opera stable\hl90itvgpkih12g749twoq+je+h69wbw-ebnet4dy84pjvekj8dqj75g9v+qseqnh5rormwps4pg2ob3yop9w8sf1bmw7my3oqtc8ftxpso=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\opera_shutdown_ms.txt to %APPDATA%\opera software\opera stable\6t5vwbsh+xlfquv56pnu3ybgqwsi4l32u-wncfnylvar+wvrmurcowoomnmmysm7.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\favorites.db to %APPDATA%\opera software\opera stable\ryyhw5ejrwxbllszu86ogdwfjkqnhzjnuig637h8r3c=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\web data_20150820130020.backup to %APPDATA%\opera software\opera stable\zpe8r0bxvbohpvmr1jrfdcesvmsad0zst8ksqfmjo0fbdvylc1nxilgsya+83++-+xus-qxoqw5v1-ajl-lfqg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\default_partner_content.json to %APPDATA%\opera software\opera stable\mtmamyfdk2qsmqacb8wqso3l2zfvifmqvpufdbmlxlpt+wncmhghud0vtthn7nsnwowh33qfe6s50s2yyrw2ng==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\browser.js to %APPDATA%\opera software\opera stable\mbyybbgtncdjvw4xdohjzrmm5q+d7jo5aimx7vo2pnw=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820130023.backup to %APPDATA%\opera software\opera stable\ty1td2i1zyeywiag5t4xxwwwosnfvxeahnskkj-lfu38ltrvc8uujp7njixzw92tmiyii3fwisqlazfinx-q9q==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820130022.backup to %APPDATA%\opera software\opera stable\krnzzxmjmsquiqowwlrdyhnuxn5h5z5p-d99csh4yhqsz+z6oetocbyurcrb8q+3wcl+pjl1pisgo8ora+oqnq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\web data_20150820125838.backup to %APPDATA%\opera software\opera stable\d0qbvccspexacsrflop22ghetebauh1tneg6o9ylbofbbmilw9p+o4k4fs+ux9ekj560rhfgbxhgrtvgp+fzfg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820130021.backup to %APPDATA%\opera software\opera stable\rqcpmy6bsbuxddullesse1-g82ebb3jfpbft389ey-2yusgc87rvr15mnzebr-gfchjtaxiyhntsl583xy-p+a==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820125841.backup to %APPDATA%\opera software\opera stable\jfruqzx0kvpeqk0ezkmozdexsedxpqtm4pjyzjiqhmqyrnmtbacj7wq8em9pkonaokbhl63dztmf6in5g4n8zg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820125840.backup to %APPDATA%\opera software\opera stable\bpobs+hcl32e4a+lpke0qfx4non1+tiaqwi3mb2rs9xbn4xh430yj+dqvpcapbqld4f2rxdef4jb3na3udh4za==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820125839.backup to %APPDATA%\opera software\opera stable\zesln8cyykyad54cxmi5wc7gsntge9jiv68tozzmgxvaz0w38zxmifut9m7ervnrbb-ur4f2qyfudcecrhbyxq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820125838.backup to %APPDATA%\opera software\opera stable\jqervgxj8xunelilh9hliokizptw2eumh8n6icyh7iy8um6on46moghh+pyrlnpstrvvtfdvb6qjn1299l8vrq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks.bak to %APPDATA%\opera software\opera stable\i8vhmzks6mobfr80bvlrtvwuafaystfxcdsemyeo9rq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\searchplugins\yandex.ru-130023.xml to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\searchplugins\y1ieeejbhb0ssesry4qfu7fd7aqppj3cydoz-kf-phql5+bmohsdnbxmy-fhwv3q.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\searchplugins\yandex.ru-125841.xml to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\searchplugins\dpzxfi4mvzalllxa8xuynuzck8sozhhu5jas-itri9aqcmhpjokdfsxq+tnt7tcn.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\healthreport\state.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\healthreport\6ylqei9f9nvaccpxjcd6ylwudi0sqd1notraqkotgw0=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\webapps\webapps.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\webapps\hcemampcp1vofxbh2iu5atwyhfal8thxqlfwd22i4cy=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sessionstore-backups\recovery.js to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sessionstore-backups\twgufqzw7jyv8cnnotxumsnkneluldy98casqv-v+dw=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sessionstore-backups\previous.js to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\sessionstore-backups\mo1sgcex-s-7psehdc4x3v-rwnwvmju5aifiktiooro=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\datareporting\state.json to %APPDATA%\mozilla\firefox\profiles\22ie2h77.default\datareporting\fx4t5k-mckfarwarjiy+rktcy8t6jlbndrlwb7v95zm=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\bookmarks_20150820130020.backup to %APPDATA%\opera software\opera stable\6b7tapvfzukj6l4uac8rllccurkdxj4wqzo0pynkiffqqvxahaohrg8ncq5u4uq8m5mxaxoakkurklbivqonzq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\office\recent\index.dat to %APPDATA%\microsoft\office\recent\gg4-or+bilze+wbp73wm1ribeuc8rvpw8l2gomfgrgc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\internet explorer\brndlog.txt to %APPDATA%\microsoft\internet explorer\m5mwfmwgwmqm65xjifj97fkqldcpg1zuuivgm9+dkle=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_35.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\chyudx+w6relrnukjvndhwxnnr-hdesvj+7xxipuvkk=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\internet explorer\brndlog.bak to %APPDATA%\microsoft\internet explorer\hh8lgpfohzcewdtkkc0afqyezas5gpqb9+qvp3mrht0=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\telefon.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\ztfnshq2tih2eyggmyrzm2veflzd3euevtp5jevyxw8=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_phone.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\himlnkew3flpzx7q3i7cszdhnobnttwsxqcdbrecfqc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_online_title.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\lmhj5hicprzbd2cnp2nfw-ijipfbro-goij-by6-lbzhxnkm8jjh+b6+qbgclker.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_online.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\o511pr80leb58jtwvzoxslgkwfpo5jotupfkqr50tbp3oxp3zrajorwyaek3kxau.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_offline_title.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\pr-ryzjgbwwhyak6rxvaazkzbcgixaedcgkpamhac-zvxddgks2huy9dslay2nh+.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_offline.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\b9ihqvtzlc46kyrsvlisx7wfaof0pidw6iqrjazemijswvp7cztu+ry8ks18e66d.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_mobile.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\akpjalgyh+bntefil8x0n7d0hysgnth1zvriilhfkemt5iwxnuumpborkpknfagl.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_invisible_title.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\je5twvvlgatl6ua-+fqqpjl9v5xiuk79dd5pvjlrv5snnnhlfa9kyk+jnpaec9cgnq8rsmxqohojre6sjumnvw==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_invisible.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\gm3yye3idlpqctzqsq0ibhswan6-2azrj8arhc8nxlr3id2qwnp7kj2brvxhrrr+.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_gray_title.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\228muhkzdo+wz9xycjkyvbvesnujapz9eru6w92lttc-qvgaqd1llnomib+jyrcm.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_gray.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\ibmxr4jjqxowwzamvydnqd0hwr0e+kmb1falozbq9he=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\v_institute.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\w8ly4j3ladl8ulcpejkbuap21dbbnnema8dhfnb9eqo=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\vi_oshiblis_nomerom.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\odxx4ho2cuazwlhbya1rouegsz0xytgmna04zgngs6iucvcde8kerudls6o-pdq0.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_connecting.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\4txop1bcqgdpzd0b1u9rml5n5zkh9n87a2bjqpnammyx9+a6fto7srs+6msgjtpv.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_50.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\bck9l09lgznrwv2ug8plqapqxvm6sk0h23btxn+plyc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_49.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\v8ilcflnhjs8mgjkknft4jgqp+2afgpjgusfh8l+nua=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_45.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\skk3lur05hf4ttbfsmzucw1y-s8vfcynf1-0feexog0=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_44.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\od4vcugvpe2dsamqcngwm1x-cnho63y+9upc0jyuaem=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_43.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\mf9nldtf6ogzsncb7peuactubicqr89ji3aekvacti4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_42.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\taycazbtrelzf+llwyf7i-tjjpgud+ouaozp6fie8du=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_41.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\1ksns8flkpsl1i76oba67eea6345tvieaeeh3i4l+qc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_40.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\jt5-jwxjm2dtkh0t+p3sfxvuoaiqtg3p0ycn09sucqi=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_38.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\kbnqujfkqwzqdzxhnv5paknh7+wjq6hlgpycmsutyjm=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_37.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\imesovjyx7s591jyw+mith8sahwpj2ubfy-3shzftdg=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_36.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\njgmtu5mdqcqrv--id8tmv1bgkgocff2ycske5asgss=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_away_title.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\70aa+64nh-vg6-bi+eft4bqi1terq9uvfii44lskhwsb+jlbojjgywfdurqgxl4v.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_away.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\ewyfzjchdockrkqfkt7p0vxfa2gc9z7ccglxzc9ps2e=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\v_shkole.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\0rqqyha16hvuoimkegfi2dzzbfx3bpckm98bapkpgsa=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\wrong_data.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\qlibxhfymu+ctn9mslnm4mc0khaxgtuwu+4oj-digs0=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\vk\vkontakte_away.bmp to %APPDATA%\icqm\icq\smiles\statuses\vk\egmb6qtjq-g6zo21-tbl3szzndcxqawnzokkvedr8dbtswcabybf5plqar5whnif.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\dbgclr\7.1\objbrow.dat to %APPDATA%\microsoft\dbgclr\7.1\fp3+zagk44i4ws5mvsqooihgehi3so-zmietgnews6s=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\video\video.swf to %APPDATA%\icqm\icq\video\09qgf8zfj5ijeryub4ogxizgaz+0s2a1dq7hbfin8oq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_uz.xml to %APPDATA%\icqm\icq\translation\bi5ztsul3icw2ttbnio4-qig8jwumsxapdjo9tkytle=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_ua.xml to %APPDATA%\icqm\icq\translation\yrmb7r86tmhbtwgbhwej3n5hvex7lovb5hqphcrywfc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_tr.xml to %APPDATA%\icqm\icq\translation\57xpwhb79mevjifrhc8jtwgsz63toamsyafbqqm44nq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_ru.xml to %APPDATA%\icqm\icq\translation\eqctmlh4nexyjgwl9qiie2ftbdufd0o0dslwy2ag1ma=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_pt.xml to %APPDATA%\icqm\icq\translation\t3udwom9sqgl7tb+cwglixobi1bzxagxwjgn94gtyqa=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_kz.xml to %APPDATA%\icqm\icq\translation\e4iv6nq1wdt9aiczxgbdddvvcpoi7bfozhywqythydc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_en.xml to %APPDATA%\icqm\icq\translation\8ifs3oyxqr-8hhfuln7jluflyk4-egq2eokvjigbdlq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_de.xml to %APPDATA%\icqm\icq\translation\fbubcyiiw5qgmzwgrq6w1hju1ya13jpkazbsdjuqtgm=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\translation\mralang_cz.xml to %APPDATA%\icqm\icq\translation\ngj5+-k2y8iwnvsrobct04zc6eu0txg5v2ecs8oepsy=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\test_sound.wav to %APPDATA%\icqm\icq\sounds\easiul77haul9hnlg9uo9vqdt0f5ydaph9tgch6stvs=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\document building blocks\1033\building blocks.dotx to %APPDATA%\microsoft\document building blocks\1033\wav81jcygecnuysnvlllzjzqhrzwpv3ma7femzfklinh11129ekl-3f0kd8ygxam.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\start.wav to %APPDATA%\icqm\icq\sounds\nehk3ltews1hdotthersn0tlnhn9kmigx-4+pshrjik=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\otprav.wav to %APPDATA%\icqm\icq\sounds\oiouxpslk8fttonveeai7o7yi4rr2cstbvjjejew1po=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\otprav.mp3 to %APPDATA%\icqm\icq\sounds\7+sbwjs9ucwcy4oz2qrj7ykg+rfyubjslmqipv0s8wa=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\message.mp3 to %APPDATA%\icqm\icq\sounds\apkb+15ersoyt8yakufsswnutrc5ujyqsgxgxasxuxq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\letter.wav to %APPDATA%\icqm\icq\sounds\vsid0hvdmuhupg38ilhxtehrs9da57fnrg3hb-7uxzc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\error.wav to %APPDATA%\icqm\icq\sounds\hvuziso8lbyqwvhu-sp6i9rjttcdgysxnhtkxf5d55e=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\conference.mp3 to %APPDATA%\icqm\icq\sounds\1h3gtbcz1rl+xftzn78ecxz0awljalwj5+nw6+7cg6o=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\busy.mp3 to %APPDATA%\icqm\icq\sounds\t0eizpeod7ewihuskuovca==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\auth.mp3 to %APPDATA%\icqm\icq\sounds\a5am4cbqz1-nr4vb7p+mnq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\vk\vkontakte_online.bmp to %APPDATA%\icqm\icq\smiles\statuses\vk\d3h-mniq7i9kwapgy0gzkogobmjkosyqa+wyenncyohj3vx0qp+deps4l-hp73gt.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\vk\vkontakte_offline.bmp to %APPDATA%\icqm\icq\smiles\statuses\vk\glvh-zquui2ewekbgkxlhhmqeisc80ikfmg-qe5xevtrordvrjx1bar-ckog468p.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\vk\vkontakte_gray.bmp to %APPDATA%\icqm\icq\smiles\statuses\vk\kn5jukx9neekd-lg66bjh5kogwm1vrpnwjgu+wqlhg-u4rz4k849zcpfyscbdsog.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\vk\vkontakte_busy.bmp to %APPDATA%\icqm\icq\smiles\statuses\vk\g209s5v0nbd24zpiqsxoonrvivfbqvveiubqp9aylneeh-86kboj8q6n-ylfgplv.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\sounds\ring.mp3 to %APPDATA%\icqm\icq\sounds\h7jgqtzg2hdxpq0ddyrsqw==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\dictionaries\dictionaries.xml to %APPDATA%\opera software\opera stable\dictionaries\ko5nnbp7xk8mjdri2nj4hch7q2uci2rkhguiba5tbqc=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\microsoft\msdn\7.0\objbrow.dat to %APPDATA%\microsoft\msdn\7.0\ojxwmzediyjq1-36aj1byoqrtcloeum3wr5hwzlzwvq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\opera software\opera stable\extension state\000003.log to %APPDATA%\opera software\opera stable\extension state\+koplnfnikadpaw81oseo0r-rfb8q-2z-p0feq0feam=.447001cea96717fe2e89.crypted000007
- from %TEMP%\microsoft .net framework 4.5 setup_20150820_123115526.html to %TEMP%\wtm5vr9uba68cmw38xjfhri0ywhqyn-xm5ofmeu1wwrjffvygpctki00ptuw6ipnh6rrcawltlgn1urgjvcjpc7bjw0vs-l03u0iue6ps-nwydcxk1zgdvz9ta8x9wnyl441ffuwdyjqxtst5ldxdpab4vkol0tnl7j4slboaak=.447001cea9671...
- from %TEMP%\opera installer\opera_installer_20150820123552.log to %TEMP%\opera installer\1saybcyvdwdesfz1tkivvqrqf7bdl6iimzndupof7aatp+hya3ope5ts3mozfj4nen0qjb54t2nx-5mqcx5skgq4d2ah2dsetfqek1emwy0=.447001cea96717fe2e89.crypted000007
- from %TEMP%\history\history.ie5\index.dat to %TEMP%\history\history.ie5\o5rpujukgr-yh6s-sl3umlyfqkhrbysqfek+tkmxrqy=.447001cea96717fe2e89.crypted000007
- from %TEMP%\cookies\index.dat to %TEMP%\cookies\ep0x9nzrrvqxyqdapl55hbbougzxm7d3cmxvfhpxoea=.447001cea96717fe2e89.crypted000007
- from %TEMP%\adobe_admlogs\adobe_gde.log to %TEMP%\adobe_admlogs\3czdjzd5ovwzctm5jkpsvm+u8iely76jvy32uffu-tc=.447001cea96717fe2e89.crypted000007
- from %TEMP%\adobe_admlogs\adobe_adm.log to %TEMP%\adobe_admlogs\jrcakyz47dry-r7iuoh7yg+wkvdp7lq16uzl+amqrii=.447001cea96717fe2e89.crypted000007
- from %TEMP%\7f4987fb1a6e43d69e3e94b29eb75926\seed.txt to %TEMP%\7f4987fb1a6e43d69e3e94b29eb75926\cgdtrr4gsalsfizao+u+-a==.447001cea96717fe2e89.crypted000007
- from %TEMP%\7f4987fb1a6e43d69e3e94b29eb75926\downloader.log to %TEMP%\7f4987fb1a6e43d69e3e94b29eb75926\1lvtcdkyufzvtydeedej871xzhrsrdcbnkvwz8iztu0=.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\stdout.log to %TEMP%\2.9.0.1467 (partner)\tsahpv5nzplpkzfjyqyjg70whihlkg9z5ug+o9t5wjm=.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-3888-1.log to %TEMP%\2.9.0.1467 (partner)\ogkcicser5osxbxd0rwn10fc4wjk9-ldsayuiuepu5clui4+vov8kopoin6uktgphzcucftnyx3uvlzle7-3pq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-3884-1.log to %TEMP%\2.9.0.1467 (partner)\9ipxn+c1dvkox1dakel-twcncz-wfv249nnem02uwotfrkjfvonqf5fw1nwtkdsf8qbr37ruuo0gijowddzigw==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-3864-1.log to %TEMP%\2.9.0.1467 (partner)\7owgvyys0jz2czi1+apar4bx6rrgxae5qa5aszvt8sevzvs4nc8eckhsrqnxjigajasrt9a9it5yvqgemf14-w==.447001cea96717fe2e89.crypted000007
- from %TEMP%\opera installer\opera_installer_20150820123555.log to %TEMP%\opera installer\h-qfzx6+hs8vv2rhetyavzhv3gpkqgj8to2dfzpgdwj-jdjjrcfqvsebzc0s5ev5tjsgvd7pqwhkzr7gwhyiww6y1zduvlphei+ny3imsjs=.447001cea96717fe2e89.crypted000007
- from %TEMP%\opera installer\opera_installer_20150820123553.log to %TEMP%\opera installer\rpd+ljif9gq+3bkrdem1s42np2-felbe3kn+8ipacmhrfmp3haooehkqsistrsoachy13w74j+-d6rr7s25mazybq739fvggkv5gvqjab6c=.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-3852-1.log to %TEMP%\2.9.0.1467 (partner)\npidqlai3u9vmyb+ilsipmyxyewvgo9zx4ddyonm9iryng5rzstpfsootdohh6dijaygwkkb1lwxkz0h+xegba==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-3584-1.log to %TEMP%\2.9.0.1467 (partner)\ufkiv1dfqjhrdgy+6wzwohgwui7ol9bmdzwwkgzw-kkzvcgzvy-u37hitaxbxv88rpzwza2nkrvs8j-jq8bblg==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-348-1.log to %TEMP%\2.9.0.1467 (partner)\9aeaz0uupqnnjdrbccvjnyv5p-ubx3afzy7hq1rwglsryuodx+cw1dt1qsq3kcsziednkwgylzedqorupqpoxq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-3304-1.log to %TEMP%\2.9.0.1467 (partner)\krbdsmauneyfzx0nkv1irupx78fuidv+owpqngpnuuxchtvaelcujqrm9wf3cdlbupds0ey8rwcgzrc6dvbxqq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-2980-1.log to %TEMP%\2.9.0.1467 (partner)\istzxyjcge4hzmc8gjkfhe+npi5fpnbzrusqswrofdloqoivykfvefor4yzqxwl18hvyg7tmtptdyux2ewdnow==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-1128-1.log to %TEMP%\2.9.0.1467 (partner)\sw57ldjoniwdee-y9vk2akdmmiaypg4qwy1p8lxmqd0j95fdqhzg4vuf1cpicqholyeexxtfmx75szd8q1odoq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@2296-1056-1.log to %TEMP%\2.9.0.1467 (partner)\a3v0ulk-cztqrrr5z2g7qsthu0r7egxxg5gc3jhsgj+xbl0dsfjcyq6fxbn4oiekeblyqldlacmbknoboklnkg==.447001cea96717fe2e89.crypted000007
- from %TEMP%\wallpaper.bmp to %TEMP%\fudi5gmju0wlkzabm6u1wpwuy6tpy9ur53jj-x5z2sa=.447001cea96717fe2e89.crypted000007
- from %TEMP%\omni.ja_20150820130017.zip to %TEMP%\09psvxfcycvhc0cluzqy+zwnrl+shqqzw11qqelqbcsziqze03tooru+eaji6qcojpxeod4r+d-d4lz-kogspg==.447001cea96717fe2e89.crypted000007
- from %TEMP%\omni.ja_20150820125829.zip to %TEMP%\scxoqa0iiptjkflvv96bjhvfldayaj60uyadxadlbl60f6lgetygu+lqaxi4ypkuqt7z6hqntoeaebs2xk8gsq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150820_123340645.html to %TEMP%\-i7ygp88dnzd0rxqfhalngfl05sjmgor3eym7p8dyjryspy6htek3y7a2+lsmwerynkgtljk919zk07oy3nahkcu937n1r+rvlldmddb-hjem+fkezbvjkhsffy400zmkexdlkjlgf5gpldt+fjfhfo2z4n+zotrtnnexxhzin16ih2pu+w0dd3+h5...
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151215_221953317.html to %TEMP%\betjpnknh5q3c4+ficikxgj4lejc-guveb49isoqmkzvyzh04kafdurbyl5xnn-g2ggtk96jlkotyvnfw5lblnygm15gwsj0y7cefx8hiihz1gt0sxilwxda-c68i5q9yt3io251qhk6ls64b7osmrbormq-q2+ovrez0i4a-ro=.447001cea9671...
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-3792-1.log to %TEMP%\2.9.0.1467 (partner)\mq1uysqb9avndenrgkqucuebuebqf6mk1k81atfl+tvgx0gjcx6j0lqxmws6fefxyiywr9wxovprwud8b2crnq==.447001cea96717fe2e89.crypted000007
- from %TEMP%\2.9.0.1467 (partner)\msiexec.exe@3176-1704-1.log to %TEMP%\2.9.0.1467 (partner)\sfhiqd1kgaa00l8uywsvttziuqamiant8ovh8x9o57d3pdc13curh7dmfp-snkxtd4hcjn-k+xc3oxsfe2zijg==.447001cea96717fe2e89.crypted000007
- from %TEMP%\opera installer\opera_installer_20150820123618.log to %TEMP%\opera installer\mvw6ssr5kkuof-ou0ykyt8pv-zctui94a4hcc6fdvlgoyrzxpmzzyi32yl2cr82sbu7lcvriev48hqeaadl9y9xb+vkrnp5rfk+qfcwm+2o=.447001cea96717fe2e89.crypted000007
- from %TEMP%\opera installer\opera_installer_20160310145355.log to %TEMP%\opera installer\b56mi7lda51q-bpopfn3aulih4skrxmidesxdvg2wibuyuzqyoq1yfo0v9fl8iugw1hsmugjdttiw6+nuwjvmnyi0cz0ksyvhkpx8+foeea=.447001cea96717fe2e89.crypted000007
- from %TEMP%\opera installer\opera_installer_20160310145357.log to %TEMP%\opera installer\vuzqplzmowqbqvwqt+tt2n0ophzler9j62h63veyblaqnpwvffcrnkv5dsy1onw6gc4wjfjaeusi3ipmbj1kvp4amnuysakgymqounvoooa=.447001cea96717fe2e89.crypted000007
- from %TEMP%\6893a5~1\cached-certs.tmp to %TEMP%\6893a5~1\cached-certs
- from %TEMP%\6893a5~1\cached-microdesc-consensus.tmp to %TEMP%\6893a5~1\cached-microdesc-consensus
- from %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\1c[1].jpg to %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\s6hjomxi0hgnhkp08l5ufgcwltfsee8wnichkql135o=.447001cea96717fe2e89.crypted000007
- from %TEMP%\outlook logging\firstrun.log to %TEMP%\outlook logging\mrm8f1efokytfzucxmonutyvu6awdwspisfvuq3+51g=.447001cea96717fe2e89.crypted000007
- from %TEMP%\<INETFILES>\content.ie5\index.dat to %TEMP%\<INETFILES>\content.ie5\wfe+fbwyxrzrthayp22dbtkyyjavtt3k4rtmvfxamnc=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\winboot\wubildr.tar to %TEMP%\pyl1.tmp\winboot\bi4oynaqlss0ocx4ghc05oep78u1aimapbwcog-ztj4=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\user.bmp to %TEMP%\pyl1.tmp\data\images\ohcpq-lonaifddv2opbhpa==.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\votxm2yxs+knjz74tqzp2galsjeek-0knd+fjntba9keyodwwwkwplnctfwvqwk7.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\jbbajh8rwncmtygrzp4wly5oevf+jumhwnc2toxl+2vewaowuxmkf-vjcgbgtydk.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu studio-vertical.bmp to %TEMP%\pyl1.tmp\data\images\+kt5ojfqwnazjowbkgt1gvqz6thyphdcqac5-tnpd87+l-mp2w53fnvqpogrbj3fqwpsos01m5lkefy4bxcd5g==.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu studio-header.bmp to %TEMP%\pyl1.tmp\data\images\50iehiyvz66mein+azzvk3telou40tgt4aaayiqf4texb4c2whw9c8s4gsgqpdbf.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\preferences-desktop-locale.png to %TEMP%\pyl1.tmp\data\images\ztthvyjfdwpw-xlytgcgy72i+huhukl13rfh6ytvrwvqnoc2csvkmfa3x7ey6zn2yp9cv45fdwlmdum6e7cpag==.447001cea96717fe2e89.crypted000007
- from %TEMP%\6893a5~1\unverified-microdesc-consensus.tmp to %TEMP%\6893a5~1\unverified-microdesc-consensus
- from %TEMP%\pyl1.tmp\data\images\mythbuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\sxohneia-rbma6nnz3gdkvflzzyznae7ary2muli00wf50tfoq2wbgkg5znsrtah.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\qutlwfsoi2zh+hz1i3l2qro-6zhrva0uwllkiruuuxtv5gczd48-vdaki0l+fqq0.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\pnpvskcdgzw0frweoleal-dvxydfzutn5ncwtkb6ulwafc0w48fyrqlwngh+gcoe.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lock.bmp to %TEMP%\pyl1.tmp\data\images\u+nc2ermizduwvlk4q+-qa==.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\language.bmp to %TEMP%\pyl1.tmp\data\images\dq7s-svj5jc1u5cj5g-i96s7ejnxqwjq5zpjybuar-g=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\kubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\vdih+knfpan7yanee+es9kv+t5pljswx59ahde8de72wsg5wbclwihwxspmtzqeb.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\kubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\vcrrdgx7bf4ufbpmebkx9vtevhdynxysaryk9ixqy3-ny-cd1g7b5rezqq7rvnio.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\install.bmp to %TEMP%\pyl1.tmp\data\images\ot2kqvtveshcqzixnq11wqpflipnp0pqysomy-bcwnw=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\edubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\y2w0unqsv+v9kt05ebtrp6xz6jtaxtojd0+eurpfe2-acyra0vogjsaekegehvhq.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\edubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\pdx16qjokumanhvbnuqy4zhb07gkkclxzyzmnwmuopsqhk47qcf9ql4fvcuiko37.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\disksize.bmp to %TEMP%\pyl1.tmp\data\images\f-adipqw8d6tjjggs74vlsa0nz+lx4-ivclvizfosxq=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\desktop.bmp to %TEMP%\pyl1.tmp\data\images\ibns4hdj-qao19baegfegsvbxwjhq82ub9akoqtzbfq=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\isolist.ini to %TEMP%\pyl1.tmp\data\rjkk7dhkwnqgpegdtyln1cetrtcztmd5wq7nzlmkc7c=.447001cea96717fe2e89.crypted000007
- from %TEMP%\pyl1.tmp\data\images\mythbuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\vb8wzeg-rnclhowskoyf-b4rz94wgazxm8nhqktwruoz8tvglwh4jvjz3tns9too.447001cea96717fe2e89.crypted000007
- from %TEMP%\microsoft .net framework 4.5 setup_20150831_105942303.html to %TEMP%\ctzetjixyscpku2sfazwvcxwmtflxqfiqbnmqvt2s-+qhq28+g-eyluuttc2x+jbheni6gjofcl1twn8bclfy584spg5pxlluiutxfumvcmkrda9s7wx+afed1vpptsluzaqsjyc6lsoip2lcwhxai5dap8+rx524pmusxodtus=.447001cea9671...
- from %TEMP%\microsoft .net framework 4 setup_20150831_105924687.html to %TEMP%\whmzjyernpaqazhr5terw8ju9b5noxzmsgmm7cyqrhyt4qtnfqierrrbaljs3setf4lmhlqecdcfp8bs4jwvzol9gglxf4wqjdlofvovmccczr7yz5tzys-r2rbuf9pyy6k65eka490pg4gxguwocq==.447001cea96717fe2e89.crypted00000...
- from %APPDATA%\telegram desktop\unins000.dat to %APPDATA%\telegram desktop\lzi758+8hch0b5znxlbvfmwvlemksgduzenisyvonp8=.447001cea96717fe2e89.crypted000007
- from %TEMP%\microsoft .net framework 4 setup_20150820_122814726.html to %TEMP%\z2h+itq6j+aw5qluc1ftmkbje9n4yp8fksuiseuoo3rdue53bghqtey+hxyewvgl2gkdkvlba4ptudwlznz-uyvpvyttraz+rqozv+djdyk6udw5i4gdvcg6napalco7eczowxt4q03drxexbwal4w==.447001cea96717fe2e89.crypted00000...
- from %TEMP%\adobesfx.log to %TEMP%\rfvvcoafstn0zktfynhcmxffwpn0bvcia1-clc+xfnk=.447001cea96717fe2e89.crypted000007
- from %TEMP%\adobearm_notlocked.log to %TEMP%\xjyfqpdxnw-rerkawzlec-wrqfkjk+qdeev5puy6x0ojmyxk-dkyjue4rjx4riwb.447001cea96717fe2e89.crypted000007
- from %TEMP%\adobearm.log to %TEMP%\nvf+sr-egqg+sxnr1zovawkr9q1b6ervylc9wkgws9s=.447001cea96717fe2e89.crypted000007
- from %TEMP%\setupexe(2015121523093290).log to %TEMP%\x262krzjqrtm8oqwxy5jz2ftfswt0pmilavul6pp8a9cl6yqffebdxdyiuvwazzmxeqk4ymg4teto-2yrcgy7g==.447001cea96717fe2e89.crypted000007
- from %TEMP%\setupexe(20151215230521214).log to %TEMP%\pkvuffit3oxljyrtuar9fmh7jrpylcics5e8rjkgt5pfy8fab6wrmfsbhwfuo6dy0xjppcvq8eh24+30f0gbrw==.447001cea96717fe2e89.crypted000007
- from %TEMP%\setupexe(201511201342324e4).log to %TEMP%\llk5w4ucqdjnheugbwcpefftamnpw0tdl9iuxikqz-ykf3m8mi1wooi2mmhcjyy7c9yjyeso79p94jodt7ppgg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\winrar\version.dat to %APPDATA%\winrar\ro3olp2x42ow+whwqbficcbfxgwhdkabwsfjj3zi+ia=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\virtualfolders.dat to %APPDATA%\thunderbird\profiles\cr5sc40q.default\atux-tddfzzmvphpqarau1waqj5h9u5bnta+aetfrk3jcmw86svk11qxfr4g7foj.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\times.json to %APPDATA%\thunderbird\profiles\cr5sc40q.default\vt6upwk-px9olngrk-l-zutiljzjw+zhijkr93ivyh0=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\sessioncheckpoints.json to %APPDATA%\thunderbird\profiles\cr5sc40q.default\psg9xfr+8mku-lhjoovaazb9zstbpvpwxuxlkiotzkv-zv6ctgk-lssypicsvcbf.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\session.json to %APPDATA%\thunderbird\profiles\cr5sc40q.default\yrvc12byrjdzqnwfux5o3qucmz0fmdsmrxwqke+xerk=.447001cea96717fe2e89.crypted000007
- from %TEMP%\aspnetsetup.log to %TEMP%\yaq+cgeh1rrjutmvsosoz-jra7e+ntufxdn293msctw=.447001cea96717fe2e89.crypted000007
- from %TEMP%\uxeventlog.txt to %TEMP%\qgdihpho9w96vhcow7xvo+n7x+vpcoea1rsk4pyhi64=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\secmod.db to %APPDATA%\thunderbird\profiles\cr5sc40q.default\53uenymroghuwx4vxszesvgvtpgpjorlmdmpsdv4+iw=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\localstore.rdf to %APPDATA%\thunderbird\profiles\cr5sc40q.default\onkbh6mj6ny5v5bbvse86kme-gd3o4uvgcyro0gntd4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\key3.db to %APPDATA%\thunderbird\profiles\cr5sc40q.default\z9otgc+hwpnkayj5q16dxw==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\foldertree.json to %APPDATA%\thunderbird\profiles\cr5sc40q.default\12wt4rbwvvr1ggvnormp0ovfvgmyt0rvj4anscwurbo=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\extensions.json to %APPDATA%\thunderbird\profiles\cr5sc40q.default\2d24u1ln-wsjwq7y-dq+lccyqlgsk7ntwxpotnmoon4=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\extensions.ini to %APPDATA%\thunderbird\profiles\cr5sc40q.default\jv+qv5ybuuq2htm19xlb2skntezabpxikjsv-zwy-te=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\compatibility.ini to %APPDATA%\thunderbird\profiles\cr5sc40q.default\jzbjfhitdpdvfcponxjfvwxruv5ka0o9nwv-ozl+9on4cw7cic79a4qyztq1osuv.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\cert8.db to %APPDATA%\thunderbird\profiles\cr5sc40q.default\koixc740o+e07e2u2vs3yw==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\blocklist.xml to %APPDATA%\thunderbird\profiles\cr5sc40q.default\1+ph5nchzvvdoussyfp1dckagubh8htsi3g5f5r+-kq=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles.ini to %APPDATA%\thunderbird\1oceyrxfxh8+iws+8p9inim-redtz8smlrbpwrahxds=.447001cea96717fe2e89.crypted000007
- from %APPDATA%\telegram desktop\tdata\shortcuts-default.json to %APPDATA%\telegram desktop\tdata\jnp2iw7sfu1zpoc16iaga-dkljlo7ksegvxoxhlaynqbzdxuqfvenigfosgmzeuf.447001cea96717fe2e89.crypted000007
- from %APPDATA%\telegram desktop\tdata\shortcuts-custom.json to %APPDATA%\telegram desktop\tdata\dpr-jxtcpa75nxshbbw7dc-ieddqkjkzbilgxm6wjbluz1sm-fw-+zbvuckmdwky.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\prefs.js to %APPDATA%\thunderbird\profiles\cr5sc40q.default\vg5uzleyktzsotfnwpr1tq==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\thunderbird\profiles\cr5sc40q.default\mailviews.dat to %APPDATA%\thunderbird\profiles\cr5sc40q.default\8mlxtbyszmn-7apdktyosxxqzpayvao7suwnzzkagay=.447001cea96717fe2e89.crypted000007
- from %TEMP%\aspnetsetup_00000.log to %TEMP%\jap2d9jwjnqok-1votm7rflgp8thun2rkagwcg5jmbyqcqwb7tudbo+cbokknkku.447001cea96717fe2e89.crypted000007
- from %TEMP%\aucheck_parser.txt to %TEMP%\+upxbermexnfo0gpn18ftw29fs8yv4h0u789t9dmwr3zunjfnu+7hh8zc9wezsnm.447001cea96717fe2e89.crypted000007
- from %TEMP%\wubi-14.04-rev286.log to %TEMP%\ae5deq1lszaihyvhdxtoweu2zsdgg37t1w4fkdtjujcpxn2hcxewxptdwjsiet95.447001cea96717fe2e89.crypted000007
- from %TEMP%\jusched.log to %TEMP%\8tdc-l9ujrtpddh6a6etaprg9m9oxbrgacg9rsmbxjk=.447001cea96717fe2e89.crypted000007
- from %TEMP%\jawshtml.html to %TEMP%\ebfxlj7jrkkfdlzktkwjh7wstfquiavnet5xtaqiqj0=.447001cea96717fe2e89.crypted000007
- from %TEMP%\java_install_reg.log to %TEMP%\jekg9rglzun9c7rqvehm-vub8ued7up3xylfi9mk35+qk2kkesa3shbus6to5ekp.447001cea96717fe2e89.crypted000007
- from %TEMP%\java_install.log to %TEMP%\nmiupjq7yrldltm2gba+ql2elxc0sgguk22wkh0agam=.447001cea96717fe2e89.crypted000007
- from %TEMP%\javadeployreg.log to %TEMP%\vsipo6jhs8xcp3dyadzbjthu3jh3dhcrhcyr9ry9gf4bxgzkl75smicxrqbpfbwc.447001cea96717fe2e89.crypted000007
- from %TEMP%\jaureg.log to %TEMP%\n31dnetpjetgvz33w8a8fntow0z8usiabzjrodyehec=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dotnetfxsdk.log to %TEMP%\4gjlkl4tei5bgjtvu57oho7pdb2mxcgvt4u8+fcfop8=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dotnetfx.log to %TEMP%\y91wdeslthyhklllnzotcfby+2nbm00c+8r8nirvfis=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_xps.txt to %TEMP%\f8plq9uj-i2grprvdpwcgayixoiscpofbcjqreaerhg=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_wcf_retca4a2a.txt to %TEMP%\ncbtqfouwqyygid1cjbuyvvfuxz7jjym1xyzs-v+nkhqdtxadhcbpbjovn9qa4ld.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_vcredist_x86_20151215221751_001_vcruntimeadditional_x86.log to %TEMP%\vyxieo1g4nobgb4aw9u-svm5x-jz4zc3aka0l9qovyptsvqhkmkzw7myiy+n7tsdtla0vncem+uszehb27d5djdqkduu2ayftkmpimnqu7uv8bpsxjkgw3uohfdnstwgu2t5jcfa2ba92tnzwblveitybd5kswuvtaeimkx0oka=.447001cea9671...
- from %TEMP%\dd_vcredist_x86_20151215221751_000_vcruntimeminimum_x86.log to %TEMP%\kfhnjtzirinfjjlpuimgsa2ud+ysdmu5uwyr5iwkwfgaghqxizdfyky+oy2s-opvc70-gp8l-ejntfjmr7z1vy+ggbzko2wbpgbmvz1yuvcuistufba1cxh2noqjocgq4uomacwi28sjxukscsgzrlj1dkhlglwhhxa87x9sji8=.447001cea9671...
- from %TEMP%\microsoft .net framework 3.0-kb976570_20150831_175648373.html to %TEMP%\shprann3ado03dvsmffhaxetkwt4xaqtydhoutsiducllfoq3vgos4lb+a0i7lghpqbrv1evza61cdjkvat8sjtuk9m3hdhcwuerlldq-k-dtgaayxo0hcohmocq4rp53wht+lazwzkqadj5g3u14bjvy9wu9zudbbnim4na-nq=.447001cea9671...
- from %TEMP%\dd_vcredist_x86_20151215221751.log to %TEMP%\cyawckp7c7shx9y3wa8l5btbzxfkk1zzdxz4-yhuad4vdiz4lxfbmljg6c+ebxwpv0adupygx4jaqf-wuvsbjl3b2jkm7d9obcniieqwesq=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_net_framework30_setup7762.txt to %TEMP%\nr7ik2vheehwxla85lsujiyo9qoxry71xztp04hoaiek7pj7i8gpkars-hmpt1mhq83l9tqzhl2hol3wx8aqja==.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_net_framework20_setup74f9.txt to %TEMP%\cwgp1ihrgctilm-+k4gvd1yon7bijchvnymfdlga8ybafk0zm5p-agqsevy2nys9wvs2f+bmcfrvbbqxv6we4a==.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt to %TEMP%\vckmzoivpv-pe6f9grqup4pl1xuekfyagdcjl6ulh+m7p4syliz3zkvtaduqc82v5tpluerhd4on79bdygg63sytcj1maxw+aoxodxcs7mqprvdiuqse30yrz826h5y5fbb1zucbglhxyvipkhzlr5ydfj5niiddryi4po95z6k=.447001cea9671...
- from %TEMP%\dd_dotnetfx45_full_setup_decompression_log.txt to %TEMP%\6flikjrqmh1ooey0wwpjwuau5zppkbn-pkgm3czd5ioewa+smshujurunqt-1vctgfsizancxl6h5ecdji7ym2faxncp5vdiu7znj7ystkg0ykcbzf7kxov3mq6zvzpr.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_dotnetfx40_full_x86_x64_decompression_log.txt to %TEMP%\ateju2ihsgwztdglqglddlk5psfanhmt2429lmn5jtiqr2gefbwmj+v5cuwtyqrnclac396je1muitatovrqziyrpudqht05-b1+rkdbh-6rxhpuq7jkn-3nzet4orss.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_dotnetfx35install.txt to %TEMP%\yoqpzdnvard384iveyu8uonmb9rqiom7q70mfprxqjwm-5tnbb-rja6xla-atfke.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_dotnetfx35error.txt to %TEMP%\j0jpyfyiz3xdqrodhtjxrf60jbubxpo1m93rzsoktqpp1ngsiwe1wfrio88xyynx.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_dotnetfx20install.txt to %TEMP%\dcnzb1axyrjjuhaqbfkfg883ifluxus3yo24o4cq113ijkelt875ggg3xfz19eys.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_dotnetfx20error.txt to %TEMP%\opcflwzqavy62riccfddy119ndk6lrghslzug+4grcyijozn485t5ftz3ir76gax.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_depcheck_netfx_exp_35.txt to %TEMP%\2pta-lddkg4fpphyanxu0ubeuwleq+m8czksylxll350ki4z4hdzaxsd+kxmpbf1xzcrvtudwkcsyxp0rs7zgw==.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_depcheck_netfx20_exp_35.txt to %TEMP%\fh69picekvbul8fgp2ggv9sykxoerq9ouueyzlbcbl9y5hwfkyz3zh97jeo9kijl0fse2fgudcvmxf4e9sh6jw==.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_clwireg.txt to %TEMP%\ucjzzxgwmx6ddsge51lrx6ocfpolpcy3j5zraiynfyw=.447001cea96717fe2e89.crypted000007
- from %TEMP%\dd_net_framework35_msi77c4.txt to %TEMP%\n11v60ajdprp4zf8wmk1dw7gjukajupy1fyauqgqm2ax+71a7+wekmwgro6pznslzzedbp8ug8w+go5blfaarg==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\telegram desktop\log.txt to %APPDATA%\telegram desktop\rbymhzcjtq0dtp1xkkrnrw==.447001cea96717fe2e89.crypted000007
- from %APPDATA%\icqm\icq\smiles\statuses\set01\status_34.bmp to %APPDATA%\icqm\icq\smiles\statuses\set01\euryhspsgeksihs--tdlgcfsr3xme6s+yy8b0pupgdg=.447001cea96717fe2e89.crypted000007
Substitutes the following files
- %TEMP%\6893a5~1\state.tmp
- %TEMP%\6893a5~1\state
Deletes itself.
Modifies user data files (Trojan.Encoder).
Network activity
Connects to
- 'localhost':1039
- '86.#9.21.38':443
- '17#.#5.193.9':80
- '21#.#82.196.70':443
- '19#.#89.96.147':443
- '94.##.150.81':443
- 'localhost':56646
TCP
HTTP GET requests
- http://ka###viehdit.tk/wp-includes/ID3/1c.jpg
UDP
- DNS ASK ka###viehdit.tk
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c %TEMP%\radE0614.tmp' (with hidden window)
- '<SYSTEM32>\cmd.exe' ' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c %TEMP%\radE0614.tmp
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\chcp.com'
