Worm.Win32.AutoItGen_2a11896020

by malwarelabrobot on October 2nd, 2017 in Malware Descriptions.

Trojan.Win32.Autoit.abljc (Kaspersky), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 2a11896020fa4303955f05b54cb64741
SHA1: dc865766bba1c50757ed3edf818a3dd53e8adc1a
SHA256: 62f061574dba6b512fa22b818c24b11d4c579cbbd23a411a50673d4c600e94fc
SSDeep: 49152:tgGRQGHRa1S9TVY94THr2hpvosWW 1tPTmNeQn1A x7xmUdnYcwstc568Cz0ziDx:3eEYUs0X1tPTGeom0O568Cz0mCK
Size: 3532433 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Xacti, LLC
Created at: 2016-07-25 03:55:47
Analyzed on: Windows7 SP1 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

evb30D8.tmp:600
evb16A5.tmp:4092
evb1FF2.tmp:3916
evbD39D.tmp:3016
evb2D99.tmp:1004
evbFE9.tmp:996
evbE9A7.tmp:892
evb2526.tmp:1776
evb14EE.tmp:896
evbE32.tmp:3620
evbE134.tmp:3856
evb26DD.tmp:2924
evbCEB7.tmp:3360
evbC298.tmp:3816
evbC983.tmp:3200
evb7CEA.tmp:2848
evb5B35.tmp:3472
evbE7F0.tmp:3680
evbC5F6.tmp:2720
evbE492.tmp:3820
evb61F1.tmp:1996
evb6398.tmp:3828
evb3E40.tmp:2816
evb393B.tmp:3692
evbDC00.tmp:3400
evb597E.tmp:2868
evbC0F1.tmp:2820
evbF239.tmp:3992
evb90D.tmp:3328
evb4374.tmp:1740
evb22C.tmp:3120
evbF3E0.tmp:3780
evb94.tmp:3044
evbFA9C.tmp:2280
evb327F.tmp:1772
setupQW.exe:2944
evb77CA.tmp:2580
evb33D.tmp:2588
evbFEED.tmp:4004
evbD6FB.tmp:912
evbF76A.tmp:288
evbFDFA.tmp:3800
evb4DBD.tmp:2896
evb35DD.tmp:1804
evbEEDB.tmp:3240
evbFFB1.tmp:2328
evbED24.tmp:3696
evb2884.tmp:2700
evb1E4B.tmp:3352
evbBA49.tmp:4016
evbE649.tmp:140
evbDDB7.tmp:3484
evbFC53.tmp:4044
evb4C06.tmp:3336
Helper.exe:2772
Helper.exe:3808
Helper.exe:4064
evb3FF7.tmp:3004
CL_Debug_Log.txt:2544
evb2A4A.tmp:2904
evbEB7D.tmp:2580
evb6530.tmp:2396
evb603A.tmp:3832
evbDA59.tmp:2800
evb5CEC.tmp:2572
evb57D7.tmp:2844
evbAD4.tmp:1404
evbBF3A.tmp:3704
evb1ABE.tmp:2676
evbF73E.tmp:2224
evb4A30.tmp:944
evb1347.tmp:3896
evbC44F.tmp:1412
evbF8F5.tmp:552
evb5620.tmp:3056
evbD05E.tmp:3184
evbCD00.tmp:100
evb757.tmp:2564
evbF091.tmp:2804
evbC7DB.tmp:1704
%original file name%.exe:1900
t.exe:2044
evbCB39.tmp:3460
evb3AE2.tmp:2160
evb4889.tmp:2616
evb2BF2.tmp:2080
start.exe:2920
evb1190.tmp:3576
evb3784.tmp:2532
evb41CD.tmp:2732
evbD544.tmp:1320
evb46E2.tmp:1388
evb184C.tmp:1028
evb3426.tmp:2948
evbD1F5.tmp:2964
evb52C2.tmp:2960
evb75E4.tmp:892
evb2F40.tmp:1848
evbC8B.tmp:3160
evbE2EB.tmp:3784
evbD8A2.tmp:2828
evb511B.tmp:3488
evb187.tmp:4004
evbDF8D.tmp:2560
evb21D7.tmp:880
evb1C75.tmp:1192
evb4E5.tmp:2184
evb452B.tmp:2724
evb5479.tmp:960
evb3C99.tmp:3704
evb237F.tmp:264
evbFD36.tmp:2328
evb4F64.tmp:3064
evbF597.tmp:4008
evb5E93.tmp:3792

The Worm injects its code into the following process(es):

Helper.exe:3644
Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe:1956

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process evb30D8.tmp:600 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30D8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F49.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30F8.tmp (0 bytes)

The process evb16A5.tmp:4092 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1525.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16A5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb14EE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16C5.tmp (0 bytes)

The process evb1FF2.tmp:3916 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E68.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2012.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E4B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1FF2.tmp (0 bytes)

The process evbD39D.tmp:3016 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD3BD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD1F5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD39D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD26B.tmp (0 bytes)

The process evb2D99.tmp:1004 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2BFF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2D99.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2BF2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2DB9.tmp (0 bytes)

The process evbFE9.tmp:996 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1009.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE32.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE61.tmp (0 bytes)

The process evbE9A7.tmp:892 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9D6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE7F0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE84B.tmp (0 bytes)

The process evb2526.tmp:1776 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2396.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2546.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2526.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb237F.tmp (0 bytes)

The process evb14EE.tmp:896 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb150E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1347.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1370.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb14EE.tmp (0 bytes)

The process evbE32.tmp:3620 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE32.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCBC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC8B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE52.tmp (0 bytes)

The process evbE134.tmp:3856 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE154.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDF8D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE134.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDFF2.tmp (0 bytes)

The process evb26DD.tmp:2924 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb253B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26DD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26FD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2526.tmp (0 bytes)

The process evbCEB7.tmp:3360 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD00.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCED7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD7B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCEB7.tmp (0 bytes)

The process evbC298.tmp:3816 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC298.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC17A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC2B8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC0F1.tmp (0 bytes)

The process evbC983.tmp:3200 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC9A3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC85D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC983.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7DB.tmp (0 bytes)

The process evb7CEA.tmp:2848 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77AE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77CA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7CEA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7D29.tmp (0 bytes)

The process evb5B35.tmp:3472 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B35.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5965.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb597E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B55.tmp (0 bytes)

The process evbE7F0.tmp:3680 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE649.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE6A6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE7F0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE810.tmp (0 bytes)

The process evbC5F6.tmp:2720 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC4D4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC5F6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC616.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC44F.tmp (0 bytes)

The process evbE492.tmp:3820 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE34C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE2EB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE492.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE4B2.tmp (0 bytes)

The process evb61F1.tmp:1996 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6211.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb61F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb603A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6009.tmp (0 bytes)

The process evb6398.tmp:3828 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb61F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb61BE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6398.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb63B8.tmp (0 bytes)

The process evb3E40.tmp:2816 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3C92.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3C99.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E60.tmp (0 bytes)

The process evb393B.tmp:3692 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3783.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3784.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb395B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb393B.tmp (0 bytes)

The process evbDC00.tmp:3400 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC00.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDAC4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC20.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA59.tmp (0 bytes)

The process evb597E.tmp:2868 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57D7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb59AE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb597E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57B0.tmp (0 bytes)

The process evbC0F1.tmp:2820 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBFC5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF3A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC111.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC0F1.tmp (0 bytes)

The process evbF239.tmp:3992 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF091.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF0E3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF239.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF259.tmp (0 bytes)

The process evb90D.tmp:3328 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb79E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb90D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb757.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb93D.tmp (0 bytes)

The process evb4374.tmp:1740 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41C0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4394.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4374.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41CD.tmp (0 bytes)

The process evb22C.tmp:3120 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb24C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb94.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb22C.tmp (0 bytes)

The process evbF3E0.tmp:3780 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF288.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF3E0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF239.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF400.tmp (0 bytes)

The process evb94.tmp:3044 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFEA8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFEED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbB4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb94.tmp (0 bytes)

The process evbFA9C.tmp:2280 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF93C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA9C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF8F5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFABC.tmp (0 bytes)

The process evb327F.tmp:1772 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30D8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb329F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30DF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb327F.tmp (0 bytes)

The process setupQW.exe:2944 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Widget 1.2\Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe (14857 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_normal.png (2 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_normal.png (2 bytes)
%Program Files%\Widget 1.2\lang\en-US.xml (61 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_pressed.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_hover.png (480 bytes)
%Program Files%\Widget 1.2\Uninstall.exe (3740 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_pressed.png (362 bytes)
%Program Files%\Widget 1.2\Gadget.Xml (2 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_pressed.png (6 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_pressed.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_normal.png (1 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_normal.png (1 bytes)
%Program Files%\Widget 1.2\Uninstall.ini (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_normal.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (674 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_hover.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_pressed.png (3 bytes)
%Program Files%\Widget 1.2\lang\de-De.xml (1 bytes)
%Program Files%\Widget 1.2\images\gadget_bg.png (24 bytes)
%Program Files%\Widget 1.2\TrayIcon.ico (1641 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)

The process evb77CA.tmp:2580 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb75BB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77CA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77F9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb75E4.tmp (0 bytes)

The process evb33D.tmp:2588 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb33D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1D4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb187.tmp (0 bytes)

The process evbFEED.tmp:4004 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFEED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD36.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFF0D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFCF4.tmp (0 bytes)

The process evbD6FB.tmp:912 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD544.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD5B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD71B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD6FB.tmp (0 bytes)

The process evbF76A.tmp:288 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF739.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA68.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF797.tmp (0 bytes)

The process evbFDFA.tmp:3800 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE1A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC96.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC53.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFDFA.tmp (0 bytes)

The process evb4DBD.tmp:2896 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DDD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C06.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4BED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DBD.tmp (0 bytes)

The process evb35DD.tmp:1804 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35DD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35FD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3426.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3429.tmp (0 bytes)

The process evbEEDB.tmp:3240 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEDB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED24.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEFB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED79.tmp (0 bytes)

The process evbFFB1.tmp:2328 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFD1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE3B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFDFA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFB1.tmp (0 bytes)

The process evbED24.tmp:3696 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEBD4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED44.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB7D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED24.tmp (0 bytes)

The process evb2884.tmp:2700 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26DD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb28A4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2884.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26F0.tmp (0 bytes)

The process evb1E4B.tmp:3352 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C75.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E4B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E6B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1CD2.tmp (0 bytes)

The process evbBA49.tmp:4016 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb8FC0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7CEA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBA49.tmp (0 bytes)

The process evbE649.tmp:140 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE4F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE649.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE669.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE492.tmp (0 bytes)

The process evbDDB7.tmp:3484 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC69.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDB7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC00.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDD7.tmp (0 bytes)

The process evbFC53.tmp:4044 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFAE1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA9C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC53.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC73.tmp (0 bytes)

The process evb4C06.tmp:3336 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A30.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C06.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A29.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C26.tmp (0 bytes)

The process Helper.exe:2772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\system.ini (0 bytes)

The process Helper.exe:3644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB9D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb150E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7CEA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE810.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC111.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30F8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD1F5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1927.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4889.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2546.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5E93.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3784.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDF8D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb656F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb59AE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb46E2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5499.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF75E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb505.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6398.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFABC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC44F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE649.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb757.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB39.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb239F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED24.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC983.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF239.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30D8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21F8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52E2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF400.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC00.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAD4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C95.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2526.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21D7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1190.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC8B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16A5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5D0C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb14EE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC298.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8A2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1347.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2884.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE1A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC73.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD6FB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEDB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57F7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4E5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE2EB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA79.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb605A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF259.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb511B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35DD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb93D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD216.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5640.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED44.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDFAD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7604.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD544.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3C99.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb48A9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C75.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD56.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD39D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCED7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF915.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1009.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE52.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD20.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B35.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE669.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC9A3.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEFB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb327F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F84.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE154.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7D29.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCAB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb184C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16C5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41CD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF73E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb187.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbB4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2012.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF8F5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF76A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1367.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF0B2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4394.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb395B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC2B8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3B02.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD00.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC5F6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF5A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3CB9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb11B0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE4B2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E6B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC46F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77CA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E40.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFDFA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE30B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ADE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb786.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3FF7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb90D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCEB7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE32.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A4A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5EB3.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2D99.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb61F1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6211.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52C2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3446.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35FD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb393B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57D7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb94.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDB7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7DB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ABE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb597E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7FC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb452B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF597.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb37A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A6B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4702.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD71B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA59.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3426.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb237F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26DD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C06.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAF4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2BF2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC20.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF5B7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5479.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFD1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26FD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE134.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E4B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1FF2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb603A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFB1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF3A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DDD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBA49.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DBD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb24C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA9C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC0F1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb33D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77F9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD3BD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE492.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6530.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB5A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8C2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb454B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3AE2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFF0D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5620.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC53.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb28A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC616.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD07E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE7F0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2C12.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD564.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFEED.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb329F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb75E4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF091.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB7D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA68.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD05E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CEC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F40.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD36.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF3E0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb63B8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb513B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDD7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A30.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B55.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F64.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4017.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1B6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4374.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb22C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C26.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9D6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41ED.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2DB9.tmp (5 bytes)

The process Helper.exe:3808 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF76A.tmp (0 bytes)

The process Helper.exe:4064 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF76A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBA49.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF16F.tmp (0 bytes)

The process evb3FF7.tmp:3004 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4017.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3FF7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E47.tmp (0 bytes)

The process CL_Debug_Log.txt:2544 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\32.exe (2284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SystemCheck.xml (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\start.bat (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\start2.bat (281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\64.exe (3341 bytes)

The process evb2A4A.tmp:2904 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2895.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A4A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2884.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A6B.tmp (0 bytes)

The process evbEB7D.tmp:2580 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEA10.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB7D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB9D.tmp (0 bytes)

The process evb6530.tmp:2396 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6530.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb656F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6363.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6398.tmp (0 bytes)

The process evb603A.tmp:3832 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5E64.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5E93.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb605A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb603A.tmp (0 bytes)

The process evbDA59.tmp:2800 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8A2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA79.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD92E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA59.tmp (0 bytes)

The process evb5CEC.tmp:2572 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CEC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B35.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5D0C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B1A.tmp (0 bytes)

The process evb57D7.tmp:2844 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57D7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb55FB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5620.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57F7.tmp (0 bytes)

The process evbAD4.tmp:1404 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb90D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb952.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAF4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAD4.tmp (0 bytes)

The process evbBF3A.tmp:3704 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF3A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF5A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBCE8.tmp (0 bytes)

The process evb1ABE.tmp:2676 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb184C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb193A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ADE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ABE.tmp (0 bytes)

The process evbF73E.tmp:2224 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF75E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF5E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF597.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF73E.tmp (0 bytes)

The process evb4A30.tmp:944 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A30.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4874.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4889.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A60.tmp (0 bytes)

The process evb1347.tmp:3896 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1367.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1347.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1190.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb11BB.tmp (0 bytes)

The process evbC44F.tmp:1412 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC298.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC46F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC44F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC31F.tmp (0 bytes)

The process evbF8F5.tmp:552 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF915.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF73E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF787.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF8F5.tmp (0 bytes)

The process evb5620.tmp:3056 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5640.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5466.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5620.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5479.tmp (0 bytes)

The process evbD05E.tmp:3184 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD07E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCEB7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD05E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCF30.tmp (0 bytes)

The process evbCD00.tmp:100 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD00.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB39.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCBB7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD20.tmp (0 bytes)

The process evb757.tmp:2564 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb786.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb757.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4E5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CA.tmp (0 bytes)

The process evbF091.tmp:2804 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEDB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF091.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF0B2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEF2E.tmp (0 bytes)

The process evbC7DB.tmp:1704 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC6B8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7FC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC5F6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7DB.tmp (0 bytes)

The process %original file name%.exe:1900 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\t.exe (98962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A2.tmp (112956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A3.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\setupQW.exe (18372 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7992.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A3.tmp\System.dll (0 bytes)

The process t.exe:2044 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4A.tmp (101174 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\start.exe (34072 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\asacpiex.dll (68799 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7D3A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4B.tmp\System.dll (0 bytes)

The process evbCB39.tmp:3460 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCA02.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC983.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB39.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB5A.tmp (0 bytes)

The process evb3AE2.tmp:2160 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3B02.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3938.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3AE2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb393B.tmp (0 bytes)

The process evb4889.tmp:2616 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb46E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb46CF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb48A9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4889.tmp (0 bytes)

The process evb2BF2.tmp:2080 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2C12.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2BF2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A5A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A4A.tmp (0 bytes)

The process start.exe:2920 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\start.bat (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8120.tmp (2569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CL_Debug_Log.txt (1711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_Debug_Log.txt (2 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8120.tmp (0 bytes)

The process evb1190.tmp:3576 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb11B0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1016.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1190.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE9.tmp (0 bytes)

The process evb3784.tmp:2532 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35DD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35DE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3784.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb37A4.tmp (0 bytes)

The process evb41CD.tmp:2732 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41ED.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41CD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3FF7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3FEC.tmp (0 bytes)

The process evbD544.tmp:1320 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD544.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD410.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD39D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD564.tmp (0 bytes)

The process evb46E2.tmp:1388 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb452B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb46E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb452A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4702.tmp (0 bytes)

The process evb184C.tmp:1028 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb184C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16A5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16CA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1927.tmp (0 bytes)

The process evb3426.tmp:2948 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3446.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb327F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3426.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3284.tmp (0 bytes)

The process evbD1F5.tmp:2964 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD1F5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD0D5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD05E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD216.tmp (0 bytes)

The process evb52C2.tmp:2960 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb50FC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52C2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb511B.tmp (0 bytes)

The process evb75E4.tmp:892 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6530.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7604.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb692D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb75E4.tmp (0 bytes)

The process evb2F40.tmp:1848 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2D99.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2DA4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F60.tmp (0 bytes)

The process evbC8B.tmp:3160 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbB07.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC8B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAD4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCAB.tmp (0 bytes)

The process evbE2EB.tmp:3784 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE197.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE134.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE2EB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE30B.tmp (0 bytes)

The process evbD8A2.tmp:2828 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8A2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD76A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD6FB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8C2.tmp (0 bytes)

The process evb511B.tmp:3488 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb513B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F64.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F57.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb511B.tmp (0 bytes)

The process evb187.tmp:4004 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1B6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFB1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb187.tmp (0 bytes)

The process evbDF8D.tmp:2560 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDB7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDE2E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDF8D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDFAD.tmp (0 bytes)

The process evb21D7.tmp:880 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb201D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21D7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1FF2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21F8.tmp (0 bytes)

The process evb1C75.tmp:1192 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C75.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C95.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ADF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ABE.tmp (0 bytes)

The process evb4E5.tmp:2184 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4E5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb505.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb379.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb33D.tmp (0 bytes)

The process evb452B.tmp:2724 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb452B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4374.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4375.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb454B.tmp (0 bytes)

The process evb5479.tmp:960 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5499.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52C2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52B1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5479.tmp (0 bytes)

The process evb3C99.tmp:3704 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3C99.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3ADD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3AE2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3CB9.tmp (0 bytes)

The process evb237F.tmp:264 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb239F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21D7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb237F.tmp (0 bytes)

The process evbFD36.tmp:2328 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFB2F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD36.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD56.tmp (0 bytes)

The process evb4F64.tmp:3064 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F84.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F64.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DA2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DBD.tmp (0 bytes)

The process evbF597.tmp:4008 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF3E0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF597.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF42D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF5B7.tmp (0 bytes)

The process evb5E93.tmp:3792 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CBF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CEC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5E93.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5EB3.tmp (0 bytes)

Registry activity

The process setupQW.exe:2944 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Widget 1.2 1.2]
"InstallSource" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Widget 1.2 1.2]
"DisplayIcon" = "%Program Files%\Widget 1.2\Uninstall.exe"
"Publisher" = "Aqtepq"
"Language" = "1049"
"EstimatedSize" = "1061"
"InstallLocation" = "%Program Files%\Widget 1.2\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WidjetPro]
"Widget 1.2" = "Widget 1.2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Widget 1.2 1.2]
"InstallDate" = "20171001"
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Widget 1.2 1.2]
"VersionMinor" = "2"
"UninstallString" = "%Program Files%\Widget 1.2\Uninstall.exe"
"DisplayVersion" = "1.2"
"VersionMajor" = "1"
"DisplayName" = "Widget 1.2 1.2"
"NoRepair" = "1"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:1900 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

The process t.exe:2044 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

The process Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe:1956 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Ashampoo\Ashampoo Gadge It\Ãâ€™ÃÂ¸ÃÂ´ÃÂ¶ÃÂµÃ‘â€š]
"InStartup" = "True"
"AlwaysOnTop" = "True"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe"

[HKCU\Software\Ashampoo\Ashampoo Gadge It\Ãâ€™ÃÂ¸ÃÂ´ÃÂ¶ÃÂµÃ‘â€š]
"Culture" = "en-US"
"Top" = "4"

"Left" = "1112"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Ashampoo\Ashampoo Gadge It\Ãâ€™ÃÂ¸ÃÂ´ÃÂ¶ÃÂµÃ‘â€š]
"FirstStart" = "True"
"NoSound" = "False"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ãâ€™ÃÂ¸ÃÂ´ÃÂ¶ÃÂµÃ‘â€š" = "%Program Files%\Widget 1.2\Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe"

The Worm deletes the following value(s) in system registry:

Dropped PE files

MD5	File path
5fd1c5913efc5aa72eb25d9393e42154	c:\Program Files\Widget 1.2\Uninstall.exe
7ec2dc7b1f8f981bda11868fd9493234	c:\Program Files\Widget 1.2\Ã‚Ã¨Ã¤Ã¦Ã¥Ã².exe
75170ad2241322535bdecfb593a36005	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6530.tmp
1547e328a2a31bbbd0872f0bf4d43be3	c:\Users\"%CurrentUserName%"\AppData\Roaming\1337\setupQW.exe
d5676405cdffddde484c5ad18ee4c6db	c:\Users\"%CurrentUserName%"\AppData\Roaming\1337\start.exe
dc084bb973bcd8848055834f9e338d84	c:\Users\"%CurrentUserName%"\AppData\Roaming\1337\t.exe
c7469faebcffe26ab31ab1969c2542fe	c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Helper.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.0.0.0
File Description: description
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	24005	24064	4.48543	566b191b40fde4369ae73a05b57df1d2
.rdata	28672	4678	5120	3.46601	6389f916226544852e494114faf192ad
.data	36864	108568	1024	3.61864	72dcd89e8824ae186467be61797ed81e
.ndata	147456	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	180224	17496	17920	3.78365	e25321868725faf414cd7f22c8356252

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
f4531e0297cc6c977114255f443dc2c7
dc084bb973bcd8848055834f9e338d84
cfb43a3a01053dba33367b16a198d824
ef9c75dacd44f0be1fa9aa211de3ce63
b70475753ba0741d1524be2f36a928fa

URLs

URL	IP
hxxp://ezstat.ru/1SbdV6	88.99.66.31

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /1SbdV6 HTTP/1.1

Connection: Keep-Alive

Content-Type: text/plain; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ezstat.ru


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 30 Sep 2017 22:48:00 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: PHPSESSID=2cmr9dkhaal6f2d6uua58l4hn3; path=/; HttpOnly

Pragma: no-cache

Set-Cookie: clhf03028ja=194.242.96.218; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=372236511; path=/

Cache-Control: max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

X-Frame-Options: SAMEORIGIN

74...PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....p
HYs.......... ......IDAT..c`.......qd.....IEND.B`...0..

The Worm connects to the servers at the folowing location(s):

taskeng.exe_2512:

.text

`.data

.rsrc

@.reloc

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-ThreadPool-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

ole32.dll

OLEAUT32.dll

RPCRT4.dll

KERNEL32.dll

.TBvf

d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp

Session::ChannelMsgReceived

d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp

StopJobMsg

StartJobMsg

ClientPipeName

Invalid parameter passed to C runtime function.

d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp

TaskScheduler.log

j%Xf;

d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

ADVAPI32.dll

SHELL32.dll

SHLWAPI.dll

SspiCli.dll

XmlLite.dll

MPR.dll

RegOpenKeyTransactedW

RegCloseKey

RegOpenKeyExW

RegNotifyChangeKeyValue

RegCreateKeyExW

FindExecutableW

MsgWaitForMultipleObjects

EnumThreadWindows

EnumWindows

GetProcessWindowStation

_wcmdln

_amsg_exit

GetProcessHeap

SetProcessShutdownParameters

TaskEng.pdb

version="5.1.0.0"

name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"

<requestedExecutionLevel

8 8$8(878

3=4Z4w4

=!=(=0=4=?=>>

5 5U5_5

5b6u6

-131J1X1o1}1

=$=<=\=|=

Password

hXXp://schemas.microsoft.com/windows/2004/02/mit/task

Mieframe.dll

%SystemRoot%\SYSTEM32\cmd.exe

%SystemRoot%\System32\Tasks

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake

WindowSeconds

InitializeCmdlineProcessing()

pCrimson provider registration failed for taskeng, hr=0x%x

CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]

InteractiveTokenOrPassword

Murl

%d.%d

%s, (%d)

hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout

hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate

hXXp://schemas.microsoft.com/cdo/configuration/sendusing

hXXp://schemas.microsoft.com/cdo/configuration/smtpserver

201ef99a-7fa0-444c-9399-19ba84f12a1a

C:\Windows\SYSTEM32\cmd.exe

6.1.7601.17514 (win7sp1_rtm.101119-1850)

taskeng.exe

Windows

Operating System

6.1.7601.17514

Helper.exe_3644:

.text

`.rdata

@.data

.rsrc

@.reloc

B.enigma1

.enigma2

j.Yf;

r%f;M

j.Xf;

j.Zf;

PSSSSSSh

Gt.Ht$

@Ew.AEw

Bv.TBv

Bv.SCv

kernel32.dll

?#%X.y

GetProcessWindowStation

operator

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

(V%dSS%

n..GGHHH

n...GGHHH

n ....HGHHHH

n  ....G.HHH

~~~~{~{{{{

n!! ....HGHHHH

n!!  .....HHHHHH

!!!  ....GGHHH

!!"".....HHHHnv

"""...-.nv

x.Zgu

_C.PV

GQ.ww

Px%4X

.WqmR"

9z.jg6a

V{fDKre.KNJ2

!X.sN

6.oQ_

'%cSG

.M E.nSH

\%Xjg

u4#:.pZ

6A:.jv

.iD%5

g.DU}m

/^ .vt

Z".Yild

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

;$;*;0;6;<;|;

=#=(=-=2=7===

3.44484<4@4

3&323^3|3

9 9$9(9,9?9

?#?'? ?/?3?7?;???

4"4&4*4.424

7)868=8=:

= =$=(=,=0=4=8=

0 0$0(0,00040

3"3(313]3

1!1%1)1-1115191=1

< <*<4<{<

<$=4=8=<=

3 3(30383@3

.idata

.edata

P.reloc

P.rsrc

HL%fQ

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

!"#$%&*;<=>@[]^_`{|}

Uh0%S

ZwOpenKey

ZwEnumerateValueKey

ZwQueryKey

ZwQueryValueKey

ZwCreateKey

ZwEnumerateKey

ZwSetValueKey

ZwDeleteKey

ZwDeleteValueKey

ZwFlushKey

ZwLoadKey

ZwLoadKey2

ZwNotifyChangeKey

ZwQueryMultipleValueKey

ZwReplaceKey

ZwRestoreKey

ZwSaveKey

ZwSetInformationKey

ZwUnloadKey

ZwOpenKeyEx

ntdll.dll

ZwQuerySection, Unsupported class %d

KeySetValue unsupported value type

ZwQueryValueKey, unsupported class %d

ZwQueryKey, unsupported class %d

ZwQueryObject with unsupported class

WARNING ZwReadFileInformation with unsupported class

ZwSetInformationFile with unsupported class

sxs.dll

THookWindowsAPI

Cannot find function %s in library %s

Cannot find function ordinal %d in library %s

.section

user32.dll

GetKeyboardType

RegOpenKeyExA

RegOpenKeyA

GetWindowsDirectoryA

RtlFormatCurrentUserKeyPath

SHFolder.dll

shlwapi.dll

loaderx86.dll

KWindows

TntWindows

UrlMon

virtualboximportunit

2 2$2(2,2|2

6 6$6(6<6

8#8'8 8/83878;8?8:9`9

9"9&9*9.9

9'9/9<9_9}9

@ÞDaD

/AutoIt3ExecuteScript

/AutoIt3ExecuteLine

CMDLINE

CMDLINERAW

>>>AUTOIT NO CMDEXECUTE<<<

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MAPKEYS

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDownDelay

SendKeyDelay

TCPTimeout

mscoree.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

789:;<=>?

APPSKEY

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

KEYS

\\?\UNC\

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 14, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Helper.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

ÞFAULT FOLDER%

Cheking.exe

%SYSTEM FOLDER%

%WINDOWS FOLDER%

%Cookies FOLDER%

hh.exe

write.exe

attrib.exe

chkdsk.exe

compact.exe

find.exe

help.exe

winver.exe

regsvr32.exe

replace.exe

dllhost.exe

ntvdm.exe

tcpsvcs.exe

Was not able to create virtual value at ImportCall_ZwSetValueKey

Was not able to create virtual key at ImportCall_ZwSetValueKey

ImportCall_ZwLoadKey

ImportCall_ZwLoadKey2

ImportCall_ZwNotifyChangeKey

ImportCall_ZwQueryMultipleValueKey

ImportCall_ZwReplaceKey

ImportCall_ZwRestoreKey

ImportCall_ZwSaveKey

ImportCall_ZwSetInformationKey

ImportCall_ZwUnloadKey

evb*.tmp

.manifest

Unsupported call of ZwSetVolumeInformationFile

<>:"/\|?*

7Dispatch methods do not support more than 64 parameters

Cannot assign a %s to a %s%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

%s.Seek not implemented$Operation not allowed on sorted list

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Helper.exe_3644_rwx_0051C000_00001000:

ÞFAULT FOLDER%

Cheking.exe

Helper.exe_3644_rwx_0054F000_00005000:

ntdll.dll

.section

kernel32.dll

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyA

GetWindowsDirectoryW

GetWindowsDirectoryA

GetCPInfo

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

evb30D8.tmp:600
evb16A5.tmp:4092
evb1FF2.tmp:3916
evbD39D.tmp:3016
evb2D99.tmp:1004
evbFE9.tmp:996
evbE9A7.tmp:892
evb2526.tmp:1776
evb14EE.tmp:896
evbE32.tmp:3620
evbE134.tmp:3856
evb26DD.tmp:2924
evbCEB7.tmp:3360
evbC298.tmp:3816
evbC983.tmp:3200
evb7CEA.tmp:2848
evb5B35.tmp:3472
evbE7F0.tmp:3680
evbC5F6.tmp:2720
evbE492.tmp:3820
evb61F1.tmp:1996
evb6398.tmp:3828
evb3E40.tmp:2816
evb393B.tmp:3692
evbDC00.tmp:3400
evb597E.tmp:2868
evbC0F1.tmp:2820
evbF239.tmp:3992
evb90D.tmp:3328
evb4374.tmp:1740
evb22C.tmp:3120
evbF3E0.tmp:3780
evb94.tmp:3044
evbFA9C.tmp:2280
evb327F.tmp:1772
setupQW.exe:2944
evb77CA.tmp:2580
evb33D.tmp:2588
evbFEED.tmp:4004
evbD6FB.tmp:912
evbF76A.tmp:288
evbFDFA.tmp:3800
evb4DBD.tmp:2896
evb35DD.tmp:1804
evbEEDB.tmp:3240
evbFFB1.tmp:2328
evbED24.tmp:3696
evb2884.tmp:2700
evb1E4B.tmp:3352
evbBA49.tmp:4016
evbE649.tmp:140
evbDDB7.tmp:3484
evbFC53.tmp:4044
evb4C06.tmp:3336
Helper.exe:2772
Helper.exe:3808
Helper.exe:4064
evb3FF7.tmp:3004
CL_Debug_Log.txt:2544
evb2A4A.tmp:2904
evbEB7D.tmp:2580
evb6530.tmp:2396
evb603A.tmp:3832
evbDA59.tmp:2800
evb5CEC.tmp:2572
evb57D7.tmp:2844
evbAD4.tmp:1404
evbBF3A.tmp:3704
evb1ABE.tmp:2676
evbF73E.tmp:2224
evb4A30.tmp:944
evb1347.tmp:3896
evbC44F.tmp:1412
evbF8F5.tmp:552
evb5620.tmp:3056
evbD05E.tmp:3184
evbCD00.tmp:100
evb757.tmp:2564
evbF091.tmp:2804
evbC7DB.tmp:1704
%original file name%.exe:1900
t.exe:2044
evbCB39.tmp:3460
evb3AE2.tmp:2160
evb4889.tmp:2616
evb2BF2.tmp:2080
start.exe:2920
evb1190.tmp:3576
evb3784.tmp:2532
evb41CD.tmp:2732
evbD544.tmp:1320
evb46E2.tmp:1388
evb184C.tmp:1028
evb3426.tmp:2948
evbD1F5.tmp:2964
evb52C2.tmp:2960
evb75E4.tmp:892
evb2F40.tmp:1848
evbC8B.tmp:3160
evbE2EB.tmp:3784
evbD8A2.tmp:2828
evb511B.tmp:3488
evb187.tmp:4004
evbDF8D.tmp:2560
evb21D7.tmp:880
evb1C75.tmp:1192
evb4E5.tmp:2184
evb452B.tmp:2724
evb5479.tmp:960
evb3C99.tmp:3704
evb237F.tmp:264
evbFD36.tmp:2328
evb4F64.tmp:3064
evbF597.tmp:4008
evb5E93.tmp:3792
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:

%Program Files%\Widget 1.2\Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe (14857 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_normal.png (2 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_normal.png (2 bytes)
%Program Files%\Widget 1.2\lang\en-US.xml (61 bytes)
%Program Files%\Widget 1.2\images\gadget_button_2_pressed.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_hover.png (480 bytes)
%Program Files%\Widget 1.2\Uninstall.exe (3740 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_pressed.png (362 bytes)
%Program Files%\Widget 1.2\Gadget.Xml (2 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_pressed.png (6 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_pressed.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_hover.png (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_3_normal.png (1 bytes)
%Program Files%\Widget 1.2\images\gadget_button_0_normal.png (1 bytes)
%Program Files%\Widget 1.2\Uninstall.ini (3 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_normal.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (674 bytes)
%Program Files%\Widget 1.2\images\gadget_button_1_hover.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
%Program Files%\Widget 1.2\images\gadget_button_4_pressed.png (3 bytes)
%Program Files%\Widget 1.2\lang\de-De.xml (1 bytes)
%Program Files%\Widget 1.2\images\gadget_bg.png (24 bytes)
%Program Files%\Widget 1.2\TrayIcon.ico (1641 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\system.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB9D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb150E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7CEA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE810.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC111.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30F8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD1F5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1927.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4889.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2546.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5E93.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3784.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDF8D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb656F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb59AE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb46E2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5499.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF75E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb505.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6398.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFABC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC44F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE649.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb757.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB39.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb239F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED24.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC983.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF239.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb30D8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21F8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52E2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF400.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC00.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAD4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C95.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2526.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb21D7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1190.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC8B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16A5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5D0C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb14EE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC298.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8A2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1347.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2884.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE1A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC73.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD6FB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEDB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57F7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4E5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE2EB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA79.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb605A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF259.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb511B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35DD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb93D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD216.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5640.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbED44.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDFAD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7604.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD544.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3C99.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb48A9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1C75.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD56.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD39D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCED7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF915.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1009.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE52.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD20.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B35.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE669.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC9A3.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEEFB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb327F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F84.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE154.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb7D29.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCAB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb184C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb16C5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41CD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF73E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb187.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbB4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2012.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF8F5.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF76A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1367.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF0B2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4394.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb395B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC2B8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3B02.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCD00.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC5F6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF5A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3CB9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb11B0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE4B2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E6B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC46F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77CA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E40.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFDFA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE30B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ADE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb786.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3FF7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb90D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCEB7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE32.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A4A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5EB3.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2D99.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb61F1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6211.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb52C2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3446.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb35FD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3E60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb393B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb57D7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb94.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDB7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7DB.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1ABE.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb597E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC7FC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb452B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF597.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb37A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F60.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2A6B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4702.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD71B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDA59.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3426.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb237F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26DD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C06.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbAF4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2BF2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDC20.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF5B7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5479.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFD1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb26FD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE134.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1E4B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1FF2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb603A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFFB1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBF3A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFE9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DDD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbBA49.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4DBD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb24C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA9C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9A7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC0F1.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb33D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb77F9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD3BD.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE492.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb6530.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbCB5A.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD8C2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb454B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb3AE2.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFF0D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5620.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFC53.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb28A4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbC616.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD07E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE7F0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2C12.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD564.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFEED.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb329F.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb75E4.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF091.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbEB7D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFA68.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbD05E.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5CEC.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2F40.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbFD36.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbF3E0.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb63B8.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb513B.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbDDD7.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4A30.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb5B55.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4F64.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4017.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb1B6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4374.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb22C.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb4C26.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evbE9D6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb41ED.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\evb2DB9.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\32.exe (2284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SystemCheck.xml (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\start.bat (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\start2.bat (281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\64.exe (3341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\t.exe (98962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A2.tmp (112956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh79A3.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\setupQW.exe (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4A.tmp (101174 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\start.exe (34072 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7D4B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1337\asacpiex.dll (68799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8120.tmp (2569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CL_Debug_Log.txt (1711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_Debug_Log.txt (2 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ãâ€™ÃÂ¸ÃÂ´ÃÂ¶ÃÂµÃ‘â€š" = "%Program Files%\Widget 1.2\Ãƒâ€šÃƒÂ¨ÃƒÂ¤ÃƒÂ¦ÃƒÂ¥ÃƒÂ².exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Worm.Win32.AutoItGen_2a11896020

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Worm.Win32.AutoItGen_2a11896020

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet