Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'mls' = '"%APPDATA%\RAC\mls.exe" -s'
Modifies file system
Creates the following files
- %TEMP%\35222819.tmp
- %TEMP%\rcx4cfe.tmp
- %TEMP%\rcx4d6c.tmp
- %TEMP%\rcx4e09.tmp
- %TEMP%\rcx4e58.tmp
- %TEMP%\rcx4ec7.tmp
- %TEMP%\rcx4f16.tmp
- %TEMP%\rcx4f84.tmp
- %TEMP%\rcx4fc4.tmp
- %TEMP%\1110022822.tmp
- %TEMP%\rcx5013.tmp
- %TEMP%\rcx5062.tmp
- %TEMP%\rcx50e0.tmp
- %TEMP%\rcx512f.tmp
- %TEMP%\rcx519d.tmp
- %TEMP%\rcx51ed.tmp
- %TEMP%\rcx523c.tmp
- %TEMP%\rcx527b.tmp
- %TEMP%\rcx52ca.tmp
- %TEMP%\rcx530a.tmp
- %TEMP%\rcx5359.tmp
- %TEMP%\rcx5398.tmp
- %TEMP%\2184822826.tmp
- %TEMP%\rcx53e8.tmp
- %TEMP%\rcx5427.tmp
- %TEMP%\rcx5495.tmp
- %TEMP%\rcx55df.tmp
- %TEMP%\rcx563d.tmp
- %TEMP%\rcx568c.tmp
- %TEMP%\rcx5739.tmp
- %TEMP%\rcx5788.tmp
- %TEMP%\3259722829.tmp
- %TEMP%\rcx57d8.tmp
- %TEMP%\rcx5817.tmp
- %TEMP%\rcx5876.tmp
- %TEMP%\rcx58b5.tmp
- %TEMP%\rcx5914.tmp
- %TEMP%\rcx5954.tmp
- %TEMP%\rcx59b2.tmp
- %TEMP%\rcx59e2.tmp
- %TEMP%\rcx5a31.tmp
- %TEMP%\rcx5a80.tmp
- %TEMP%\rcx5ad0.tmp
- %TEMP%\rcx5b0f.tmp
- %TEMP%\rcx5b6e.tmp
- %TEMP%\rcx5bbd.tmp
- %TEMP%\1057722832.tmp
- %TEMP%\rcx5c1c.tmp
- %TEMP%\rcx5c7a.tmp
- %TEMP%\rcx5cd9.tmp
- %TEMP%\rcx5d28.tmp
- %TEMP%\rcx5d87.tmp
- %TEMP%\rcx5dc7.tmp
- %TEMP%\rcx5e25.tmp
- %TEMP%\rcx5e74.tmp
- %TEMP%\rcx5ec4.tmp
- %TEMP%\rcx5f03.tmp
- %TEMP%\rcx5f71.tmp
- %TEMP%\rcx5fa1.tmp
- %TEMP%\2132622835.tmp
- %TEMP%\rcx6010.tmp
- %TEMP%\rcx604f.tmp
- %TEMP%\rcx609e.tmp
- %TEMP%\rcx610d.tmp
- %TEMP%\rcx617b.tmp
- %TEMP%\rcx61bb.tmp
- %TEMP%\rcx6239.tmp
- %TEMP%\rcx6278.tmp
- %TEMP%\rcx62d7.tmp
- %TEMP%\rcx6307.tmp
- %TEMP%\rcx6356.tmp
- %TEMP%\rcx63a5.tmp
- %TEMP%\3207422839.tmp
- %TEMP%\rcx6404.tmp
- %TEMP%\rcx6434.tmp
- %TEMP%\rcx6492.tmp
- %TEMP%\rcx64d2.tmp
- %TEMP%\rcx6521.tmp
- %TEMP%\rcx6551.tmp
- %TEMP%\rcx65b0.tmp
- %TEMP%\rcx65ff.tmp
- %TEMP%\rcx664e.tmp
- %TEMP%\rcx667e.tmp
- %TEMP%\rcx66dc.tmp
- %TEMP%\rcx670c.tmp
- %TEMP%\1005422842.tmp
- %TEMP%\rcx676b.tmp
- %TEMP%\rcx679b.tmp
- %TEMP%\3236723038.tmp
- %TEMP%\rcx525a.tmp
- %TEMP%\rcx52a9.tmp
- %TEMP%\rcx52f8.tmp
- %TEMP%\rcx5337.tmp
- %TEMP%\rcx5387.tmp
- %TEMP%\rcx53b6.tmp
- %TEMP%\rcx5415.tmp
- %TEMP%\rcx5455.tmp
- %TEMP%\rcx54a4.tmp
- %TEMP%\rcx54e3.tmp
- %TEMP%\rcx5532.tmp
- %TEMP%\rcx5572.tmp
- %TEMP%\1034723041.tmp
- %TEMP%\rcx55d1.tmp
- %TEMP%\rcx5610.tmp
- %TEMP%\rcx565f.tmp
- %TEMP%\rcx568f.tmp
- %TEMP%\rcx56de.tmp
- %TEMP%\rcx570e.tmp
- %TEMP%\rcx574e.tmp
- %TEMP%\rcx578d.tmp
- %TEMP%\rcx57ec.tmp
- %TEMP%\rcx581c.tmp
- %TEMP%\rcx587b.tmp
- %TEMP%\rcx58aa.tmp
- %TEMP%\rcx58fa.tmp
- %TEMP%\rcx5929.tmp
- %TEMP%\rcx5979.tmp
- %TEMP%\rcx59b8.tmp
- %TEMP%\2109623044.tmp
- %TEMP%\rcx5a17.tmp
- %TEMP%\rcx5a56.tmp
- %TEMP%\rcx5aa5.tmp
- %TEMP%\rcx5ad5.tmp
- %TEMP%\rcx5b34.tmp
- %TEMP%\rcx5b74.tmp
- %TEMP%\rcx5bc3.tmp
- %TEMP%\rcx5c02.tmp
- %TEMP%\rcx5c71.tmp
- %TEMP%\rcx5ca0.tmp
- %TEMP%\rcx5d0f.tmp
- %TEMP%\rcx5d4e.tmp
- %TEMP%\rcx5d8e.tmp
- %TEMP%\rcx5ddd.tmp
- %TEMP%\3184423048.tmp
- %TEMP%\rcx5e3c.tmp
- %TEMP%\rcx5e7b.tmp
- %TEMP%\rcx5ebb.tmp
- %TEMP%\rcx5efa.tmp
- %TEMP%\rcx5f3a.tmp
- %TEMP%\rcx5f6a.tmp
- %TEMP%\rcx5fb9.tmp
- %TEMP%\rcx5fe9.tmp
- %TEMP%\rcx6028.tmp
- %TEMP%\rcx6077.tmp
- %TEMP%\rcx60a7.tmp
- %TEMP%\rcx60d7.tmp
- %TEMP%\rcx6116.tmp
- %TEMP%\rcx6146.tmp
- %TEMP%\rcx6176.tmp
- %TEMP%\rcx61a6.tmp
- %TEMP%\982423051.tmp
- %TEMP%\rcx6205.tmp
- %TEMP%\rcx6225.tmp
- %TEMP%\rcx6274.tmp
- %TEMP%\rcx62a4.tmp
- %TEMP%\rcx62f3.tmp
- %TEMP%\rcx6313.tmp
- %TEMP%\rcx6353.tmp
- %TEMP%\rcx6373.tmp
- %TEMP%\rcx63a3.tmp
- %TEMP%\rcx63d3.tmp
- %TEMP%\rcx6412.tmp
- %TEMP%\rcx6433.tmp
- %TEMP%\rcx6472.tmp
- %TEMP%\rcx64b2.tmp
- %TEMP%\rcx64f1.tmp
- %TEMP%\rcx65a0.tmp
- %TEMP%\2057323054.tmp
- %TEMP%\rcx65ef.tmp
- %TEMP%\rcx660f.tmp
- %TEMP%\rcx663f.tmp
- %TEMP%\rcx6660.tmp
Deletes following files that it created itself
- %TEMP%\35222819.tmp
- %TEMP%\1110022822.tmp
- %TEMP%\2184822826.tmp
- %TEMP%\3259722829.tmp
- %TEMP%\1057722832.tmp
- %TEMP%\2132622835.tmp
- %TEMP%\3207422839.tmp
- %TEMP%\1005422842.tmp
- %TEMP%\3236723038.tmp
- %TEMP%\1034723041.tmp
- %TEMP%\2109623044.tmp
- %TEMP%\3184423048.tmp
- %TEMP%\982423051.tmp
- %TEMP%\2057323054.tmp
Moves the following files
- from %TEMP%\rcx4cfe.tmp to %TEMP%\35222819.tmp
- from %TEMP%\rcx4d6c.tmp to %TEMP%\35222819.tmp
- from %TEMP%\rcx4e58.tmp to %TEMP%\35222819.tmp
- from %TEMP%\rcx4f16.tmp to %TEMP%\35222819.tmp
- from %TEMP%\rcx4fc4.tmp to %TEMP%\35222819.tmp
- from %TEMP%\rcx5013.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx5062.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx512f.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx51ed.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx527b.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx530a.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx5398.tmp to %TEMP%\1110022822.tmp
- from %TEMP%\rcx53e8.tmp to %TEMP%\2184822826.tmp
- from %TEMP%\rcx5427.tmp to %TEMP%\2184822826.tmp
- from %TEMP%\rcx55df.tmp to %TEMP%\2184822826.tmp
- from %TEMP%\rcx568c.tmp to %TEMP%\2184822826.tmp
- from %TEMP%\rcx5788.tmp to %TEMP%\2184822826.tmp
- from %TEMP%\rcx57d8.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5817.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx58b5.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5954.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx59e2.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5a80.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5b0f.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5bbd.tmp to %TEMP%\3259722829.tmp
- from %TEMP%\rcx5c1c.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5c7a.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5d28.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5dc7.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5e74.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5f03.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx5fa1.tmp to %TEMP%\1057722832.tmp
- from %TEMP%\rcx6010.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx604f.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx610d.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx61bb.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx6278.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx6307.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx63a5.tmp to %TEMP%\2132622835.tmp
- from %TEMP%\rcx6404.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx6434.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx64d2.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx6551.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx65ff.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx667e.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx670c.tmp to %TEMP%\3207422839.tmp
- from %TEMP%\rcx676b.tmp to %TEMP%\1005422842.tmp
- from %TEMP%\rcx679b.tmp to %TEMP%\1005422842.tmp
- from %TEMP%\rcx525a.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx52a9.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx5337.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx53b6.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx5455.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx54e3.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx5572.tmp to %TEMP%\3236723038.tmp
- from %TEMP%\rcx55d1.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx5610.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx568f.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx570e.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx578d.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx581c.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx58aa.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx5929.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx59b8.tmp to %TEMP%\1034723041.tmp
- from %TEMP%\rcx5a17.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5a56.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5ad5.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5b74.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5c02.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5ca0.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5d4e.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5ddd.tmp to %TEMP%\2109623044.tmp
- from %TEMP%\rcx5e3c.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx5e7b.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx5efa.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx5f6a.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx5fe9.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx6077.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx60d7.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx6146.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx61a6.tmp to %TEMP%\3184423048.tmp
- from %TEMP%\rcx6205.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx6225.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx62a4.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx6313.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx6373.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx63d3.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx6433.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx64b2.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx6521.tmp to %TEMP%\982423051.tmp
- from %TEMP%\rcx65ef.tmp to %TEMP%\2057323054.tmp
- from %TEMP%\rcx660f.tmp to %TEMP%\2057323054.tmp
- from %TEMP%\rcx6660.tmp to %TEMP%\2057323054.tmp
Substitutes the following files
- %TEMP%\35222819.tmp
- %TEMP%\1110022822.tmp
- %TEMP%\2184822826.tmp
- %TEMP%\3259722829.tmp
- %TEMP%\1057722832.tmp
- %TEMP%\2132622835.tmp
- %TEMP%\3207422839.tmp
- %TEMP%\3236723038.tmp
- %TEMP%\1034723041.tmp
- %TEMP%\2109623044.tmp
- %TEMP%\3184423048.tmp
- %TEMP%\982423051.tmp
- %TEMP%\rcx6521.tmp
- %TEMP%\rcx6551.tmp
- %TEMP%\2057323054.tmp
Network activity
Connects to
- 'wx###lytics.ru':80
UDP
- DNS ASK wx###lytics.ru
