Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files
- file extensions
- User Account Control (UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tKYoQEMs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RQgYkUIc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qIYcMcEA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XIsYoAUg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\eAoIsccw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xoEIMcEk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\uswUYYEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XCEowEAA.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\pMEoMsEI.bat" "<Full path to virus>""
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sQQoQscQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OAEggwsQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FGcQkQUU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\duEgMgQw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sEQQggkg.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qeEAgAcQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mgwIkocg.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VYcYEswk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZykAMIwE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rQwwAUEI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XOkgcwkA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EOkkQsIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NWwgcwEs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KYoQQUwM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AEMIAsMw.bat" "<Full path to virus>""
- <SYSTEM32>\reg.exe
- C:\RCX10.tmp
- %TEMP%\YuwEAYsI.bat
- <Current directory>\dssg.ico
- %TEMP%\eAoIsccw.bat
- %TEMP%\xoEIMcEk.bat
- <Current directory>\OCoA.ico
- <Current directory>\NAUo.exe
- <Current directory>\BwMM.ico
- %TEMP%\XIsYoAUg.bat
- <Current directory>\UoQC.exe
- %TEMP%\UAcIkUso.bat
- <Current directory>\JwEK.exe
- %TEMP%\uswUYYEU.bat
- C:\RCX11.tmp
- %TEMP%\sUMsoMQk.bat
- <Current directory>\TIQe.exe
- C:\RCXD.tmp
- %TEMP%\XOkgcwkA.bat
- <Current directory>\WwQY.ico
- <Current directory>\mAUU.exe
- %TEMP%\jocIsEUs.bat
- C:\RCXC.tmp
- <Current directory>\YGUE.ico
- <Current directory>\dcow.exe
- C:\RCXF.tmp
- C:\RCXE.tmp
- %TEMP%\rCsEgokE.bat
- <Current directory>\iKYw.ico
- <Current directory>\zkgk.exe
- %TEMP%\JcUYQIIY.bat
- %TEMP%\duEgMgQw.bat
- %TEMP%\XkEoocEU.bat
- %TEMP%\FGcQkQUU.bat
- C:\RCX14.tmp
- %TEMP%\OAEggwsQ.bat
- %TEMP%\OIcQYMsQ.bat
- %TEMP%\sQQoQscQ.bat
- %TEMP%\pMEoMsEI.bat
- %TEMP%\tCIAoEQE.bat
- %TEMP%\vMkQkAIQ.bat
- <Current directory>\mAMc.ico
- <Current directory>\jcIe.exe
- C:\RCX15.tmp
- <Current directory>\gkoM.exe
- %TEMP%\RQgYkUIc.bat
- %TEMP%\jmkUUoUM.bat
- <Current directory>\HssA.ico
- %TEMP%\OIwUokEs.bat
- C:\RCX12.tmp
- %TEMP%\qUoMAwwY.bat
- %TEMP%\tKYoQEMs.bat
- %TEMP%\XCEowEAA.bat
- %TEMP%\aUQUQgcQ.bat
- <Current directory>\ckgA.ico
- %TEMP%\pqEkEYwM.bat
- <Current directory>\zIoo.exe
- C:\RCX13.tmp
- %TEMP%\qIYcMcEA.bat
- <Current directory>\jKUg.ico
- %TEMP%\rMcEsowY.bat
- <Current directory>\kosA.ico
- <Current directory>\ysIi.exe
- %TEMP%\VYcYEswk.bat
- <Current directory>\KgoM.ico
- <Current directory>\qIIq.exe
- C:\RCX2.tmp
- C:\RCX4.tmp
- %TEMP%\FykscIMg.bat
- <Current directory>\KeYk.ico
- <Current directory>\JQcq.exe
- C:\RCX3.tmp
- %TEMP%\NWwgcwEs.bat
- <Current directory>\Kasg.ico
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\mgwIkocg.bat
- %TEMP%\NgwIEoAY.bat
- %TEMP%\sEQQggkg.bat
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\EoIAMIAk.bat
- C:\RCX1.tmp
- %TEMP%\qeEAgAcQ.bat
- %TEMP%\GaUowMEQ.bat
- %TEMP%\XKgQsUUo.bat
- %TEMP%\file.vbs
- <Current directory>\zSYs.ico
- <Current directory>\osAc.exe
- C:\RCX9.tmp
- %TEMP%\ZykAMIwE.bat
- <Current directory>\PCok.ico
- %TEMP%\yQowwIkQ.bat
- %TEMP%\EOkkQsIU.bat
- <Current directory>\DOwU.ico
- <Current directory>\gYEy.exe
- <Current directory>\ugES.exe
- C:\RCXB.tmp
- %TEMP%\rQwwAUEI.bat
- <Current directory>\CEAY.ico
- <Current directory>\OQkM.exe
- C:\RCXA.tmp
- %TEMP%\CoAAUcQY.bat
- C:\RCX8.tmp
- <Current directory>\YwUg.ico
- <Current directory>\JIAu.exe
- C:\RCX6.tmp
- %TEMP%\zawQsEIw.bat
- <Current directory>\yIsw.exe
- C:\RCX5.tmp
- %TEMP%\KYoQQUwM.bat
- %TEMP%\RyUYoAcw.bat
- <Current directory>\fEQs.ico
- <Current directory>\fAgc.exe
- %TEMP%\AEMIAsMw.bat
- <Current directory>\jIkY.ico
- <Current directory>\bkQm.exe
- C:\RCX7.tmp
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\NAUo.exe
- <Current directory>\OCoA.ico
- <Current directory>\YGUE.ico
- %TEMP%\YuwEAYsI.bat
- <Current directory>\dssg.ico
- %TEMP%\qUoMAwwY.bat
- %TEMP%\UAcIkUso.bat
- <Current directory>\JwEK.exe
- <Current directory>\WwQY.ico
- %TEMP%\rCsEgokE.bat
- <Current directory>\jKUg.ico
- <Current directory>\TIQe.exe
- %TEMP%\sUMsoMQk.bat
- <Current directory>\dcow.exe
- <Current directory>\zkgk.exe
- <Current directory>\iKYw.ico
- %TEMP%\OIwUokEs.bat
- <Current directory>\ckgA.ico
- %TEMP%\XkEoocEU.bat
- %TEMP%\JcUYQIIY.bat
- <Current directory>\gkoM.exe
- <Current directory>\jcIe.exe
- %TEMP%\pMEoMsEI.bat
- %TEMP%\vMkQkAIQ.bat
- %TEMP%\tCIAoEQE.bat
- %TEMP%\jmkUUoUM.bat
- %TEMP%\pqEkEYwM.bat
- <Current directory>\UoQC.exe
- <Current directory>\BwMM.ico
- %TEMP%\aUQUQgcQ.bat
- %TEMP%\OIcQYMsQ.bat
- <Current directory>\zIoo.exe
- <Current directory>\HssA.ico
- <Current directory>\mAUU.exe
- <Current directory>\kosA.ico
- %TEMP%\FykscIMg.bat
- %TEMP%\rMcEsowY.bat
- <Current directory>\ysIi.exe
- <Current directory>\yIsw.exe
- <Current directory>\KeYk.ico
- <Current directory>\JQcq.exe
- <Current directory>\Kasg.ico
- %TEMP%\XKgQsUUo.bat
- <Current directory>\osAc.exe
- %TEMP%\EoIAMIAk.bat
- %TEMP%\NgwIEoAY.bat
- <Current directory>\qIIq.exe
- <Current directory>\KgoM.ico
- <Current directory>\zSYs.ico
- %TEMP%\GaUowMEQ.bat
- %TEMP%\zawQsEIw.bat
- %TEMP%\CoAAUcQY.bat
- <Current directory>\OQkM.exe
- <Current directory>\gYEy.exe
- <Current directory>\DOwU.ico
- <Current directory>\CEAY.ico
- %TEMP%\jocIsEUs.bat
- <Current directory>\PCok.ico
- <Current directory>\ugES.exe
- <Current directory>\bkQm.exe
- <Current directory>\jIkY.ico
- <Current directory>\JIAu.exe
- <Current directory>\YwUg.ico
- <Current directory>\fEQs.ico
- %TEMP%\yQowwIkQ.bat
- %TEMP%\RyUYoAcw.bat
- <Current directory>\fAgc.exe
- from C:\RCXF.tmp to <Current directory>\dcow.exe
- from C:\RCX10.tmp to <Current directory>\NAUo.exe
- from C:\RCXE.tmp to <Current directory>\zkgk.exe
- from C:\RCXC.tmp to <Current directory>\mAUU.exe
- from C:\RCXD.tmp to <Current directory>\TIQe.exe
- from C:\RCX14.tmp to <Current directory>\gkoM.exe
- from C:\RCX15.tmp to <Current directory>\jcIe.exe
- from C:\RCX13.tmp to <Current directory>\zIoo.exe
- from C:\RCX11.tmp to <Current directory>\JwEK.exe
- from C:\RCX12.tmp to <Current directory>\UoQC.exe
- from C:\RCXB.tmp to <Current directory>\ugES.exe
- from C:\RCX4.tmp to <Current directory>\JQcq.exe
- from C:\RCX5.tmp to <Current directory>\yIsw.exe
- from C:\RCX3.tmp to <Current directory>\ysIi.exe
- from C:\RCX1.tmp to <Current directory>\osAc.exe
- from C:\RCX2.tmp to <Current directory>\qIIq.exe
- from C:\RCX9.tmp to <Current directory>\gYEy.exe
- from C:\RCXA.tmp to <Current directory>\OQkM.exe
- from C:\RCX8.tmp to <Current directory>\fAgc.exe
- from C:\RCX6.tmp to <Current directory>\JIAu.exe
- from C:\RCX7.tmp to <Current directory>\bkQm.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'