Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files
- file extensions
- User Account Control (UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\eAEEEccI.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' 2892
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pCEUccUw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xAUYQQwM.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hyYooYgw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mKIcAcwg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\yqYwEMgs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\DocwkMMc.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aWUIoIoY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BgQsosQA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HCMoEQoY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AuMEQgIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MycgcIUY.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\MYkUIYcU.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\hyIgsUEE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\eiwcgEUg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gOcUQYUc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\QEwgcQsM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jqQkEEIo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EmsAIYYA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IeoUUcAs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qQQgAAos.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pgMAQMsw.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TqgcowMk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\paQIQUIY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rCYMcEME.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\biEokIoE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VkoUUocQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\GGkAUMoU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zgIIsEkw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sAcsooEk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aEUIcIQA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VQccQwQE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZKwgkcYs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LUUUAMYo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\iKIocQoM.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- %TEMP%\XeoEEAoo.bat
- %TEMP%\eAEEEccI.bat
- %TEMP%\zgQMAkMs.bat
- %TEMP%\xAUYQQwM.bat
- %TEMP%\vkUMooEY.bat
- <Auxiliary element>
- C:\RCXD.tmp
- <Current directory>\qMkI.exe
- <Current directory>\JqQI.ico
- %TEMP%\aWUIoIoY.bat
- %TEMP%\YeQQMgoA.bat
- %TEMP%\hyIgsUEE.bat
- %TEMP%\aygswUYE.bat
- %TEMP%\YAckoYAg.bat
- <Current directory>\qQoK.exe
- C:\RCXE.tmp
- %TEMP%\pCEUccUw.bat
- <Current directory>\LUgU.ico
- %TEMP%\mKIcAcwg.bat
- %TEMP%\wGEAQgsE.bat
- %TEMP%\hyYooYgw.bat
- %TEMP%\ZskMogsk.bat
- %TEMP%\hYsgkIUw.bat
- <Current directory>\ekQI.exe
- %TEMP%\GGkAUMoU.bat
- C:\RCXB.tmp
- <Current directory>\SMQk.ico
- %TEMP%\FgcgscgI.bat
- %TEMP%\FyogQIwc.bat
- %TEMP%\ZkMgkskA.bat
- %TEMP%\DocwkMMc.bat
- C:\RCXC.tmp
- <Current directory>\hQES.exe
- %TEMP%\yqYwEMgs.bat
- %TEMP%\SEcEQkEo.bat
- %TEMP%\qOkcwAEs.bat
- <Current directory>\fKoo.ico
- %TEMP%\MYkUIYcU.bat
- C:\RCX13.tmp
- <Current directory>\fEoi.exe
- <Current directory>\xIAy.exe
- <Current directory>\SMwE.ico
- %TEMP%\qSkUIwYM.bat
- C:\RCX12.tmp
- %TEMP%\MycgcIUY.bat
- <Current directory>\jIsU.exe
- <Current directory>\skMk.ico
- %TEMP%\OgEwYoow.bat
- C:\RCX15.tmp
- <Current directory>\aqYs.ico
- %TEMP%\JCMMMgsk.bat
- C:\RCX14.tmp
- <Current directory>\fcQA.exe
- %TEMP%\XgYwoscE.bat
- C:\RCXF.tmp
- <Current directory>\kgYo.exe
- %TEMP%\CIswgEsY.bat
- %TEMP%\HCMoEQoY.bat
- %TEMP%\eiwcgEUg.bat
- %TEMP%\gOcUQYUc.bat
- <Current directory>\OAcE.ico
- %TEMP%\qGkggkUw.bat
- %TEMP%\BgQsosQA.bat
- <Current directory>\CkgW.exe
- <Current directory>\uGYs.ico
- %TEMP%\AuMEQgIU.bat
- C:\RCX11.tmp
- <Current directory>\igIk.exe
- <Current directory>\bOYY.ico
- %TEMP%\LcwQUcEQ.bat
- C:\RCX10.tmp
- <Current directory>\QIYM.ico
- <Current directory>\oMYU.exe
- %TEMP%\IeoUUcAs.bat
- %TEMP%\YKkkkoUs.bat
- C:\RCX2.tmp
- %TEMP%\qQQgAAos.bat
- %TEMP%\UuEQIoYc.bat
- %TEMP%\gesQUgIk.bat
- <Current directory>\DKAI.ico
- %TEMP%\paQIQUIY.bat
- <Current directory>\sQMc.ico
- %TEMP%\VAQsYgcQ.bat
- %TEMP%\ZKwgkcYs.bat
- <Current directory>\PEwi.exe
- %TEMP%\VQccQwQE.bat
- %TEMP%\ycksIEko.bat
- %TEMP%\aEUIcIQA.bat
- %TEMP%\xIMYwQws.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\file.vbs
- %TEMP%\TqgcowMk.bat
- %TEMP%\pgMAQMsw.bat
- %TEMP%\vAQwMcwY.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- <Current directory>\<Virus name>
- %TEMP%\AOAIggkI.bat
- %TEMP%\uugYkwYw.bat
- %TEMP%\QEwgcQsM.bat
- C:\RCX1.tmp
- %TEMP%\EmsAIYYA.bat
- %TEMP%\UMUUQkww.bat
- %TEMP%\PaQEAcYA.bat
- %TEMP%\jqQkEEIo.bat
- <Current directory>\YoUI.exe
- <Current directory>\iSAM.ico
- C:\RCX3.tmp
- C:\RCX8.tmp
- <Current directory>\GAgm.exe
- <Current directory>\tcAY.exe
- <Current directory>\WuAE.ico
- %TEMP%\biEokIoE.bat
- C:\RCX7.tmp
- <Current directory>\CWco.ico
- %TEMP%\cagcYoEc.bat
- C:\RCX9.tmp
- %TEMP%\UcIMEMwI.bat
- <Current directory>\iQQc.exe
- %TEMP%\zgIIsEkw.bat
- C:\RCXA.tmp
- %TEMP%\VkMYoEIg.bat
- %TEMP%\rCYMcEME.bat
- <Current directory>\veoc.ico
- %TEMP%\VkoUUocQ.bat
- <Current directory>\yokM.exe
- C:\RCX4.tmp
- <Current directory>\DMUq.exe
- %TEMP%\yuoMEUsc.bat
- %TEMP%\LUUUAMYo.bat
- %TEMP%\iKIocQoM.bat
- %TEMP%\kWAcckEk.bat
- <Current directory>\ACsU.ico
- %TEMP%\VMEEkckw.bat
- %TEMP%\sAcsooEk.bat
- <Current directory>\KEso.exe
- <Current directory>\FsYM.ico
- <Current directory>\FMoE.ico
- C:\RCX6.tmp
- <Current directory>\Xssw.exe
- <Current directory>\uYMk.ico
- %TEMP%\uIAcAcgo.bat
- C:\RCX5.tmp
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\DocwkMMc.bat
- <Current directory>\LUgU.ico
- %TEMP%\zgQMAkMs.bat
- <Current directory>\qMkI.exe
- %TEMP%\ZkMgkskA.bat
- %TEMP%\qOkcwAEs.bat
- <Current directory>\qQoK.exe
- %TEMP%\aygswUYE.bat
- %TEMP%\YAckoYAg.bat
- %TEMP%\YeQQMgoA.bat
- %TEMP%\SEcEQkEo.bat
- %TEMP%\FyogQIwc.bat
- <Current directory>\QIYM.ico
- <Current directory>\ekQI.exe
- %TEMP%\ZskMogsk.bat
- %TEMP%\vkUMooEY.bat
- %TEMP%\XeoEEAoo.bat
- <Current directory>\SMQk.ico
- %TEMP%\FgcgscgI.bat
- <Current directory>\hQES.exe
- %TEMP%\qSkUIwYM.bat
- <Current directory>\SMwE.ico
- <Current directory>\xIAy.exe
- <Current directory>\uGYs.ico
- %TEMP%\XgYwoscE.bat
- <Current directory>\fcQA.exe
- <Current directory>\aqYs.ico
- %TEMP%\JCMMMgsk.bat
- <Current directory>\fEoi.exe
- <Current directory>\fKoo.ico
- %TEMP%\hyIgsUEE.bat
- <Current directory>\kgYo.exe
- %TEMP%\CIswgEsY.bat
- <Current directory>\JqQI.ico
- %TEMP%\qGkggkUw.bat
- <Current directory>\bOYY.ico
- <Current directory>\CkgW.exe
- <Current directory>\igIk.exe
- <Current directory>\OAcE.ico
- %TEMP%\LcwQUcEQ.bat
- <Current directory>\DKAI.ico
- %TEMP%\VAQsYgcQ.bat
- <Current directory>\oMYU.exe
- %TEMP%\ycksIEko.bat
- %TEMP%\xIMYwQws.bat
- %TEMP%\VMEEkckw.bat
- %TEMP%\yuoMEUsc.bat
- <Current directory>\sQMc.ico
- %TEMP%\kWAcckEk.bat
- <Current directory>\PEwi.exe
- %TEMP%\PaQEAcYA.bat
- %TEMP%\UMUUQkww.bat
- %TEMP%\uugYkwYw.bat
- %TEMP%\AOAIggkI.bat
- %TEMP%\vAQwMcwY.bat
- %TEMP%\gesQUgIk.bat
- %TEMP%\YKkkkoUs.bat
- %TEMP%\UuEQIoYc.bat
- <Current directory>\YoUI.exe
- <Current directory>\iSAM.ico
- <Current directory>\tcAY.exe
- <Current directory>\WuAE.ico
- %TEMP%\VkMYoEIg.bat
- <Current directory>\GAgm.exe
- <Current directory>\CWco.ico
- %TEMP%\hYsgkIUw.bat
- %TEMP%\wGEAQgsE.bat
- <Current directory>\veoc.ico
- %TEMP%\UcIMEMwI.bat
- <Current directory>\iQQc.exe
- <Current directory>\uYMk.ico
- %TEMP%\uIAcAcgo.bat
- <Current directory>\Xssw.exe
- <Current directory>\DMUq.exe
- <Current directory>\ACsU.ico
- <Current directory>\FMoE.ico
- %TEMP%\cagcYoEc.bat
- <Current directory>\yokM.exe
- <Current directory>\KEso.exe
- <Current directory>\FsYM.ico
- from C:\RCXE.tmp to <Current directory>\qQoK.exe
- from C:\RCXF.tmp to <Current directory>\kgYo.exe
- from C:\RCXD.tmp to <Current directory>\qMkI.exe
- from C:\RCXB.tmp to <Current directory>\ekQI.exe
- from C:\RCXC.tmp to <Current directory>\hQES.exe
- from C:\RCX13.tmp to <Current directory>\fEoi.exe
- from C:\RCX14.tmp to <Current directory>\fcQA.exe
- from C:\RCX12.tmp to <Current directory>\xIAy.exe
- from C:\RCX10.tmp to <Current directory>\igIk.exe
- from C:\RCX11.tmp to <Current directory>\CkgW.exe
- from C:\RCX4.tmp to <Current directory>\DMUq.exe
- from C:\RCX5.tmp to <Current directory>\Xssw.exe
- from C:\RCX3.tmp to <Current directory>\PEwi.exe
- from C:\RCX1.tmp to <Current directory>\YoUI.exe
- from C:\RCX2.tmp to <Current directory>\oMYU.exe
- from C:\RCX9.tmp to <Current directory>\tcAY.exe
- from C:\RCXA.tmp to <Current directory>\iQQc.exe
- from C:\RCX8.tmp to <Current directory>\GAgm.exe
- from C:\RCX6.tmp to <Current directory>\KEso.exe
- from C:\RCX7.tmp to <Current directory>\yokM.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'