Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AcIcUcAM.exe' = '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jaQEcQMQ.exe' = '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files (Explorer 'Hidden' setting, changed by the reg.exe command listed below)
- file extensions (Explorer 'HideFileExt' setting, changed by the reg.exe command listed below)
- User Account Control (UAC) (disabled by the 'EnableLUA' = 0 reg.exe command listed below)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\DecUcgUw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MuMAIEcM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xyQYgQgg.bat" "<Full path to virus>""
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IIQgYgoc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jsIgkAoM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nqYckIck.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\UQgMkcsI.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rykgkwME.bat" "<Full path to virus>""
- %TEMP%\jsIgkAoM.bat
- <Current directory>\oGIk.ico
- <Current directory>\poQy.exe
- %TEMP%\rCAwkgAE.bat
- <Current directory>\Cwsg.ico
- <Current directory>\yQsK.exe
- C:\RCX14.tmp
- C:\RCX15.tmp
- %TEMP%\qUIosoEY.bat
- <Current directory>\mSsk.ico
- <Current directory>\DUoi.exe
- C:\RCX16.tmp
- <Current directory>\pmkQ.ico
- %TEMP%\IIQgYgoc.bat
- <Current directory>\sgIY.exe
- %TEMP%\DecUcgUw.bat
- <Current directory>\YeUY.ico
- <Current directory>\cgcu.exe
- C:\RCX10.tmp
- C:\RCXF.tmp
- <Current directory>\SWwY.ico
- <Current directory>\MkQY.exe
- %TEMP%\IwwYoAQg.bat
- <Current directory>\seQU.ico
- <Current directory>\JUQC.exe
- C:\RCX13.tmp
- C:\RCX12.tmp
- C:\RCX11.tmp
- <Current directory>\tOwU.ico
- <Current directory>\XUsY.exe
- C:\RCX17.tmp
- <Current directory>\bSsI.ico
- <Current directory>\nkMM.exe
- C:\RCX1E.tmp
- C:\RCX1D.tmp
- C:\RCX1C.tmp
- <Current directory>\jqoU.ico
- <Current directory>\EAYE.exe
- <Current directory>\Jyoo.ico
- <Current directory>\hyQk.ico
- <Current directory>\sIci.exe
- %TEMP%\EEIQcYwk.bat
- <Current directory>\AcsO.exe
- <Current directory>\qgMi.exe
- C:\RCX1F.tmp
- <Current directory>\ruEo.ico
- <Current directory>\wGAY.ico
- <Current directory>\wocq.exe
- C:\RCX19.tmp
- C:\RCX18.tmp
- %TEMP%\SwUwcUgk.bat
- <Current directory>\sKMk.ico
- <Current directory>\WYYA.exe
- <Current directory>\aGgM.ico
- C:\RCX1B.tmp
- <Current directory>\aGkU.ico
- <Current directory>\TQwa.exe
- <Current directory>\sgYy.exe
- <Current directory>\VAwG.exe
- C:\RCX1A.tmp
- <Current directory>\lwAc.ico
- <Current directory>\eugE.ico
- <Current directory>\cgwS.exe
- C:\RCX3.tmp
- C:\RCX2.tmp
- %TEMP%\nqYckIck.bat
- %TEMP%\XgYkEQEI.bat
- <Current directory>\EUYS.exe
- <Current directory>\YUAA.ico
- C:\RCX5.tmp
- <Current directory>\HEcY.ico
- <Current directory>\iQwM.exe
- <Current directory>\LIIs.exe
- <Current directory>\XUkQ.exe
- C:\RCX4.tmp
- <Current directory>\PgAw.ico
- %TEMP%\KqYsIYEQ.bat
- %TEMP%\rykgkwME.bat
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\wUwcUkYQ.bat
- %TEMP%\emIoUsUM.bat
- C:\RCX1.tmp
- %TEMP%\LSsMMUoo.bat
- <Current directory>\OcQM.ico
- %TEMP%\UQgMkcsI.bat
- <Current directory>\EegY.ico
- %TEMP%\file.vbs
- <Current directory>\LUsy.exe
- C:\RCX6.tmp
- C:\RCXC.tmp
- %TEMP%\bMEMkMoI.bat
- <Current directory>\DOUw.ico
- <Current directory>\ksoI.exe
- <Current directory>\lEIc.exe
- C:\RCXB.tmp
- <Current directory>\mYsg.ico
- <Current directory>\eoAe.exe
- C:\RCXE.tmp
- <Current directory>\xQUQ.ico
- <Current directory>\LsEK.exe
- <Current directory>\woES.exe
- C:\RCXD.tmp
- %TEMP%\MuMAIEcM.bat
- <Current directory>\CaYQ.ico
- <Current directory>\ycoQ.ico
- <Current directory>\xYsQ.exe
- C:\RCX8.tmp
- C:\RCX7.tmp
- <Current directory>\TUIU.ico
- %TEMP%\xyQYgQgg.bat
- <Current directory>\SIco.exe
- %TEMP%\muAUMsMQ.bat
- <Current directory>\Xwwa.exe
- C:\RCXA.tmp
- <Current directory>\jass.ico
- <Current directory>\RYkY.ico
- <Current directory>\kEAY.ico
- <Current directory>\HEUk.exe
- C:\RCX9.tmp
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe
- %HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe
- %TEMP%\rCAwkgAE.bat
- <Current directory>\poQy.exe
- <Current directory>\yQsK.exe
- <Current directory>\Cwsg.ico
- <Current directory>\oGIk.ico
- %TEMP%\qUIosoEY.bat
- <Current directory>\DUoi.exe
- <Current directory>\sgIY.exe
- <Current directory>\pmkQ.ico
- <Current directory>\cgcu.exe
- <Current directory>\YeUY.ico
- <Current directory>\MkQY.exe
- <Current directory>\SWwY.ico
- %TEMP%\IwwYoAQg.bat
- <Current directory>\JUQC.exe
- <Current directory>\seQU.ico
- <Current directory>\XUsY.exe
- <Current directory>\tOwU.ico
- <Current directory>\EAYE.exe
- <Current directory>\jqoU.ico
- <Current directory>\TQwa.exe
- <Current directory>\aGkU.ico
- <Current directory>\nkMM.exe
- <Current directory>\Jyoo.ico
- <Current directory>\ruEo.ico
- <Current directory>\bSsI.ico
- <Current directory>\qgMi.exe
- <Current directory>\sKMk.ico
- <Current directory>\wocq.exe
- <Current directory>\mSsk.ico
- <Current directory>\WYYA.exe
- <Current directory>\wGAY.ico
- <Current directory>\sgYy.exe
- <Current directory>\lwAc.ico
- <Current directory>\VAwG.exe
- <Current directory>\aGgM.ico
- <Current directory>\xQUQ.ico
- <Current directory>\XUkQ.exe
- <Current directory>\YUAA.ico
- <Current directory>\eugE.ico
- %TEMP%\XgYkEQEI.bat
- <Current directory>\LIIs.exe
- <Current directory>\HEcY.ico
- <Current directory>\SIco.exe
- <Current directory>\PgAw.ico
- <Current directory>\iQwM.exe
- %TEMP%\emIoUsUM.bat
- <Current directory>\LUsy.exe
- %TEMP%\wUwcUkYQ.bat
- %TEMP%\KqYsIYEQ.bat
- <Current directory>\EegY.ico
- <Current directory>\OcQM.ico
- <Current directory>\cgwS.exe
- %TEMP%\LSsMMUoo.bat
- <Current directory>\EUYS.exe
- <Current directory>\mYsg.ico
- <Current directory>\eoAe.exe
- <Current directory>\jass.ico
- <Current directory>\ksoI.exe
- <Current directory>\DOUw.ico
- <Current directory>\CaYQ.ico
- <Current directory>\LsEK.exe
- %TEMP%\bMEMkMoI.bat
- <Current directory>\woES.exe
- <Current directory>\ycoQ.ico
- <Current directory>\HEUk.exe
- <Current directory>\TUIU.ico
- <Current directory>\xYsQ.exe
- <Current directory>\kEAY.ico
- <Current directory>\RYkY.ico
- <Current directory>\lEIc.exe
- %TEMP%\muAUMsMQ.bat
- <Current directory>\Xwwa.exe
- from C:\RCX15.tmp to <Current directory>\poQy.exe
- from C:\RCX16.tmp to <Current directory>\sgIY.exe
- from C:\RCX17.tmp to <Current directory>\DUoi.exe
- from C:\RCX14.tmp to <Current directory>\yQsK.exe
- from C:\RCX11.tmp to <Current directory>\cgcu.exe
- from C:\RCX12.tmp to <Current directory>\XUsY.exe
- from C:\RCX13.tmp to <Current directory>\JUQC.exe
- from C:\RCX18.tmp to <Current directory>\WYYA.exe
- from C:\RCX1D.tmp to <Current directory>\EAYE.exe
- from C:\RCX1E.tmp to <Current directory>\nkMM.exe
- from C:\RCX1F.tmp to <Current directory>\qgMi.exe
- from C:\RCX1C.tmp to <Current directory>\TQwa.exe
- from C:\RCX19.tmp to <Current directory>\wocq.exe
- from C:\RCX1A.tmp to <Current directory>\VAwG.exe
- from C:\RCX1B.tmp to <Current directory>\sgYy.exe
- from C:\RCX10.tmp to <Current directory>\MkQY.exe
- from C:\RCX5.tmp to <Current directory>\LIIs.exe
- from C:\RCX6.tmp to <Current directory>\iQwM.exe
- from C:\RCX7.tmp to <Current directory>\SIco.exe
- from C:\RCX4.tmp to <Current directory>\XUkQ.exe
- from C:\RCX1.tmp to <Current directory>\LUsy.exe
- from C:\RCX2.tmp to <Current directory>\EUYS.exe
- from C:\RCX3.tmp to <Current directory>\cgwS.exe
- from C:\RCX8.tmp to <Current directory>\xYsQ.exe
- from C:\RCXD.tmp to <Current directory>\eoAe.exe
- from C:\RCXE.tmp to <Current directory>\woES.exe
- from C:\RCXF.tmp to <Current directory>\LsEK.exe
- from C:\RCXC.tmp to <Current directory>\ksoI.exe
- from C:\RCX9.tmp to <Current directory>\HEUk.exe
- from C:\RCXA.tmp to <Current directory>\Xwwa.exe
- from C:\RCXB.tmp to <Current directory>\lEIc.exe
- '74.##5.232.51':80
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'jaQEcQMQ.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'AcIcUcAM.exe'