Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files
- file extensions
- User Account Control (UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cscript.exe'
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vIIscAIw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KMEkgwEg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xsoIAgww.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gUQgckUQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\wQskgIII.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dygQIQYQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OaQAcwgI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZAQoEoMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\lisUAEQM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LaEkscgo.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\EIkQQgoc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\yQIcwUAs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\puoswYoU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\swUMsUgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VycYAwkU.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ngoAokUE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tCwoMkos.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\beUscocQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XysQIMIY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dMosgIQQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gAIIYYYE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\QsYAUwwY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KikYksww.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\fYocQcUs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EkowgckM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dmowYMso.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BOAUgcQg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AAsYAcYw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EakwEwME.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YyUkgwwo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bCMUwsAI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\uUgksYYw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KmQAsYsE.bat" "<Full path to virus>""
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\reg.exe
- %TEMP%\gUQgckUQ.bat
- C:\RCX10.tmp
- %TEMP%\dygQIQYQ.bat
- %TEMP%\UIoMIgAI.bat
- <Current directory>\AWcc.ico
- %TEMP%\wQskgIII.bat
- %TEMP%\xyEoYksk.bat
- <Current directory>\ncgq.exe
- <Current directory>\nQsc.ico
- %TEMP%\OaQAcwgI.bat
- %TEMP%\qKwEwAow.bat
- <Current directory>\hqUk.ico
- %TEMP%\wqwcckIo.bat
- C:\RCX11.tmp
- <Current directory>\Zcou.exe
- %TEMP%\ZAQoEoMU.bat
- %TEMP%\EAQAIUkc.bat
- C:\RCXC.tmp
- <Current directory>\mYwS.exe
- <Current directory>\pMwM.exe
- <Current directory>\kgMc.ico
- C:\RCXB.tmp
- <Current directory>\hEQa.exe
- %TEMP%\tcUQAckE.bat
- <Current directory>\yEkc.ico
- C:\RCXD.tmp
- <Current directory>\tKwc.ico
- %TEMP%\GkIAwUko.bat
- C:\RCXF.tmp
- <Current directory>\sskq.exe
- <Current directory>\ouUk.ico
- %TEMP%\ngoAokUE.bat
- C:\RCXE.tmp
- <Current directory>\PMYw.exe
- <Current directory>\xAsq.exe
- C:\RCX14.tmp
- <Current directory>\eMkg.exe
- %TEMP%\NIEkwUYQ.bat
- %TEMP%\LaEkscgo.bat
- %TEMP%\VycYAwkU.bat
- %TEMP%\FmoEkIUk.bat
- <Current directory>\LqAM.ico
- %TEMP%\HoAgUgcc.bat
- %TEMP%\VWIkwAsU.bat
- %TEMP%\eCMMIYMI.bat
- <Current directory>\ZwgG.exe
- %TEMP%\Lwsckwck.bat
- C:\RCX15.tmp
- %TEMP%\HOMAkEAk.bat
- %TEMP%\lisUAEQM.bat
- <Current directory>\NmMA.ico
- %TEMP%\EIkQQgoc.bat
- %TEMP%\KMEkgwEg.bat
- %TEMP%\oUQUMAoY.bat
- %TEMP%\puoswYoU.bat
- %TEMP%\zwYEwkMw.bat
- C:\RCX12.tmp
- %TEMP%\vIIscAIw.bat
- %TEMP%\xsoIAgww.bat
- %TEMP%\FsUQAEMA.bat
- <Current directory>\vYkg.ico
- %TEMP%\swUMsUgA.bat
- %TEMP%\yQIcwUAs.bat
- %TEMP%\FUcEEEcg.bat
- %TEMP%\bkIsUoAA.bat
- %TEMP%\gcEEQkcE.bat
- <Current directory>\coIE.exe
- %TEMP%\GCMYMEIs.bat
- C:\RCX13.tmp
- <Current directory>\yggM.ico
- <Current directory>\Gwgq.exe
- <Current directory>\XAgc.ico
- %TEMP%\KikYksww.bat
- C:\RCX2.tmp
- %TEMP%\FiAwUUIs.bat
- %TEMP%\gAIIYYYE.bat
- %TEMP%\TEgIQIUg.bat
- %TEMP%\dMosgIQQ.bat
- %TEMP%\aaQAEQks.bat
- %TEMP%\EakwEwME.bat
- %TEMP%\xYQUwEYI.bat
- <Current directory>\FykI.ico
- %TEMP%\WCQEIscU.bat
- <Current directory>\dIsk.ico
- %TEMP%\YyUkgwwo.bat
- C:\RCX3.tmp
- <Current directory>\cwkm.exe
- %TEMP%\file.vbs
- %TEMP%\QsYAUwwY.bat
- %TEMP%\beUscocQ.bat
- %TEMP%\nGoAsUQM.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- <Current directory>\<Virus name>
- %TEMP%\oaMoswQA.bat
- %TEMP%\ZKwEwYYc.bat
- C:\RCX1.tmp
- %TEMP%\XysQIMIY.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\mmYAUUoU.bat
- <Current directory>\qsAk.ico
- %TEMP%\tCwoMkos.bat
- <Current directory>\hwko.exe
- %TEMP%\ryEgkscE.bat
- <Current directory>\acgw.exe
- %TEMP%\AAsYAcYw.bat
- C:\RCX7.tmp
- <Current directory>\moky.exe
- <Current directory>\ggYM.ico
- %TEMP%\zikkEgsY.bat
- %TEMP%\dmowYMso.bat
- <Current directory>\IEME.exe
- <Current directory>\bUYI.ico
- C:\RCX8.tmp
- <Current directory>\OgUi.exe
- <Current directory>\KGcw.ico
- %TEMP%\BOAUgcQg.bat
- C:\RCXA.tmp
- <Current directory>\HQQI.ico
- %TEMP%\mmsEAYQg.bat
- C:\RCX9.tmp
- <Current directory>\MoIU.exe
- <Current directory>\CIoU.ico
- %TEMP%\EIUkcUgw.bat
- C:\RCX5.tmp
- <Current directory>\zwAc.exe
- %TEMP%\bCMUwsAI.bat
- C:\RCX4.tmp
- %TEMP%\KmQAsYsE.bat
- %TEMP%\BaUsoEoU.bat
- %TEMP%\uUgksYYw.bat
- <Current directory>\zogO.exe
- %TEMP%\fYocQcUs.bat
- %TEMP%\OEckAUgA.bat
- C:\RCX6.tmp
- %TEMP%\EkowgckM.bat
- %TEMP%\QEsUEgEc.bat
- <Current directory>\sgko.ico
- %TEMP%\LkcMgckI.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\ncgq.exe
- <Current directory>\AWcc.ico
- %TEMP%\xyEoYksk.bat
- %TEMP%\UIoMIgAI.bat
- %TEMP%\EAQAIUkc.bat
- <Current directory>\nQsc.ico
- %TEMP%\wqwcckIo.bat
- %TEMP%\qKwEwAow.bat
- <Current directory>\Zcou.exe
- <Current directory>\tKwc.ico
- <Current directory>\yEkc.ico
- <Current directory>\pMwM.exe
- %TEMP%\tcUQAckE.bat
- <Current directory>\mYwS.exe
- <Current directory>\kgMc.ico
- %TEMP%\GkIAwUko.bat
- <Current directory>\sskq.exe
- <Current directory>\PMYw.exe
- <Current directory>\ouUk.ico
- %TEMP%\FsUQAEMA.bat
- %TEMP%\NIEkwUYQ.bat
- %TEMP%\FUcEEEcg.bat
- <Current directory>\vYkg.ico
- %TEMP%\HoAgUgcc.bat
- %TEMP%\VWIkwAsU.bat
- %TEMP%\lisUAEQM.bat
- <Current directory>\LqAM.ico
- <Current directory>\eMkg.exe
- %TEMP%\HOMAkEAk.bat
- <Current directory>\coIE.exe
- %TEMP%\zwYEwkMw.bat
- <Current directory>\hqUk.ico
- %TEMP%\oUQUMAoY.bat
- <Current directory>\xAsq.exe
- %TEMP%\gcEEQkcE.bat
- %TEMP%\puoswYoU.bat
- %TEMP%\FmoEkIUk.bat
- %TEMP%\GCMYMEIs.bat
- %TEMP%\bkIsUoAA.bat
- %TEMP%\xYQUwEYI.bat
- <Current directory>\cwkm.exe
- <Current directory>\Gwgq.exe
- <Current directory>\XAgc.ico
- <Current directory>\dIsk.ico
- <Current directory>\acgw.exe
- <Current directory>\FykI.ico
- %TEMP%\WCQEIscU.bat
- %TEMP%\BaUsoEoU.bat
- %TEMP%\aaQAEQks.bat
- %TEMP%\ZKwEwYYc.bat
- %TEMP%\ryEgkscE.bat
- %TEMP%\oaMoswQA.bat
- %TEMP%\nGoAsUQM.bat
- %TEMP%\mmYAUUoU.bat
- %TEMP%\FiAwUUIs.bat
- %TEMP%\TEgIQIUg.bat
- <Current directory>\hwko.exe
- <Current directory>\qsAk.ico
- %TEMP%\EIUkcUgw.bat
- %TEMP%\mmsEAYQg.bat
- <Current directory>\MoIU.exe
- <Current directory>\moky.exe
- <Current directory>\ggYM.ico
- <Current directory>\HQQI.ico
- <Current directory>\hEQa.exe
- <Current directory>\yggM.ico
- <Current directory>\OgUi.exe
- <Current directory>\KGcw.ico
- <Current directory>\bUYI.ico
- <Current directory>\zwAc.exe
- <Current directory>\CIoU.ico
- %TEMP%\QEsUEgEc.bat
- %TEMP%\LkcMgckI.bat
- %TEMP%\OEckAUgA.bat
- %TEMP%\zikkEgsY.bat
- <Current directory>\IEME.exe
- <Current directory>\zogO.exe
- <Current directory>\sgko.ico
- from C:\RCXE.tmp to <Current directory>\PMYw.exe
- from C:\RCXF.tmp to <Current directory>\sskq.exe
- from C:\RCXD.tmp to <Current directory>\pMwM.exe
- from C:\RCXB.tmp to <Current directory>\hEQa.exe
- from C:\RCXC.tmp to <Current directory>\mYwS.exe
- from C:\RCX13.tmp to <Current directory>\coIE.exe
- from C:\RCX14.tmp to <Current directory>\eMkg.exe
- from C:\RCX12.tmp to <Current directory>\xAsq.exe
- from C:\RCX10.tmp to <Current directory>\ncgq.exe
- from C:\RCX11.tmp to <Current directory>\Zcou.exe
- from C:\RCX4.tmp to <Current directory>\acgw.exe
- from C:\RCX5.tmp to <Current directory>\zwAc.exe
- from C:\RCX3.tmp to <Current directory>\cwkm.exe
- from C:\RCX1.tmp to <Current directory>\hwko.exe
- from C:\RCX2.tmp to <Current directory>\Gwgq.exe
- from C:\RCX9.tmp to <Current directory>\MoIU.exe
- from C:\RCXA.tmp to <Current directory>\OgUi.exe
- from C:\RCX8.tmp to <Current directory>\moky.exe
- from C:\RCX6.tmp to <Current directory>\zogO.exe
- from C:\RCX7.tmp to <Current directory>\IEME.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'