Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
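- hidden files: display turned off (a reg.exe command in this list sets 'Hidden' = 2 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
- file extensions: display turned off (a reg.exe command in this list sets 'HideFileExt' = 1 under the same key)
- User Account Control (UAC): disabled (a reg.exe command in this list sets 'EnableLUA' = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)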
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vysUgows.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\WeIYIEgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PWwAswIA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RKoEIIMI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xOIkQgkg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\SIwggUEI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zSUYgAMs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RMYEYsIM.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HQAQUwQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ROQIokEM.bat" "<Full path to virus>""
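- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  (Note: these are reg.exe arguments, and the identical command appears with reg.exe further down this list. The process name on this entry, and on the few other entries where reg.exe or cscript.exe is paired with another tool's arguments, looks like a reporting artefact; when correlating against process logs, compare the argument string and not only the image name.)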
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\DewMAMEw.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c ""%TEMP%\tAMggEQM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MsYoMcks.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZEQYwcsw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OiUcgsQc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AsUAosgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ImIYMEsQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BkQcMUQQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AWEQQoQg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ooEUEMog.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\lEQQIcIs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FKMAUQcM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PKQYMUos.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vIQQMoYc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LAkIIQsk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gEskcoIs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cwooAIoQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AEssgkwU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tIsMsMwg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nyMIMIsc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VQMQAQEg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mCckcAgM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bYgccQEw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IUksYoQE.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- %TEMP%\RKoEIIMI.bat
- %TEMP%\VMcUkokQ.bat
- %TEMP%\SIwggUEI.bat
- C:\RCXD.tmp
- <Current directory>\xWgw.ico
- <Current directory>\YgQC.exe
- %TEMP%\kOIkAYIM.bat
- <Current directory>\Zygw.ico
- %TEMP%\uggAgsQM.bat
- %TEMP%\zSUYgAMs.bat
- %TEMP%\fykwIocY.bat
- %TEMP%\RMYEYsIM.bat
- %TEMP%\ROkQkIIo.bat
- <Current directory>\OAEQ.exe
- C:\RCXE.tmp
- %TEMP%\xOIkQgkg.bat
- %TEMP%\cwooAIoQ.bat
- <Current directory>\mccE.ico
- <Current directory>\VIQK.exe
- %TEMP%\HYskQEEU.bat
- <Current directory>\DAAG.exe
- C:\RCXB.tmp
- %TEMP%\LAkIIQsk.bat
- %TEMP%\tskEoowE.bat
- %TEMP%\DWosscUg.bat
- %TEMP%\ImIYMEsQ.bat
- %TEMP%\lkskYwEw.bat
- %TEMP%\AEssgkwU.bat
- %TEMP%\tIsMsMwg.bat
- C:\RCXC.tmp
- %TEMP%\cwwIIIgI.bat
- %TEMP%\jmQMwUMI.bat
- %TEMP%\OiUcgsQc.bat
- %TEMP%\MOgEwYYk.bat
- %TEMP%\ROQIokEM.bat
- %TEMP%\CSYkEgoY.bat
- C:\RCX10.tmp
- %TEMP%\AsUAosgA.bat
- %TEMP%\mCcIoYkQ.bat
- <Current directory>\uGYg.ico
- %TEMP%\XQAYkYEM.bat
- %TEMP%\tAMggEQM.bat
- %TEMP%\DewMAMEw.bat
- %TEMP%\LMgocMMw.bat
- <Current directory>\rEIE.exe
- %TEMP%\HQAQUwQo.bat
- C:\RCX11.tmp
- %TEMP%\eIQkoEcg.bat
- <Current directory>\FwsM.exe
- C:\RCXF.tmp
- %TEMP%\PWwAswIA.bat
- %TEMP%\ROUoIMsE.bat
- %TEMP%\vysUgows.bat
- %TEMP%\buIkksoM.bat
- <Current directory>\IIck.ico
- %TEMP%\buYAMQoI.bat
- %TEMP%\ZEQYwcsw.bat
- <Current directory>\CmUw.ico
- <Current directory>\EMIu.exe
- %TEMP%\MsYoMcks.bat
- %TEMP%\WeIYIEgA.bat
- %TEMP%\MaEEskIw.bat
- %TEMP%\WAAUcYUs.bat
- C:\RCX3.tmp
- %TEMP%\AWEQQoQg.bat
- <Current directory>\DAwY.ico
- <Current directory>\QQIq.exe
- %TEMP%\AEIokckM.bat
- <Current directory>\gmMU.ico
- %TEMP%\BkQcMUQQ.bat
- <Current directory>\ckgk.exe
- %TEMP%\lEQQIcIs.bat
- C:\RCX5.tmp
- <Current directory>\WMAI.ico
- <Current directory>\iUAq.exe
- C:\RCX4.tmp
- %TEMP%\kogwYcUY.bat
- <Current directory>\NmIk.ico
- C:\RCX2.tmp
- %TEMP%\PKQYMUos.bat
- %TEMP%\pgYsUUwc.bat
- %TEMP%\FKMAUQcM.bat
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\MUwEAEYA.bat
- %TEMP%\file.vbs
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\JmQo.ico
- <Current directory>\cgwU.exe
- %TEMP%\saIMUYAo.bat
- <Current directory>\gUEo.ico
- <Current directory>\sowG.exe
- C:\RCX1.tmp
- <Current directory>\ZMQW.exe
- %TEMP%\IYwYgoUE.bat
- <Current directory>\gqMI.ico
- <Current directory>\aEEe.exe
- %TEMP%\mCckcAgM.bat
- C:\RCX9.tmp
- %TEMP%\nyMIMIsc.bat
- %TEMP%\EgYoYMsg.bat
- C:\RCXA.tmp
- %TEMP%\gEskcoIs.bat
- %TEMP%\cyQswkgo.bat
- <Current directory>\jCAw.ico
- %TEMP%\HgMMIAQI.bat
- %TEMP%\GocoYcMI.bat
- %TEMP%\IUksYoQE.bat
- %TEMP%\bYgccQEw.bat
- %TEMP%\wEQswAoM.bat
- C:\RCX7.tmp
- %TEMP%\ooEUEMog.bat
- <Current directory>\LSQI.ico
- <Current directory>\zEgo.exe
- C:\RCX6.tmp
- %TEMP%\rQoMcQgE.bat
- <Current directory>\UWAU.ico
- <Current directory>\RYgu.exe
- <Current directory>\FKMw.ico
- <Current directory>\MEkk.exe
- %TEMP%\VQMQAQEg.bat
- %TEMP%\QIggEYIM.bat
- %TEMP%\UYYwYgIk.bat
- C:\RCX8.tmp
- %TEMP%\vIQQMoYc.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\YgQC.exe
- <Current directory>\xWgw.ico
- %TEMP%\kOIkAYIM.bat
- %TEMP%\VMcUkokQ.bat
- %TEMP%\fykwIocY.bat
- <Current directory>\OAEQ.exe
- %TEMP%\ROkQkIIo.bat
- %TEMP%\uggAgsQM.bat
- <Current directory>\mccE.ico
- <Current directory>\jCAw.ico
- %TEMP%\tskEoowE.bat
- %TEMP%\HYskQEEU.bat
- <Current directory>\DAAG.exe
- <Current directory>\VIQK.exe
- %TEMP%\lkskYwEw.bat
- %TEMP%\cwwIIIgI.bat
- %TEMP%\DWosscUg.bat
- %TEMP%\CSYkEgoY.bat
- <Current directory>\EMIu.exe
- %TEMP%\eIQkoEcg.bat
- %TEMP%\mCcIoYkQ.bat
- %TEMP%\LMgocMMw.bat
- %TEMP%\XQAYkYEM.bat
- %TEMP%\MOgEwYYk.bat
- <Current directory>\CmUw.ico
- <Current directory>\IIck.ico
- %TEMP%\ROUoIMsE.bat
- %TEMP%\buYAMQoI.bat
- %TEMP%\jmQMwUMI.bat
- <Current directory>\Zygw.ico
- <Current directory>\FwsM.exe
- %TEMP%\WAAUcYUs.bat
- %TEMP%\MaEEskIw.bat
- %TEMP%\buIkksoM.bat
- <Current directory>\ckgk.exe
- <Current directory>\DAwY.ico
- <Current directory>\gmMU.ico
- %TEMP%\kogwYcUY.bat
- <Current directory>\ZMQW.exe
- <Current directory>\WMAI.ico
- <Current directory>\iUAq.exe
- <Current directory>\NmIk.ico
- <Current directory>\QQIq.exe
- <Current directory>\sowG.exe
- <Current directory>\gUEo.ico
- %TEMP%\MUwEAEYA.bat
- %TEMP%\pgYsUUwc.bat
- <Current directory>\JmQo.ico
- %TEMP%\AEIokckM.bat
- %TEMP%\saIMUYAo.bat
- <Current directory>\cgwU.exe
- %TEMP%\IYwYgoUE.bat
- %TEMP%\GocoYcMI.bat
- <Current directory>\MEkk.exe
- <Current directory>\FKMw.ico
- %TEMP%\cyQswkgo.bat
- <Current directory>\gqMI.ico
- %TEMP%\HgMMIAQI.bat
- <Current directory>\aEEe.exe
- %TEMP%\EgYoYMsg.bat
- <Current directory>\UWAU.ico
- %TEMP%\UYYwYgIk.bat
- %TEMP%\rQoMcQgE.bat
- <Current directory>\zEgo.exe
- <Current directory>\LSQI.ico
- %TEMP%\wEQswAoM.bat
- <Current directory>\RYgu.exe
- %TEMP%\QIggEYIM.bat
- from C:\RCXB.tmp to <Current directory>\DAAG.exe
- from C:\RCXC.tmp to <Current directory>\VIQK.exe
- from C:\RCX9.tmp to <Current directory>\MEkk.exe
- from C:\RCXA.tmp to <Current directory>\aEEe.exe
- from C:\RCXF.tmp to <Current directory>\FwsM.exe
- from C:\RCX10.tmp to <Current directory>\EMIu.exe
- from C:\RCXD.tmp to <Current directory>\YgQC.exe
- from C:\RCXE.tmp to <Current directory>\OAEQ.exe
- from C:\RCX3.tmp to <Current directory>\QQIq.exe
- from C:\RCX4.tmp to <Current directory>\ckgk.exe
- from C:\RCX1.tmp to <Current directory>\sowG.exe
- from C:\RCX2.tmp to <Current directory>\cgwU.exe
- from C:\RCX7.tmp to <Current directory>\zEgo.exe
- from C:\RCX8.tmp to <Current directory>\RYgu.exe
- from C:\RCX5.tmp to <Current directory>\iUAq.exe
- from C:\RCX6.tmp to <Current directory>\ZMQW.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'aeEkEEcE.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'