Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files
- file extensions
- User Account Control (UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jWAYEkAI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bUwkAEYs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NWgEIcwQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NkUAEEME.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AsIoMIEE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YeIUUMYQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pMIAEQMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VqcUwwEQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\nOYcQQYo.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rSMcIsok.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kqsgYUow.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kIswUwEw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zCAwkUEs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PgAYEkYw.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KsEEEwIs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LYsckUAU.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\UsAEEEMc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\deUIsoQc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZCEMUAIA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nUAYIEkY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rMoswAIE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\reEogcAs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\UegoUskc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zQIQUwcU.bat" "<Full path to virus>""
- <SYSTEM32>\reg.exe
- <SYSTEM32>\cscript.exe
- %TEMP%\kGwQQAgI.bat
- %TEMP%\bUwkAEYs.bat
- <Current directory>\hOUw.ico
- %TEMP%\koAoYwcA.bat
- <Current directory>\YIQE.ico
- %TEMP%\higYkUAE.bat
- C:\RCX10.tmp
- <Current directory>\fEEa.exe
- %TEMP%\rSMcIsok.bat
- %TEMP%\pigckIUg.bat
- <Current directory>\HUcO.exe
- <Current directory>\FMgI.ico
- %TEMP%\NWgEIcwQ.bat
- %TEMP%\VqcUwwEQ.bat
- C:\RCX11.tmp
- <Current directory>\cYcI.exe
- %TEMP%\jWAYEkAI.bat
- %TEMP%\dmskUcUw.bat
- %TEMP%\YeIUUMYQ.bat
- <Current directory>\lUQk.exe
- <Current directory>\HmEc.ico
- <Current directory>\fcAQ.exe
- %TEMP%\PekEIkMM.bat
- C:\RCXD.tmp
- %TEMP%\AsIoMIEE.bat
- %TEMP%\NkUAEEME.bat
- <Current directory>\DUAw.exe
- %TEMP%\aEkIwoYw.bat
- C:\RCXF.tmp
- %TEMP%\pMIAEQMU.bat
- C:\RCXE.tmp
- <Current directory>\bagg.ico
- %TEMP%\zSowYQQQ.bat
- %TEMP%\YkoIYMAM.bat
- <Current directory>\OYwG.exe
- %TEMP%\FakskEks.bat
- C:\RCX17.tmp
- %TEMP%\JAgAQYoI.bat
- C:\RCX16.tmp
- <Current directory>\BiAg.ico
- %TEMP%\nOYcQQYo.bat
- C:\RCX19.tmp
- <Current directory>\jogk.exe
- %TEMP%\JGQEwoQk.bat
- %TEMP%\teYEkkIs.bat
- <Current directory>\YUUw.exe
- <Current directory>\kQoc.ico
- <Current directory>\WKwo.ico
- C:\RCX18.tmp
- <Current directory>\DcoU.exe
- %TEMP%\GGMEMMko.bat
- C:\RCX13.tmp
- <Current directory>\ESso.ico
- %TEMP%\kqsgYUow.bat
- C:\RCX12.tmp
- %TEMP%\DYYMwUgE.bat
- <Current directory>\Lcoq.exe
- <Current directory>\BGQI.ico
- <Current directory>\FEwQ.exe
- <Current directory>\XisI.ico
- <Current directory>\xosU.ico
- C:\RCX15.tmp
- %TEMP%\kIswUwEw.bat
- <Current directory>\UYoM.exe
- %TEMP%\WYMcUEEw.bat
- C:\RCX14.tmp
- <Current directory>\KYUw.ico
- C:\RCX2.tmp
- <Current directory>\BkEo.exe
- <Current directory>\nyEg.ico
- %TEMP%\CuUUwsQM.bat
- %TEMP%\reEogcAs.bat
- <Current directory>\RgQE.ico
- %TEMP%\UegoUskc.bat
- %TEMP%\fosYsMMQ.bat
- <Current directory>\XIkY.exe
- <Current directory>\XWco.ico
- %TEMP%\rMoswAIE.bat
- C:\RCX4.tmp
- %TEMP%\zQIQUwcU.bat
- <Current directory>\bwEu.exe
- %TEMP%\ZMsgIEEc.bat
- C:\RCX3.tmp
- %TEMP%\TSskQgUs.bat
- %TEMP%\AOsEYsUE.bat
- %TEMP%\LYsckUAU.bat
- %TEMP%\PgAYEkYw.bat
- <Current directory>\OEYc.ico
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- <Current directory>\<Virus name>
- %TEMP%\xgUUYAEw.bat
- %TEMP%\fWIMIoYo.bat
- %TEMP%\KsEEEwIs.bat
- %TEMP%\UsAEEEMc.bat
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\jEwe.exe
- %TEMP%\file.vbs
- %TEMP%\DwsscMYM.bat
- C:\RCX1.tmp
- C:\RCXA.tmp
- <Current directory>\EYME.exe
- %TEMP%\nUAYIEkY.bat
- %TEMP%\TYEYssEY.bat
- <Current directory>\FMsC.exe
- <Current directory>\qikg.ico
- <Current directory>\XMkA.ico
- C:\RCX9.tmp
- <Current directory>\jcQk.ico
- %TEMP%\pogQgwYY.bat
- C:\RCXC.tmp
- <Current directory>\GQkY.exe
- <Current directory>\kaUI.ico
- %TEMP%\zCAwkUEs.bat
- C:\RCXB.tmp
- <Current directory>\VwQW.exe
- %TEMP%\hgsgEcwc.bat
- <Current directory>\WMsU.ico
- %TEMP%\deUIsoQc.bat
- C:\RCX6.tmp
- <Current directory>\FUES.exe
- <Current directory>\nAkE.ico
- %TEMP%\cKIkQcEA.bat
- C:\RCX5.tmp
- <Current directory>\CwIA.exe
- <Current directory>\TIQw.ico
- %TEMP%\ZCEMUAIA.bat
- C:\RCX8.tmp
- <Current directory>\Gwwg.exe
- <Current directory>\SKIY.ico
- %TEMP%\AcUYcwIk.bat
- C:\RCX7.tmp
- <Current directory>\zMgs.exe
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\fEEa.exe
- %TEMP%\koAoYwcA.bat
- %TEMP%\higYkUAE.bat
- %TEMP%\kGwQQAgI.bat
- <Current directory>\YIQE.ico
- <Current directory>\hOUw.ico
- %TEMP%\DYYMwUgE.bat
- %TEMP%\pigckIUg.bat
- <Current directory>\cYcI.exe
- %TEMP%\dmskUcUw.bat
- %TEMP%\zSowYQQQ.bat
- <Current directory>\fcAQ.exe
- <Current directory>\KYUw.ico
- <Current directory>\lUQk.exe
- <Current directory>\DUAw.exe
- <Current directory>\bagg.ico
- <Current directory>\HmEc.ico
- %TEMP%\aEkIwoYw.bat
- <Current directory>\HUcO.exe
- <Current directory>\xosU.ico
- <Current directory>\OYwG.exe
- %TEMP%\JAgAQYoI.bat
- <Current directory>\DcoU.exe
- <Current directory>\BiAg.ico
- <Current directory>\kQoc.ico
- %TEMP%\nOYcQQYo.bat
- %TEMP%\FakskEks.bat
- <Current directory>\YUUw.exe
- <Current directory>\Lcoq.exe
- <Current directory>\BGQI.ico
- <Current directory>\FMgI.ico
- %TEMP%\GGMEMMko.bat
- <Current directory>\UYoM.exe
- <Current directory>\FEwQ.exe
- <Current directory>\XisI.ico
- <Current directory>\ESso.ico
- %TEMP%\WYMcUEEw.bat
- %TEMP%\PekEIkMM.bat
- <Current directory>\bwEu.exe
- <Current directory>\nyEg.ico
- %TEMP%\CuUUwsQM.bat
- <Current directory>\RgQE.ico
- %TEMP%\ZMsgIEEc.bat
- %TEMP%\cKIkQcEA.bat
- <Current directory>\CwIA.exe
- <Current directory>\XIkY.exe
- <Current directory>\XWco.ico
- %TEMP%\DwsscMYM.bat
- <Current directory>\jEwe.exe
- %TEMP%\xgUUYAEw.bat
- %TEMP%\AOsEYsUE.bat
- <Current directory>\OEYc.ico
- %TEMP%\fosYsMMQ.bat
- <Current directory>\BkEo.exe
- %TEMP%\fWIMIoYo.bat
- %TEMP%\TSskQgUs.bat
- <Current directory>\nAkE.ico
- <Current directory>\EYME.exe
- <Current directory>\XMkA.ico
- <Current directory>\qikg.ico
- %TEMP%\TYEYssEY.bat
- <Current directory>\VwQW.exe
- <Current directory>\GQkY.exe
- <Current directory>\jcQk.ico
- <Current directory>\kaUI.ico
- %TEMP%\pogQgwYY.bat
- %TEMP%\AcUYcwIk.bat
- <Current directory>\zMgs.exe
- <Current directory>\FUES.exe
- <Current directory>\WMsU.ico
- <Current directory>\SKIY.ico
- <Current directory>\TIQw.ico
- <Current directory>\FMsC.exe
- <Current directory>\Gwwg.exe
- %TEMP%\hgsgEcwc.bat
- from C:\RCX10.tmp to <Current directory>\fEEa.exe
- from C:\RCX11.tmp to <Current directory>\cYcI.exe
- from C:\RCX12.tmp to <Current directory>\HUcO.exe
- from C:\RCXD.tmp to <Current directory>\fcAQ.exe
- from C:\RCXE.tmp to <Current directory>\lUQk.exe
- from C:\RCXF.tmp to <Current directory>\DUAw.exe
- from C:\RCX16.tmp to <Current directory>\DcoU.exe
- from C:\RCX17.tmp to <Current directory>\OYwG.exe
- from C:\RCX18.tmp to <Current directory>\YUUw.exe
- from C:\RCX13.tmp to <Current directory>\Lcoq.exe
- from C:\RCX14.tmp to <Current directory>\UYoM.exe
- from C:\RCX15.tmp to <Current directory>\FEwQ.exe
- from C:\RCX4.tmp to <Current directory>\XIkY.exe
- from C:\RCX5.tmp to <Current directory>\CwIA.exe
- from C:\RCX6.tmp to <Current directory>\FUES.exe
- from C:\RCX1.tmp to <Current directory>\jEwe.exe
- from C:\RCX2.tmp to <Current directory>\BkEo.exe
- from C:\RCX3.tmp to <Current directory>\bwEu.exe
- from C:\RCXA.tmp to <Current directory>\EYME.exe
- from C:\RCXB.tmp to <Current directory>\VwQW.exe
- from C:\RCXC.tmp to <Current directory>\GQkY.exe
- from C:\RCX7.tmp to <Current directory>\zMgs.exe
- from C:\RCX8.tmp to <Current directory>\Gwwg.exe
- from C:\RCX9.tmp to <Current directory>\FMsC.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'