Technical Information (sandbox behaviour report; `<Full path to virus>`, `<Current directory>` and `<Virus name>` are report placeholders for the sample's own location and name, and `#` characters in the IP addresses below are redacted digits, not literal values)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- hidden files (sets HKCU\...\Explorer\Advanced\Hidden = 2, i.e. "do not show hidden files"; see the reg.exe command below)
- file extensions (sets HKCU\...\Explorer\Advanced\HideFileExt = 1, hiding known extensions so dropped .exe files can pass for other file types)
- User Account Control (UAC) (sets HKLM\...\Policies\System\EnableLUA = 0, which disables UAC; the change takes effect after the next restart)
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qcEYgAoQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\JcccAoIs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vsQwAAcE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=2700
- '<SYSTEM32>\reg.exe' /pid=3888
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\RAYYQwcI.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=2540
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jiYkEoME.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cscript.exe' /pid=3088
- '<SYSTEM32>\reg.exe' /pid=3908
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hykgYcAg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\wOIYwQoU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NEoYYUkM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mEQsMAoM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CmEwccks.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\fmgccAsk.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=3876
- '<SYSTEM32>\cscript.exe' /R /T
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pmUgswok.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rqIIkIYU.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3788
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\DQgAQQkU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FOUAoEIM.bat" "<Full path to virus>""
- '<SYSTEM32>\taskkill.exe' /FI "USERNAME eq %USERNAME%" /F /IM aeEkEEcE.exe (forcibly terminates the running copy of the HKLM Run-key payload named above, filtered to the current user's processes)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NcgYgwQw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\deEwQwAQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\SysQIUUU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\oUMIMsgg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YsAIEUAA.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3896
- '<SYSTEM32>\reg.exe' /pid=1376
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\reg.exe' /pid=4080
- '<SYSTEM32>\reg.exe' /pid=2800
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\JQcEEkMs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xcUMMEwI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ccwUkcMk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qAAgggog.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\uikYYMYE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LwswsEMk.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- C:\RCXD.tmp
- %TEMP%\oAYoAsYM.bat
- <Current directory>\AcgK.ico
- <Current directory>\ksIa.exe
- <Current directory>\nwwI.exe
- C:\RCXC.tmp
- <Current directory>\MUIk.ico
- <Current directory>\pgYs.exe
- C:\RCXF.tmp
- %TEMP%\rqIIkIYU.bat
- %TEMP%\nIQMgggU.bat
- <Current directory>\DswS.exe
- %TEMP%\pmUgswok.bat
- C:\RCXE.tmp
- <Current directory>\NgcM.ico
- %TEMP%\vsQwAAcE.bat
- <Current directory>\RYko.ico
- %TEMP%\AygQsIYU.bat
- C:\RCX9.tmp
- %TEMP%\xIwcYgIY.bat
- <Current directory>\sggm.ico
- <Current directory>\Jwsk.exe
- <Current directory>\NIkM.exe
- %TEMP%\hykgYcAg.bat
- %TEMP%\CEkwocQI.bat
- <Current directory>\rYku.ico
- C:\RCXB.tmp
- C:\RCXA.tmp
- <Current directory>\SsIq.ico
- <Current directory>\kooW.exe
- <Current directory>\nUwS.ico
- C:\RCX14.tmp
- %TEMP%\uOAQockg.bat
- %TEMP%\fmgccAsk.bat
- <Current directory>\yMYy.exe
- %TEMP%\mEQsMAoM.bat
- %TEMP%\IUAIkwkM.bat
- <Current directory>\moMG.ico
- <Current directory>\rgEU.ico
- <Current directory>\WscK.ico
- <Current directory>\hkUs.exe
- C:\RCX16.tmp
- %TEMP%\AYkIYwwM.bat
- <Current directory>\sIIM.exe
- C:\RCX15.tmp
- %TEMP%\CmEwccks.bat
- C:\RCX11.tmp
- %TEMP%\baYoMcMA.bat
- %TEMP%\NEoYYUkM.bat
- <Current directory>\AkkQ.exe
- <Current directory>\hIEg.exe
- C:\RCX10.tmp
- <Current directory>\gcoO.ico
- <Current directory>\XIAI.ico
- <Current directory>\AkgO.exe
- C:\RCX13.tmp
- %TEMP%\wOIYwQoU.bat
- <Current directory>\WgsU.ico
- <Current directory>\lwAs.exe
- C:\RCX12.tmp
- %TEMP%\WMEsEkwM.bat
- %TEMP%\oMwUccMg.bat
- %TEMP%\xcUMMEwI.bat
- %TEMP%\UGQYcYso.bat
- %TEMP%\YsAIEUAA.bat
- %TEMP%\gCkosYQo.bat
- %TEMP%\hwwAgogI.bat
- %TEMP%\ccwUkcMk.bat
- %TEMP%\qAAgggog.bat
- %TEMP%\CMIssosc.bat
- %TEMP%\LwswsEMk.bat
- <Current directory>\DUQc.ico
- C:\RCX1.tmp
- %TEMP%\HIgcAUgg.bat
- <Current directory>\vIoa.ico
- <Current directory>\nwUy.exe
- %TEMP%\yKQIAIMo.bat
- %TEMP%\file.vbs
- %TEMP%\SysQIUUU.bat
- %TEMP%\oUMIMsgg.bat
- %TEMP%\SKsUssQY.bat
- <Current directory>\<Virus name>
- %TEMP%\VucgoMwk.bat
- %TEMP%\deEwQwAQ.bat
- %TEMP%\AKcAAYAI.bat
- %TEMP%\NcgYgwQw.bat
- %TEMP%\riUMQgMI.bat
- %TEMP%\FOUAoEIM.bat
- %TEMP%\ymgkIIMA.bat
- %TEMP%\DQgAQQkU.bat
- <Current directory>\YIsk.exe
- C:\RCX6.tmp
- <Current directory>\rwku.ico
- %TEMP%\JcccAoIs.bat
- %TEMP%\oeQwQoUU.bat
- C:\RCX5.tmp
- <Current directory>\XkgS.ico
- <Current directory>\GoEe.exe
- <Current directory>\csQI.exe
- <Current directory>\ukUS.exe
- C:\RCX8.tmp
- %TEMP%\qcEYgAoQ.bat
- <Current directory>\VMEU.ico
- %TEMP%\RAYYQwcI.bat
- C:\RCX7.tmp
- %TEMP%\qgUgwIQM.bat
- <Current directory>\BUoo.exe
- C:\RCX3.tmp
- %TEMP%\iocUAEUM.bat
- <Current directory>\LUwc.ico
- C:\RCX2.tmp
- %TEMP%\WGYMUUos.bat
- %TEMP%\uikYYMYE.bat
- %TEMP%\JQcEEkMs.bat
- %TEMP%\dioIssYw.bat
- <Current directory>\qIcY.ico
- <Current directory>\HcMA.exe
- C:\RCX4.tmp
- <Current directory>\xYMo.ico
- <Current directory>\ykcI.exe
- %TEMP%\jiYkEoME.bat
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\RAYYQwcI.bat
- %TEMP%\oAYoAsYM.bat
- <Current directory>\ksIa.exe
- <Current directory>\MUIk.ico
- <Current directory>\DswS.exe
- <Current directory>\NgcM.ico
- <Current directory>\pgYs.exe
- <Current directory>\AcgK.ico
- <Current directory>\rYku.ico
- <Current directory>\NIkM.exe
- <Current directory>\RYko.ico
- <Current directory>\sggm.ico
- %TEMP%\AygQsIYU.bat
- %TEMP%\CEkwocQI.bat
- <Current directory>\nwwI.exe
- <Current directory>\kooW.exe
- <Current directory>\SsIq.ico
- %TEMP%\IUAIkwkM.bat
- <Current directory>\yMYy.exe
- <Current directory>\AkgO.exe
- <Current directory>\WgsU.ico
- <Current directory>\sIIM.exe
- <Current directory>\rgEU.ico
- <Current directory>\moMG.ico
- %TEMP%\uOAQockg.bat
- %TEMP%\WMEsEkwM.bat
- <Current directory>\nUwS.ico
- <Current directory>\AkkQ.exe
- %TEMP%\nIQMgggU.bat
- <Current directory>\hIEg.exe
- <Current directory>\lwAs.exe
- <Current directory>\XIAI.ico
- <Current directory>\gcoO.ico
- %TEMP%\baYoMcMA.bat
- <Current directory>\Jwsk.exe
- <Current directory>\nwUy.exe
- <Current directory>\vIoa.ico
- %TEMP%\UGQYcYso.bat
- %TEMP%\HIgcAUgg.bat
- <Current directory>\DUQc.ico
- %TEMP%\WGYMUUos.bat
- %TEMP%\CMIssosc.bat
- <Current directory>\YIsk.exe
- %TEMP%\oMwUccMg.bat
- %TEMP%\VucgoMwk.bat
- %TEMP%\ymgkIIMA.bat
- %TEMP%\SKsUssQY.bat
- %TEMP%\yKQIAIMo.bat
- %TEMP%\gCkosYQo.bat
- %TEMP%\hwwAgogI.bat
- %TEMP%\riUMQgMI.bat
- %TEMP%\AKcAAYAI.bat
- <Current directory>\csQI.exe
- <Current directory>\rwku.ico
- <Current directory>\GoEe.exe
- <Current directory>\XkgS.ico
- <Current directory>\VMEU.ico
- %TEMP%\xIwcYgIY.bat
- %TEMP%\qgUgwIQM.bat
- <Current directory>\ukUS.exe
- %TEMP%\oeQwQoUU.bat
- <Current directory>\LUwc.ico
- <Current directory>\ykcI.exe
- <Current directory>\BUoo.exe
- %TEMP%\iocUAEUM.bat
- <Current directory>\HcMA.exe
- <Current directory>\qIcY.ico
- <Current directory>\xYMo.ico
- %TEMP%\dioIssYw.bat
- from C:\RCXF.tmp to <Current directory>\DswS.exe
- from C:\RCX10.tmp to <Current directory>\hIEg.exe
- from C:\RCXE.tmp to <Current directory>\pgYs.exe
- from C:\RCXC.tmp to <Current directory>\nwwI.exe
- from C:\RCXD.tmp to <Current directory>\ksIa.exe
- from C:\RCX14.tmp to <Current directory>\yMYy.exe
- from C:\RCX15.tmp to <Current directory>\sIIM.exe
- from C:\RCX13.tmp to <Current directory>\AkgO.exe
- from C:\RCX11.tmp to <Current directory>\AkkQ.exe
- from C:\RCX12.tmp to <Current directory>\lwAs.exe
- from C:\RCXB.tmp to <Current directory>\kooW.exe
- from C:\RCX4.tmp to <Current directory>\ykcI.exe
- from C:\RCX5.tmp to <Current directory>\HcMA.exe
- from C:\RCX3.tmp to <Current directory>\BUoo.exe
- from C:\RCX1.tmp to <Current directory>\nwUy.exe
- from C:\RCX2.tmp to <Current directory>\YIsk.exe
- from C:\RCX9.tmp to <Current directory>\Jwsk.exe
- from C:\RCXA.tmp to <Current directory>\NIkM.exe
- from C:\RCX8.tmp to <Current directory>\ukUS.exe
- from C:\RCX6.tmp to <Current directory>\GoEe.exe
- from C:\RCX7.tmp to <Current directory>\csQI.exe
- '19#.#86.45.170':9999 (address partially masked in the report; note that three of the four contacted hosts use the same non-standard port 9999)
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'