Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- hidden files (Explorer `Hidden` value set to 2 by the reg.exe command listed below)
- file extensions (Explorer `HideFileExt` value set to 1 by the reg.exe command listed below)
- User Account Control (UAC) (`EnableLUA` set to 0 by the reg.exe command listed below)
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qAQMkYMs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=4004
- '<SYSTEM32>\reg.exe' /pid=3456
- '<SYSTEM32>\reg.exe' -Embedding
- '<SYSTEM32>\cscript.exe' /pid=3064
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TysQAUUY.bat" "<Full path to virus>""
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kOosYgwc.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=2760
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe' /pid=1372
- '<SYSTEM32>\reg.exe' /pid=1384
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NIsMowIA.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=1736
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\poUMoooQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zOswAQMQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dYEMQMUc.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=3604
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\SSIgkEQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=3824
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hQocsIYQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=4084
- '<SYSTEM32>\reg.exe' /pid=2516
- '<SYSTEM32>\reg.exe' /pid=4024
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\icMUkgQg.bat" "<Full path to virus>""
- '<SYSTEM32>\taskkill.exe' /FI "USERNAME eq %USERNAME%" /F /IM aeEkEEcE.exe
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IIkYgwIE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xSsEwwMs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pWgkooEk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CEEUksws.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PmUMAwIs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\fMokkMIo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\fEAQAwUs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=2580
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bMMcgEgM.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3896
- '<SYSTEM32>\reg.exe' /pid=2972
- '<SYSTEM32>\cscript.exe'
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CyMoMIEw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pYcgcUgg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MMkkgkoY.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\WMwkgkUc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pKIIEsMw.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- C:\RCX12.tmp
- <Current directory>\isgs.exe
- <Current directory>\ncUq.ico
- %TEMP%\PsIQAsoU.bat
- %TEMP%\bMMcgEgM.bat
- C:\RCX11.tmp
- <Current directory>\kUcU.ico
- %TEMP%\zWoYcAMg.bat
- <Current directory>\PAgg.exe
- <Current directory>\hUMg.ico
- C:\RCX14.tmp
- %TEMP%\MQwQgMgk.bat
- C:\RCX13.tmp
- <Current directory>\pMkS.exe
- %TEMP%\TysQAUUY.bat
- %TEMP%\kOosYgwc.bat
- %TEMP%\XEQQgUoM.bat
- %TEMP%\pKIIEsMw.bat
- <Current directory>\PIUK.exe
- <Current directory>\fUku.ico
- <Current directory>\lQoE.ico
- %TEMP%\HIkgEEYg.bat
- C:\RCXE.tmp
- <Current directory>\KMEu.exe
- C:\RCX10.tmp
- %TEMP%\WMwkgkUc.bat
- <Current directory>\WcQk.exe
- <Current directory>\BUoK.ico
- %TEMP%\kyQcEQYk.bat
- C:\RCXF.tmp
- <Current directory>\KoAm.exe
- <Current directory>\ScAE.ico
- %TEMP%\CoUIEsYQ.bat
- C:\RCX19.tmp
- %TEMP%\reokoMck.bat
- %TEMP%\poUMoooQ.bat
- C:\RCX18.tmp
- <Current directory>\PcIi.exe
- <Current directory>\vUki.exe
- <Current directory>\MYwQ.ico
- %TEMP%\zOswAQMQ.bat
- %TEMP%\FYYMwEAs.bat
- %TEMP%\JKAwkwQc.bat
- %TEMP%\dYEMQMUc.bat
- <Current directory>\EsMo.ico
- %TEMP%\NIsMowIA.bat
- C:\RCX1A.tmp
- <Current directory>\mMYg.exe
- <Current directory>\QMku.exe
- <Current directory>\pYkI.ico
- C:\RCX16.tmp
- %TEMP%\qAQMkYMs.bat
- <Current directory>\soYy.exe
- <Current directory>\IwQo.ico
- %TEMP%\mCwkcQAc.bat
- C:\RCX15.tmp
- %TEMP%\hQocsIYQ.bat
- %TEMP%\SSIgkEQo.bat
- %TEMP%\FGQIMUgU.bat
- <Current directory>\PUUy.ico
- <Current directory>\LYsW.ico
- %TEMP%\BEQgEcso.bat
- C:\RCX17.tmp
- <Current directory>\PIUe.exe
- %TEMP%\CEEUksws.bat
- C:\RCX3.tmp
- <Current directory>\yQEw.exe
- <Current directory>\tscu.ico
- %TEMP%\ISUYwsoE.bat
- %TEMP%\icMUkgQg.bat
- <Current directory>\qokw.exe
- <Current directory>\lIMc.ico
- %TEMP%\pWgkooEk.bat
- C:\RCX5.tmp
- <Current directory>\QkEM.ico
- %TEMP%\VCAcEoYg.bat
- C:\RCX4.tmp
- %TEMP%\aEEEssEw.bat
- <Current directory>\dgQo.exe
- <Current directory>\hsYs.ico
- %TEMP%\PmUMAwIs.bat
- %TEMP%\AAUgIIUI.bat
- %TEMP%\file.vbs
- <Current directory>\VwsY.ico
- %TEMP%\kIkEYwgA.bat
- %TEMP%\fMokkMIo.bat
- <Current directory>\<Virus name>
- %TEMP%\fwYkEEgs.bat
- <Current directory>\kEcQ.ico
- C:\RCX2.tmp
- <Current directory>\xgkw.exe
- %TEMP%\vUQIAscU.bat
- <Current directory>\fMwQ.exe
- %TEMP%\IIkYgwIE.bat
- C:\RCX1.tmp
- <Current directory>\DQgI.exe
- <Current directory>\OokQ.ico
- <Current directory>\uYkq.ico
- C:\RCXB.tmp
- %TEMP%\fEAQAwUs.bat
- %TEMP%\MMkkgkoY.bat
- %TEMP%\MeoAooww.bat
- C:\RCXA.tmp
- C:\RCXD.tmp
- <Current directory>\HoIm.exe
- %TEMP%\CyMoMIEw.bat
- %TEMP%\pYcgcUgg.bat
- C:\RCXC.tmp
- <Current directory>\IkYi.exe
- <Current directory>\iMsg.ico
- %TEMP%\hcYIAQAY.bat
- %TEMP%\xSsEwwMs.bat
- C:\RCX7.tmp
- <Current directory>\JcQm.ico
- %TEMP%\BmsUgwAs.bat
- C:\RCX6.tmp
- <Current directory>\BEkW.exe
- <Current directory>\qkgI.exe
- <Current directory>\AMce.ico
- %TEMP%\ycQwokkE.bat
- C:\RCX9.tmp
- <Current directory>\yUoY.exe
- <Current directory>\yQgk.ico
- C:\RCX8.tmp
- <Current directory>\qcgm.exe
- <Current directory>\bgoo.exe
- <Current directory>\SYkO.ico
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\kUcU.ico
- %TEMP%\WMwkgkUc.bat
- %TEMP%\zWoYcAMg.bat
- <Current directory>\isgs.exe
- %TEMP%\PsIQAsoU.bat
- <Current directory>\PAgg.exe
- <Current directory>\hUMg.ico
- <Current directory>\pMkS.exe
- <Current directory>\ncUq.ico
- <Current directory>\BUoK.ico
- %TEMP%\XEQQgUoM.bat
- <Current directory>\PIUK.exe
- <Current directory>\KMEu.exe
- <Current directory>\lQoE.ico
- <Current directory>\fUku.ico
- <Current directory>\ScAE.ico
- <Current directory>\WcQk.exe
- %TEMP%\kyQcEQYk.bat
- <Current directory>\KoAm.exe
- <Current directory>\vUki.exe
- <Current directory>\MYwQ.ico
- <Current directory>\PUUy.ico
- %TEMP%\FGQIMUgU.bat
- %TEMP%\CoUIEsYQ.bat
- <Current directory>\mMYg.exe
- <Current directory>\EsMo.ico
- %TEMP%\reokoMck.bat
- %TEMP%\FYYMwEAs.bat
- <Current directory>\PcIi.exe
- <Current directory>\IwQo.ico
- %TEMP%\mCwkcQAc.bat
- %TEMP%\MQwQgMgk.bat
- <Current directory>\soYy.exe
- <Current directory>\QMku.exe
- <Current directory>\PIUe.exe
- <Current directory>\LYsW.ico
- <Current directory>\pYkI.ico
- %TEMP%\BEQgEcso.bat
- <Current directory>\yQEw.exe
- <Current directory>\tscu.ico
- <Current directory>\lIMc.ico
- %TEMP%\aEEEssEw.bat
- <Current directory>\dgQo.exe
- <Current directory>\BEkW.exe
- <Current directory>\QkEM.ico
- <Current directory>\hsYs.ico
- %TEMP%\VCAcEoYg.bat
- <Current directory>\qokw.exe
- %TEMP%\vUQIAscU.bat
- <Current directory>\fMwQ.exe
- %TEMP%\kIkEYwgA.bat
- %TEMP%\AAUgIIUI.bat
- <Current directory>\VwsY.ico
- <Current directory>\kEcQ.ico
- %TEMP%\ISUYwsoE.bat
- %TEMP%\fwYkEEgs.bat
- <Current directory>\xgkw.exe
- <Current directory>\OokQ.ico
- <Current directory>\IkYi.exe
- %TEMP%\MeoAooww.bat
- <Current directory>\DQgI.exe
- %TEMP%\hcYIAQAY.bat
- <Current directory>\iMsg.ico
- %TEMP%\HIkgEEYg.bat
- <Current directory>\uYkq.ico
- <Current directory>\HoIm.exe
- <Current directory>\yQgk.ico
- %TEMP%\BmsUgwAs.bat
- <Current directory>\qcgm.exe
- <Current directory>\qkgI.exe
- <Current directory>\AMce.ico
- <Current directory>\JcQm.ico
- <Current directory>\SYkO.ico
- <Current directory>\yUoY.exe
- %TEMP%\ycQwokkE.bat
- <Current directory>\bgoo.exe
- from C:\RCX11.tmp to <Current directory>\WcQk.exe
- from C:\RCX12.tmp to <Current directory>\isgs.exe
- from C:\RCX13.tmp to <Current directory>\pMkS.exe
- from C:\RCXE.tmp to <Current directory>\KMEu.exe
- from C:\RCXF.tmp to <Current directory>\PIUK.exe
- from C:\RCX10.tmp to <Current directory>\KoAm.exe
- from C:\RCX14.tmp to <Current directory>\PAgg.exe
- from C:\RCX18.tmp to <Current directory>\PcIi.exe
- from C:\RCX19.tmp to <Current directory>\vUki.exe
- from C:\RCX1A.tmp to <Current directory>\mMYg.exe
- from C:\RCX15.tmp to <Current directory>\soYy.exe
- from C:\RCX16.tmp to <Current directory>\QMku.exe
- from C:\RCX17.tmp to <Current directory>\PIUe.exe
- from C:\RCX4.tmp to <Current directory>\yQEw.exe
- from C:\RCX5.tmp to <Current directory>\dgQo.exe
- from C:\RCX6.tmp to <Current directory>\BEkW.exe
- from C:\RCX1.tmp to <Current directory>\fMwQ.exe
- from C:\RCX2.tmp to <Current directory>\xgkw.exe
- from C:\RCX3.tmp to <Current directory>\qokw.exe
- from C:\RCX7.tmp to <Current directory>\qkgI.exe
- from C:\RCXB.tmp to <Current directory>\DQgI.exe
- from C:\RCXC.tmp to <Current directory>\IkYi.exe
- from C:\RCXD.tmp to <Current directory>\HoIm.exe
- from C:\RCX8.tmp to <Current directory>\qcgm.exe
- from C:\RCX9.tmp to <Current directory>\bgoo.exe
- from C:\RCXA.tmp to <Current directory>\yUoY.exe
- '19#.#86.45.170':9999
- '20#.#19.204.12':9999
- '20#.#7.164.69':9999
- DNS ASK google.com
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'