Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002' (service start type 2 = automatic start at boot)
- hidden files (Explorer 'Hidden' set to 2 by the reg.exe command listed below, so hidden files are not shown)
- file extensions (Explorer 'HideFileExt' set to 1 by the reg.exe command listed below, so known file extensions are hidden)
- User Account Control (UAC) (Policies\System 'EnableLUA' set to 0 by the reg.exe command listed below, which disables UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TSQoEwEQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\cwYwUcYM.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EKcIQQkQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\emEAAIwI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qsckMYQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\yasYEIcw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jEgQAAgk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YqoQkkUI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\QqAgggcs.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aGsgIAkQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bkIgYEEI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OugQUEIk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nCMQMkoY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pwEMEsQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tCAkQoMI.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aCIIgoYM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gQokkAUE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cKMAgwIo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\SokgIAgU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BqMgsIQA.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cmgAAwAc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RooQgQQc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PwcQUIEc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YWocoUog.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IYYowUMM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\foUUMEgk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qQwMEAwA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VUowAgkM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nAggkgoY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\QAgcckYQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tcwsQcEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YSkIosYk.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- %TEMP%\IYYowUMM.bat
- %TEMP%\cmIEUYEU.bat
- %TEMP%\qQwMEAwA.bat
- %TEMP%\gCwYIwAU.bat
- <Current directory>\VwYY.exe
- %TEMP%\nsIsUQgk.bat
- %TEMP%\PwcQUIEc.bat
- %TEMP%\pSEsgQoQ.bat
- %TEMP%\EKcIQQkQ.bat
- %TEMP%\OwsYcIEM.bat
- %TEMP%\emEAAIwI.bat
- %TEMP%\TwcUokoo.bat
- %TEMP%\foUUMEgk.bat
- %TEMP%\qgggUQQs.bat
- <Current directory>\EkQc.ico
- <Current directory>\tUgG.exe
- C:\RCXC.tmp
- <Current directory>\FWIY.ico
- <Current directory>\BaIQ.ico
- C:\RCXB.tmp
- %TEMP%\YSkIosYk.bat
- %TEMP%\lSkUEoUM.bat
- <Current directory>\Fwco.ico
- %TEMP%\YWocoUog.bat
- <Current directory>\MwIg.exe
- %TEMP%\JugAwAkA.bat
- <Current directory>\VwEu.exe
- C:\RCXD.tmp
- %TEMP%\tcwsQcEU.bat
- %TEMP%\BQUcUIYQ.bat
- %TEMP%\QqAgggcs.bat
- %TEMP%\EKAwsoAU.bat
- %TEMP%\tCAkQoMI.bat
- %TEMP%\toMQQwAY.bat
- %TEMP%\pwEMEsQo.bat
- %TEMP%\UiIcYAEc.bat
- %TEMP%\HeUgUQEE.bat
- %TEMP%\aGsgIAkQ.bat
- %TEMP%\WeIAwwkw.bat
- C:\RCXE.tmp
- %TEMP%\amkUwowU.bat
- %TEMP%\yaogEEws.bat
- %TEMP%\bkIgYEEI.bat
- %TEMP%\OugQUEIk.bat
- %TEMP%\yasYEIcw.bat
- %TEMP%\eccUAMkQ.bat
- %TEMP%\TSQoEwEQ.bat
- %TEMP%\roQEYEMQ.bat
- %TEMP%\qsckMYQo.bat
- %TEMP%\UAMoIQUo.bat
- %TEMP%\jEgQAAgk.bat
- %TEMP%\YqoQkkUI.bat
- %TEMP%\nCMQMkoY.bat
- %TEMP%\SGIkgwYk.bat
- %TEMP%\WoosEoYg.bat
- %TEMP%\fmcUIAIo.bat
- %TEMP%\RmQcEMMw.bat
- %TEMP%\cwYwUcYM.bat
- <Current directory>\SMUY.ico
- <Current directory>\AooS.exe
- C:\RCX2.tmp
- %TEMP%\LeUMMQEA.bat
- %TEMP%\puIgUEoU.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\BqMgsIQA.bat
- C:\RCX3.tmp
- <Current directory>\fwMw.ico
- <Current directory>\gsco.exe
- <Current directory>\IUsc.exe
- %TEMP%\SokgIAgU.bat
- %TEMP%\KYgocgkU.bat
- <Current directory>\ZIsY.ico
- C:\RCX1.tmp
- %TEMP%\cmgAAwAc.bat
- %TEMP%\NmQUoUMo.bat
- %TEMP%\file.vbs
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\TOMYIcEg.bat
- %TEMP%\aCIIgoYM.bat
- <Current directory>\vgAI.exe
- %TEMP%\cKMAgwIo.bat
- %TEMP%\smMIAMMg.bat
- %TEMP%\gQokkAUE.bat
- %TEMP%\vmEkAggk.bat
- <Current directory>\KKEc.ico
- <Current directory>\jaAg.ico
- <Current directory>\ykIs.exe
- C:\RCX9.tmp
- C:\RCX8.tmp
- %TEMP%\xWIsQkIU.bat
- <Current directory>\mscU.ico
- <Current directory>\Rcgc.exe
- C:\RCXA.tmp
- <Current directory>\mkUE.ico
- <Current directory>\UoYA.exe
- <Current directory>\iQwO.exe
- %TEMP%\QAgcckYQ.bat
- <Current directory>\QmkY.ico
- %TEMP%\BuMQAEsk.bat
- C:\RCX7.tmp
- <Current directory>\vsAg.ico
- <Current directory>\SgEU.exe
- C:\RCX5.tmp
- %TEMP%\nAggkgoY.bat
- %TEMP%\KCMUUAEs.bat
- C:\RCX4.tmp
- %TEMP%\RooQgQQc.bat
- %TEMP%\VUowAgkM.bat
- <Current directory>\vsUs.ico
- <Current directory>\oYwy.exe
- C:\RCX6.tmp
- %TEMP%\POQwQwkM.bat
- <Current directory>\YKAQ.ico
- <Current directory>\wMUo.exe
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\gCwYIwAU.bat
- %TEMP%\nsIsUQgk.bat
- <Current directory>\Fwco.ico
- %TEMP%\cmIEUYEU.bat
- %TEMP%\pSEsgQoQ.bat
- %TEMP%\qgggUQQs.bat
- %TEMP%\TwcUokoo.bat
- <Current directory>\FWIY.ico
- %TEMP%\lSkUEoUM.bat
- <Current directory>\mkUE.ico
- <Current directory>\UoYA.exe
- <Current directory>\tUgG.exe
- <Current directory>\VwEu.exe
- %TEMP%\JugAwAkA.bat
- <Current directory>\BaIQ.ico
- %TEMP%\OwsYcIEM.bat
- %TEMP%\BQUcUIYQ.bat
- %TEMP%\UiIcYAEc.bat
- %TEMP%\toMQQwAY.bat
- %TEMP%\EKAwsoAU.bat
- %TEMP%\HeUgUQEE.bat
- %TEMP%\amkUwowU.bat
- %TEMP%\yaogEEws.bat
- %TEMP%\SGIkgwYk.bat
- %TEMP%\eccUAMkQ.bat
- %TEMP%\roQEYEMQ.bat
- %TEMP%\UAMoIQUo.bat
- %TEMP%\fmcUIAIo.bat
- %TEMP%\cwYwUcYM.bat
- %TEMP%\WoosEoYg.bat
- %TEMP%\RmQcEMMw.bat
- %TEMP%\KYgocgkU.bat
- <Current directory>\SMUY.ico
- <Current directory>\AooS.exe
- <Current directory>\IUsc.exe
- <Current directory>\gsco.exe
- %TEMP%\KCMUUAEs.bat
- <Current directory>\ZIsY.ico
- %TEMP%\LeUMMQEA.bat
- %TEMP%\vmEkAggk.bat
- %TEMP%\NmQUoUMo.bat
- %TEMP%\TOMYIcEg.bat
- %TEMP%\smMIAMMg.bat
- <Current directory>\KKEc.ico
- %TEMP%\puIgUEoU.bat
- <Current directory>\vgAI.exe
- <Current directory>\fwMw.ico
- <Current directory>\ykIs.exe
- <Current directory>\mscU.ico
- <Current directory>\Rcgc.exe
- <Current directory>\jaAg.ico
- <Current directory>\QmkY.ico
- <Current directory>\iQwO.exe
- %TEMP%\BuMQAEsk.bat
- %TEMP%\xWIsQkIU.bat
- <Current directory>\vsAg.ico
- <Current directory>\SgEU.exe
- %TEMP%\POQwQwkM.bat
- <Current directory>\wMUo.exe
- <Current directory>\vsUs.ico
- <Current directory>\oYwy.exe
- <Current directory>\YKAQ.ico
- from C:\RCXA.tmp to <Current directory>\iQwO.exe
- from C:\RCX9.tmp to <Current directory>\ykIs.exe
- from C:\RCX8.tmp to <Current directory>\Rcgc.exe
- from C:\RCXD.tmp to <Current directory>\VwEu.exe
- from C:\RCXC.tmp to <Current directory>\tUgG.exe
- from C:\RCXB.tmp to <Current directory>\UoYA.exe
- from C:\RCX7.tmp to <Current directory>\oYwy.exe
- from C:\RCX3.tmp to <Current directory>\IUsc.exe
- from C:\RCX2.tmp to <Current directory>\AooS.exe
- from C:\RCX1.tmp to <Current directory>\vgAI.exe
- from C:\RCX6.tmp to <Current directory>\wMUo.exe
- from C:\RCX5.tmp to <Current directory>\SgEU.exe
- from C:\RCX4.tmp to <Current directory>\gsco.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'