Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AcIcUcAM.exe' = '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jaQEcQMQ.exe' = '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files
- file extensions
- User Account Control (UAC)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe'
- '%HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe'
- '<SYSTEM32>\reg.exe' /pid=3556
- '<SYSTEM32>\reg.exe' /pid=3984
- '<SYSTEM32>\cscript.exe' /pid=3848
- '<SYSTEM32>\cscript.exe' /c ""%TEMP%\HkMsowUc.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=132
- '<SYSTEM32>\cscript.exe' /pid=2512
- '<SYSTEM32>\reg.exe' /pid=3672
- '<SYSTEM32>\cscript.exe' /pid=3832
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\GQwMkwsQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3660
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\AEIAgMkY.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=296
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\BSkgMgUo.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\NAcQYwIg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bCcUMkEA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\wswYQQMs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NMUAYcgc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EwMsIgYo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\laUQocMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\oGoEIIos.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KUUUkwkY.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=2836
- '<SYSTEM32>\reg.exe' /pid=1660
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HAYcIAoY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sawssYAM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AQQAosUE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\JGMcgIYU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zMwgIQss.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TMIIwsEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\guwgkAAk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\JMwEUAEM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CiIgAAMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mUMQQwEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LIoMwcYg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OYEMUEMo.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VYscIAwA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\akUUckks.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cKUYAEog.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LeYswkMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MwYUUcUE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aigAAwMw.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3224
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cscript.exe' /pid=3608
- '<SYSTEM32>\cscript.exe' /pid=2792
- '<SYSTEM32>\cscript.exe' /pid=3000
- '<SYSTEM32>\reg.exe' /pid=2440
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qIoYIMIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\SsUsYUwg.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cscript.exe' /pid=2600
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pkUgAgko.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=1684
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- <Current directory>\UIwy.exe
- C:\RCX11.tmp
- %TEMP%\pkUgAgko.bat
- <Current directory>\eAQE.ico
- C:\RCX10.tmp
- %TEMP%\qIoYIMIU.bat
- %TEMP%\ccsUosco.bat
- %TEMP%\BQMkMYUY.bat
- %TEMP%\CMYEgYUY.bat
- %TEMP%\GQwMkwsQ.bat
- %TEMP%\AEIAgMkY.bat
- %TEMP%\EaEIMAAU.bat
- %TEMP%\NsYoccYs.bat
- %TEMP%\aigAAwMw.bat
- %TEMP%\MwYUUcUE.bat
- <Current directory>\nEUs.exe
- <Current directory>\qqwI.ico
- <Current directory>\rEcy.exe
- C:\RCXE.tmp
- %TEMP%\BMgMsMcE.bat
- <Current directory>\qwEi.exe
- %TEMP%\mUMQQwEU.bat
- C:\RCXD.tmp
- %TEMP%\LeYswkMU.bat
- %TEMP%\DyssAUwc.bat
- <Current directory>\SOwk.ico
- %TEMP%\SsUsYUwg.bat
- C:\RCXF.tmp
- %TEMP%\puAsUoUQ.bat
- <Current directory>\IUIs.ico
- <Current directory>\CYYG.exe
- %TEMP%\wikIAoIk.bat
- %TEMP%\bCcUMkEA.bat
- %TEMP%\sAsgcwcU.bat
- %TEMP%\wswYQQMs.bat
- %TEMP%\BQsMcQcU.bat
- %TEMP%\NMUAYcgc.bat
- %TEMP%\PsAYEAkc.bat
- %TEMP%\EwMsIgYo.bat
- %TEMP%\wUEggkYE.bat
- %TEMP%\laUQocMU.bat
- %TEMP%\hoYckkwQ.bat
- %TEMP%\oGoEIIos.bat
- %TEMP%\bYIwwUUg.bat
- %TEMP%\KUUUkwkY.bat
- %TEMP%\HmgEooUA.bat
- %TEMP%\AQQAosUE.bat
- %TEMP%\twowkwoo.bat
- %TEMP%\NAcQYwIg.bat
- %TEMP%\PMYIEwko.bat
- %TEMP%\HkMsowUc.bat
- %TEMP%\ZSgEYowM.bat
- %TEMP%\BSkgMgUo.bat
- %TEMP%\buMsIUoc.bat
- %TEMP%\HAYcIAoY.bat
- %TEMP%\iqIcIIMc.bat
- %TEMP%\JGMcgIYU.bat
- %TEMP%\VukcsAYc.bat
- %TEMP%\zMwgIQss.bat
- %TEMP%\ZCcIMYMA.bat
- %TEMP%\sawssYAM.bat
- %TEMP%\EkUscEgA.bat
- <Current directory>\hgYq.exe
- C:\RCX4.tmp
- %TEMP%\RUUAUEow.bat
- <Current directory>\dgsY.ico
- <Current directory>\SyEg.ico
- <Current directory>\YUwG.exe
- C:\RCX3.tmp
- <Current directory>\rIkQ.ico
- <Current directory>\OYIY.ico
- <Current directory>\xQok.exe
- C:\RCX6.tmp
- %TEMP%\NMgoYkIw.bat
- <Current directory>\YIAG.exe
- C:\RCX5.tmp
- %TEMP%\akUUckks.bat
- %TEMP%\cKUYAEog.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\syQsUEgo.bat
- %TEMP%\VYscIAwA.bat
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\XeAgAEEs.bat
- <Current directory>\XsEA.ico
- %TEMP%\bwcMIMoo.bat
- <Current directory>\JMMy.exe
- C:\RCX2.tmp
- <Current directory>\UmUY.ico
- <Current directory>\bYEm.exe
- %TEMP%\file.vbs
- C:\RCX1.tmp
- <Current directory>\BcIU.ico
- <Current directory>\jcUk.exe
- C:\RCXB.tmp
- %TEMP%\TKsYwAUs.bat
- <Current directory>\xAIk.exe
- C:\RCXA.tmp
- %TEMP%\CiIgAAMU.bat
- <Current directory>\ryQs.ico
- %TEMP%\LIoMwcYg.bat
- %TEMP%\sIoEEcQA.bat
- <Current directory>\GosM.ico
- C:\RCXC.tmp
- %TEMP%\XaAkMUMU.bat
- <Current directory>\IQUO.exe
- %TEMP%\OYEMUEMo.bat
- <Current directory>\uesI.ico
- %TEMP%\mcYUgAUE.bat
- <Current directory>\cMMA.ico
- <Current directory>\dYkI.exe
- C:\RCX7.tmp
- <Current directory>\OaQw.ico
- %TEMP%\JMwEUAEM.bat
- <Current directory>\GQIw.exe
- C:\RCX8.tmp
- <Current directory>\cAcY.exe
- C:\RCX9.tmp
- %TEMP%\CcggAkcY.bat
- <Current directory>\gGoE.ico
- %TEMP%\GYwwIUAw.bat
- %TEMP%\TMIIwsEU.bat
- %TEMP%\guwgkAAk.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\vesswIQA\AcIcUcAM.exe
- %HOMEPATH%\NIMMEwsg\jaQEcQMQ.exe
- %TEMP%\BQMkMYUY.bat
- %TEMP%\NsYoccYs.bat
- <Current directory>\SOwk.ico
- %TEMP%\ccsUosco.bat
- %TEMP%\EaEIMAAU.bat
- %TEMP%\AEIAgMkY.bat
- %TEMP%\buMsIUoc.bat
- %TEMP%\CMYEgYUY.bat
- %TEMP%\ZSgEYowM.bat
- <Current directory>\rEcy.exe
- <Current directory>\qqwI.ico
- <Current directory>\qwEi.exe
- <Current directory>\GosM.ico
- %TEMP%\puAsUoUQ.bat
- %TEMP%\DyssAUwc.bat
- <Current directory>\nEUs.exe
- <Current directory>\CYYG.exe
- <Current directory>\IUIs.ico
- %TEMP%\PsAYEAkc.bat
- %TEMP%\wikIAoIk.bat
- %TEMP%\VukcsAYc.bat
- %TEMP%\BQsMcQcU.bat
- %TEMP%\sAsgcwcU.bat
- %TEMP%\wUEggkYE.bat
- %TEMP%\hoYckkwQ.bat
- %TEMP%\bYIwwUUg.bat
- %TEMP%\HmgEooUA.bat
- %TEMP%\twowkwoo.bat
- %TEMP%\HkMsowUc.bat
- %TEMP%\GQwMkwsQ.bat
- %TEMP%\BSkgMgUo.bat
- %TEMP%\PMYIEwko.bat
- %TEMP%\EkUscEgA.bat
- %TEMP%\iqIcIIMc.bat
- %TEMP%\ZCcIMYMA.bat
- %TEMP%\NAcQYwIg.bat
- <Current directory>\dgsY.ico
- <Current directory>\YIAG.exe
- %TEMP%\RUUAUEow.bat
- <Current directory>\hgYq.exe
- <Current directory>\rIkQ.ico
- <Current directory>\OYIY.ico
- <Current directory>\GQIw.exe
- %TEMP%\NMgoYkIw.bat
- <Current directory>\xQok.exe
- <Current directory>\bYEm.exe
- <Current directory>\XsEA.ico
- %TEMP%\XeAgAEEs.bat
- %TEMP%\syQsUEgo.bat
- %TEMP%\bwcMIMoo.bat
- <Current directory>\YUwG.exe
- <Current directory>\SyEg.ico
- <Current directory>\JMMy.exe
- <Current directory>\UmUY.ico
- <Current directory>\jcUk.exe
- <Current directory>\BcIU.ico
- <Current directory>\uesI.ico
- %TEMP%\TKsYwAUs.bat
- %TEMP%\XaAkMUMU.bat
- %TEMP%\sIoEEcQA.bat
- %TEMP%\BMgMsMcE.bat
- <Current directory>\IQUO.exe
- <Current directory>\ryQs.ico
- %TEMP%\GYwwIUAw.bat
- <Current directory>\dYkI.exe
- <Current directory>\OaQw.ico
- %TEMP%\mcYUgAUE.bat
- <Current directory>\cMMA.ico
- %TEMP%\CcggAkcY.bat
- <Current directory>\xAIk.exe
- <Current directory>\cAcY.exe
- <Current directory>\gGoE.ico
- from C:\RCXB.tmp to <Current directory>\jcUk.exe
- from C:\RCXC.tmp to <Current directory>\IQUO.exe
- from C:\RCX9.tmp to <Current directory>\cAcY.exe
- from C:\RCXA.tmp to <Current directory>\xAIk.exe
- from C:\RCXF.tmp to <Current directory>\CYYG.exe
- from C:\RCX10.tmp to <Current directory>\nEUs.exe
- from C:\RCXD.tmp to <Current directory>\qwEi.exe
- from C:\RCXE.tmp to <Current directory>\rEcy.exe
- from C:\RCX3.tmp to <Current directory>\YUwG.exe
- from C:\RCX4.tmp to <Current directory>\hgYq.exe
- from C:\RCX1.tmp to <Current directory>\bYEm.exe
- from C:\RCX2.tmp to <Current directory>\JMMy.exe
- from C:\RCX7.tmp to <Current directory>\GQIw.exe
- from C:\RCX8.tmp to <Current directory>\dYkI.exe
- from C:\RCX5.tmp to <Current directory>\YIAG.exe
- from C:\RCX6.tmp to <Current directory>\xQok.exe
- '74.##5.232.51':80
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: 'jaQEcQMQ.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'AcIcUcAM.exe'