Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files (display disabled via the Explorer\Advanced 'Hidden' = 2 value written by reg.exe below)
- file extensions (display disabled via the Explorer\Advanced 'HideFileExt' = 1 value written by reg.exe below)
- User Account Control (UAC) (disabled via the Policies\System 'EnableLUA' = 0 value written by reg.exe below)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nQcYwQsQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nisMEMIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dSAccUwY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CUsoIoYI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\QmoAowkg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\isQUIoko.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\iaoQQoUU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HYcgMIkE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hMosYwUI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bgskwwQY.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cscript.exe'
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\yOQUsoEc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sUYsAgco.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\dasIkMwY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KgQkEMMc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vOccgkcA.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\joogsEIQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FuAEQQEs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\GyMYwEcE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\Dekcogsc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\uaokQcgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AsIQEkgs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\siIcEYkk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\DwEgwoIg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\lUAYgYQE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gcsksIUI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cIIcggYg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IeEMYcwg.bat" "<Full path to virus>""
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\reg.exe
- C:\RCXE.tmp
- %TEMP%\NUoMgoMY.bat
- <Current directory>\BOcs.ico
- <Current directory>\mIgO.exe
- C:\RCXD.tmp
- %TEMP%\HYcgMIkE.bat
- <Current directory>\lwcA.ico
- <Current directory>\hYoW.exe
- %TEMP%\iaoQQoUU.bat
- %TEMP%\cuUMEIAQ.bat
- %TEMP%\dQYwAwsU.bat
- C:\RCX10.tmp
- C:\RCXF.tmp
- <Current directory>\tyUw.ico
- <Current directory>\cEcs.exe
- %TEMP%\IEMQUggU.bat
- %TEMP%\QmoAowkg.bat
- <Current directory>\gAso.ico
- C:\RCXA.tmp
- %TEMP%\isQUIoko.bat
- <Current directory>\zmMs.ico
- <Current directory>\ugUW.exe
- <Current directory>\usAu.exe
- C:\RCXC.tmp
- <Current directory>\fckY.ico
- <Current directory>\Qcwa.exe
- <Current directory>\TcsS.exe
- C:\RCXB.tmp
- %TEMP%\iyYkIwkQ.bat
- <Current directory>\aUMI.ico
- %TEMP%\nisMEMIU.bat
- %TEMP%\TKgskUMk.bat
- %TEMP%\sUYsAgco.bat
- %TEMP%\DGkUkQAg.bat
- %TEMP%\gqgQIQgc.bat
- %TEMP%\dasIkMwY.bat
- <Current directory>\HAIc.exe
- C:\RCX13.tmp
- %TEMP%\hMosYwUI.bat
- C:\RCX14.tmp
- %TEMP%\biEIooQw.bat
- %TEMP%\DGEsskwo.bat
- %TEMP%\bgskwwQY.bat
- <Current directory>\CysU.ico
- %TEMP%\YGEMAcEs.bat
- <Current directory>\lUUa.exe
- C:\RCX11.tmp
- %TEMP%\CUsoIoYI.bat
- %TEMP%\XOIEIMEM.bat
- %TEMP%\OAEsQAgE.bat
- %TEMP%\nQcYwQsQ.bat
- <Current directory>\bQEE.ico
- <Current directory>\KcIs.exe
- <Current directory>\BeEA.ico
- %TEMP%\yOQUsoEc.bat
- %TEMP%\bggUoIwc.bat
- <Current directory>\IcYw.ico
- %TEMP%\EEIEAkQI.bat
- <Current directory>\aYMu.exe
- C:\RCX12.tmp
- %TEMP%\dSAccUwY.bat
- <Current directory>\wCAQ.ico
- <Current directory>\IIQi.exe
- C:\RCX2.tmp
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\YSEQogIg.bat
- %TEMP%\Dekcogsc.bat
- %TEMP%\cSAEsowc.bat
- %TEMP%\gcsksIUI.bat
- <Current directory>\bIIM.exe
- C:\RCX3.tmp
- %TEMP%\IeEMYcwg.bat
- <Current directory>\HaQw.ico
- %TEMP%\UoAwowII.bat
- %TEMP%\lUAYgYQE.bat
- %TEMP%\dEwUEIMY.bat
- %TEMP%\GyMYwEcE.bat
- %TEMP%\file.vbs
- %TEMP%\GEAgokEY.bat
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\YUwsEEow.bat
- %TEMP%\vOccgkcA.bat
- <Current directory>\sQww.exe
- C:\RCX1.tmp
- %TEMP%\joogsEIQ.bat
- %TEMP%\tmcMEYwY.bat
- %TEMP%\JmgEswws.bat
- %TEMP%\FuAEQQEs.bat
- <Current directory>\wMos.ico
- %TEMP%\TgUkEkkI.bat
- C:\RCX7.tmp
- %TEMP%\DwEgwoIg.bat
- <Current directory>\YEYs.ico
- %TEMP%\siIcEYkk.bat
- %TEMP%\VKAkcQgk.bat
- <Current directory>\tuUM.ico
- <Current directory>\BEAu.exe
- <Current directory>\Egsy.exe
- C:\RCX9.tmp
- %TEMP%\yKUQgAAE.bat
- %TEMP%\KgQkEMMc.bat
- <Current directory>\aIgu.exe
- C:\RCX8.tmp
- %TEMP%\SWIcowcg.bat
- <Current directory>\Gekk.ico
- <Current directory>\sgYG.exe
- %TEMP%\owwYwgcI.bat
- C:\RCX4.tmp
- <Current directory>\SAEA.ico
- %TEMP%\cIIcggYg.bat
- %TEMP%\SKUsIkIs.bat
- %TEMP%\AsIQEkgs.bat
- %TEMP%\uaokQcgA.bat
- <Current directory>\fKsU.ico
- <Current directory>\tkMg.exe
- C:\RCX6.tmp
- %TEMP%\UWMkYMwg.bat
- <Current directory>\Wioc.ico
- <Current directory>\rAEG.exe
- C:\RCX5.tmp
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\hYoW.exe
- <Current directory>\BOcs.ico
- <Current directory>\lwcA.ico
- %TEMP%\NUoMgoMY.bat
- %TEMP%\dQYwAwsU.bat
- <Current directory>\tyUw.ico
- %TEMP%\cuUMEIAQ.bat
- <Current directory>\cEcs.exe
- <Current directory>\mIgO.exe
- <Current directory>\gAso.ico
- %TEMP%\iyYkIwkQ.bat
- <Current directory>\zmMs.ico
- <Current directory>\usAu.exe
- <Current directory>\Qcwa.exe
- <Current directory>\fckY.ico
- <Current directory>\TcsS.exe
- <Current directory>\aUMI.ico
- %TEMP%\dasIkMwY.bat
- <Current directory>\HAIc.exe
- %TEMP%\gqgQIQgc.bat
- %TEMP%\TKgskUMk.bat
- %TEMP%\YGEMAcEs.bat
- %TEMP%\DGEsskwo.bat
- %TEMP%\DGkUkQAg.bat
- <Current directory>\IcYw.ico
- %TEMP%\yOQUsoEc.bat
- <Current directory>\bQEE.ico
- %TEMP%\XOIEIMEM.bat
- %TEMP%\OAEsQAgE.bat
- <Current directory>\KcIs.exe
- %TEMP%\bggUoIwc.bat
- <Current directory>\BeEA.ico
- %TEMP%\EEIEAkQI.bat
- <Current directory>\aYMu.exe
- <Current directory>\ugUW.exe
- %TEMP%\dEwUEIMY.bat
- %TEMP%\TgUkEkkI.bat
- <Current directory>\IIQi.exe
- <Current directory>\wCAQ.ico
- <Current directory>\HaQw.ico
- %TEMP%\owwYwgcI.bat
- %TEMP%\SKUsIkIs.bat
- <Current directory>\bIIM.exe
- %TEMP%\UoAwowII.bat
- %TEMP%\JmgEswws.bat
- %TEMP%\tmcMEYwY.bat
- %TEMP%\YUwsEEow.bat
- %TEMP%\GEAgokEY.bat
- <Current directory>\wMos.ico
- %TEMP%\cSAEsowc.bat
- %TEMP%\YSEQogIg.bat
- <Current directory>\sQww.exe
- <Current directory>\Egsy.exe
- <Current directory>\YEYs.ico
- <Current directory>\tuUM.ico
- %TEMP%\SWIcowcg.bat
- <Current directory>\Gekk.ico
- %TEMP%\IEMQUggU.bat
- %TEMP%\yKUQgAAE.bat
- <Current directory>\aIgu.exe
- <Current directory>\BEAu.exe
- <Current directory>\rAEG.exe
- <Current directory>\Wioc.ico
- <Current directory>\sgYG.exe
- <Current directory>\SAEA.ico
- <Current directory>\tkMg.exe
- <Current directory>\fKsU.ico
- %TEMP%\UWMkYMwg.bat
- %TEMP%\VKAkcQgk.bat
- from C:\RCXD.tmp to <Current directory>\Qcwa.exe
- from C:\RCXE.tmp to <Current directory>\mIgO.exe
- from C:\RCXB.tmp to <Current directory>\usAu.exe
- from C:\RCXC.tmp to <Current directory>\TcsS.exe
- from C:\RCXF.tmp to <Current directory>\hYoW.exe
- from C:\RCX12.tmp to <Current directory>\aYMu.exe
- from C:\RCX13.tmp to <Current directory>\HAIc.exe
- from C:\RCX10.tmp to <Current directory>\cEcs.exe
- from C:\RCX11.tmp to <Current directory>\KcIs.exe
- from C:\RCXA.tmp to <Current directory>\ugUW.exe
- from C:\RCX3.tmp to <Current directory>\bIIM.exe
- from C:\RCX4.tmp to <Current directory>\sgYG.exe
- from C:\RCX1.tmp to <Current directory>\sQww.exe
- from C:\RCX2.tmp to <Current directory>\IIQi.exe
- from C:\RCX5.tmp to <Current directory>\rAEG.exe
- from C:\RCX8.tmp to <Current directory>\Egsy.exe
- from C:\RCX9.tmp to <Current directory>\aIgu.exe
- from C:\RCX6.tmp to <Current directory>\tkMg.exe
- from C:\RCX7.tmp to <Current directory>\BEAu.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'aeEkEEcE.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'