Technical Information (automated sandbox behaviour report; the section headings are missing from this copy, so each list below must be identified by its content: registry autostart entries, Explorer/UAC settings changed, command lines executed, files created, files moved/renamed, network contacts, and window class/name lookups. Paths are normalised by the report tool — `<SYSTEM32>`, `<Current directory>`, `<Virus name>` and `<Full path to virus>` are placeholders, not literal strings.)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe' — machine-wide autostart (runs for every user at logon); writing under HKLM requires administrative rights
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe' — per-user autostart for the infected account; writable without elevation
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002' — a service entry with Start = 2 (SERVICE_AUTO_START), i.e. started by the Service Control Manager at boot; ControlSet001 is normally the set behind CurrentControlSet, so this is a third, boot-time persistence mechanism independent of user logon
- hidden files (Explorer is told not to display hidden files — see the reg.exe command setting `Explorer\Advanced\Hidden` to 2 below)
- file extensions (Explorer is told to hide known file extensions — `Explorer\Advanced\HideFileExt` set to 1 below — so a dropped `.exe` can pass for another file type)
- User Account Control (UAC) (`Policies\System\EnableLUA` is set to 0 below; this disables UAC for the whole machine, takes full effect only after a reboot, and requires administrative rights to write)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MEwQgoIc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rCMcwIQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hMAEkMAQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 — note: these arguments are reg.exe syntax (the identical command is listed under reg.exe further down), not cscript.exe syntax; the process name here is most likely a reporting artefact. The same caution applies to the other entries in this list whose executable does not match its command line (reg.exe with cmd.exe-style `/c "...bat"` arguments, reg.exe or cscript.exe with a bare path). Treat the command lines as reliable and the attributed executable as unverified.
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AAsMkkUs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\Wegwsckk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IkAcQsUQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\meYMIMcQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\JqksggcI.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\zQYkEEUw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\coEMkAkY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VcYskoAQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\aAIgMUMU.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rKYkQIkg.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c ""%TEMP%\vSssoIYQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' <Auxiliary element>
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IqoocMEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RYwAocsE.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dUkMsQUQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\JKkkgwwA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BqIwIkIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dIgcwkoM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\IwAcIMsM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VSsckoAQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\oWUIAkcY.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 — Hidden = 2 is Explorer's "do not show hidden files and folders"; `/f` suppresses the overwrite prompt
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 — hides extensions of known file types in Explorer
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f — disables UAC system-wide (effective after the next reboot); succeeding at this write implies the sample already ran with administrative rights
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs — runs a dropped VBScript (`%TEMP%\file.vbs` appears in the created-files list below) with the Windows Script Host console interpreter
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZCMwwocQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\juQYwQUg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TOUYUoIQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\wWIQgkQE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NYoUcEsI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hgIcQkAw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vokcMIUo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XcEgowIU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LEYUIEoo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jOQggwMQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zcsEUUoU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vgEsUYwA.bat" "<Full path to virus>""
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\cmd.exe
- %TEMP%\FWoYYgAc.bat
- %TEMP%\JqksggcI.bat
- %TEMP%\SuAEAkcA.bat
- %TEMP%\zQYkEEUw.bat
- C:\RCX9.tmp
- %TEMP%\meYMIMcQ.bat
- %TEMP%\puEMgYAY.bat
- %TEMP%\AgcswMEI.bat
- %TEMP%\MEwQgoIc.bat
- %TEMP%\XQEAAssk.bat
- %TEMP%\AAsMkkUs.bat
- <Current directory>\COMQ.ico
- <Current directory>\gAIs.exe
- C:\RCXA.tmp
- <Current directory>\xcQy.exe
- %TEMP%\FCgAcksE.bat
- <Current directory>\tUQw.exe
- %TEMP%\dUkMsQUQ.bat
- <Current directory>\vWwo.ico
- %TEMP%\hgIcQkAw.bat
- %TEMP%\VkIYYQIA.bat
- %TEMP%\NYoUcEsI.bat
- %TEMP%\Wegwsckk.bat
- %TEMP%\PkEgUkUY.bat
- <Current directory>\feoQ.ico
- %TEMP%\iGYIMcoQ.bat
- C:\RCX8.tmp
- %TEMP%\noUMkcwE.bat
- %TEMP%\IkAcQsUQ.bat
- %TEMP%\rqkcskEc.bat
- %TEMP%\XGIMcwQA.bat
- <Current directory>\zwAA.ico
- %TEMP%\coEMkAkY.bat
- %TEMP%\VcYskoAQ.bat
- %TEMP%\OEMEwIoA.bat
- %TEMP%\vSssoIYQ.bat
- %TEMP%\aaMgkMkk.bat
- %TEMP%\HEsccoIg.bat
- %TEMP%\rKYkQIkg.bat
- %TEMP%\yGksAwMg.bat
- %TEMP%\aAIgMUMU.bat
- <Current directory>\JoAI.exe
- %TEMP%\eKIcsEgM.bat
- C:\RCXD.tmp
- %TEMP%\RYwAocsE.bat
- %TEMP%\UkwAgggE.bat
- C:\RCXB.tmp
- %TEMP%\PYgoQQMg.bat
- <Current directory>\UMEA.exe
- %TEMP%\rCMcwIQo.bat
- <Current directory>\fKsw.ico
- %TEMP%\uswUgUoc.bat
- <Current directory>\ugsE.ico
- <Current directory>\XYQs.exe
- C:\RCXC.tmp
- %TEMP%\ZEwsAQko.bat
- %TEMP%\hMAEkMAQ.bat
- <Auxiliary element>
- %TEMP%\IqoocMEU.bat
- %TEMP%\VSsckoAQ.bat
- %TEMP%\yygUQQog.bat
- %TEMP%\IwAcIMsM.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\JKwYksQo.bat
- %TEMP%\dIgcwkoM.bat
- %TEMP%\NmocgIws.bat
- %TEMP%\XcEgowIU.bat
- <Current directory>\qYQA.exe
- %TEMP%\jWgwYcwc.bat
- %TEMP%\sAcYgcwQ.bat
- <Current directory>\XCcU.ico
- %TEMP%\NwsEwoYg.bat
- %TEMP%\LEYUIEoo.bat
- %TEMP%\JKkkgwwA.bat
- %TEMP%\ZCMwwocQ.bat
- %TEMP%\file.vbs
- %TEMP%\eKIkAgwg.bat
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\SOQkggEk.bat
- %TEMP%\IKgEQUUY.bat
- <Current directory>\xMsu.exe
- C:\RCX1.tmp
- <Current directory>\nSkA.ico
- %TEMP%\oWUIAkcY.bat
- %TEMP%\CyAEcswg.bat
- %TEMP%\BqIwIkIU.bat
- C:\RCX2.tmp
- <Current directory>\PicU.ico
- <Current directory>\QgUI.exe
- C:\RCX6.tmp
- %TEMP%\SyoAcwEI.bat
- %TEMP%\tIcgMQgc.bat
- C:\RCX5.tmp
- %TEMP%\TOUYUoIQ.bat
- C:\RCX7.tmp
- %TEMP%\wWIQgkQE.bat
- %TEMP%\CEgEIEYk.bat
- %TEMP%\TcccQcMc.bat
- %TEMP%\juQYwQUg.bat
- <Current directory>\wSsk.ico
- <Current directory>\KwYK.exe
- %TEMP%\vokcMIUo.bat
- C:\RCX3.tmp
- %TEMP%\vgEsUYwA.bat
- %TEMP%\FYwoUckI.bat
- <Current directory>\wEoA.exe
- %TEMP%\jOQggwMQ.bat
- %TEMP%\pGMQUkUI.bat
- <Current directory>\oocc.ico
- %TEMP%\AiAIgsks.bat
- <Current directory>\gmwE.ico
- <Current directory>\GgQW.exe
- C:\RCX4.tmp
- %TEMP%\zcsEUUoU.bat
- <Current directory>\bIUE.ico
- <Current directory>\TokW.exe
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\SuAEAkcA.bat
- %TEMP%\AgcswMEI.bat
- %TEMP%\zQYkEEUw.bat
- <Current directory>\feoQ.ico
- %TEMP%\rqkcskEc.bat
- <Current directory>\gAIs.exe
- %TEMP%\XQEAAssk.bat
- %TEMP%\JqksggcI.bat
- <Current directory>\tUQw.exe
- <Current directory>\vWwo.ico
- %TEMP%\noUMkcwE.bat
- %TEMP%\iGYIMcoQ.bat
- %TEMP%\FWoYYgAc.bat
- <Current directory>\xcQy.exe
- %TEMP%\PkEgUkUY.bat
- %TEMP%\puEMgYAY.bat
- %TEMP%\XGIMcwQA.bat
- <Current directory>\ugsE.ico
- %TEMP%\aaMgkMkk.bat
- <Current directory>\XYQs.exe
- %TEMP%\HEsccoIg.bat
- %TEMP%\yGksAwMg.bat
- %TEMP%\vSssoIYQ.bat
- %TEMP%\eKIcsEgM.bat
- %TEMP%\uswUgUoc.bat
- %TEMP%\PYgoQQMg.bat
- <Current directory>\COMQ.ico
- %TEMP%\UkwAgggE.bat
- <Current directory>\fKsw.ico
- %TEMP%\OEMEwIoA.bat
- <Current directory>\UMEA.exe
- %TEMP%\ZEwsAQko.bat
- %TEMP%\FCgAcksE.bat
- %TEMP%\sAcYgcwQ.bat
- %TEMP%\jWgwYcwc.bat
- %TEMP%\yygUQQog.bat
- %TEMP%\NwsEwoYg.bat
- %TEMP%\pGMQUkUI.bat
- <Current directory>\wEoA.exe
- <Current directory>\qYQA.exe
- <Current directory>\XCcU.ico
- %TEMP%\CyAEcswg.bat
- %TEMP%\IKgEQUUY.bat
- %TEMP%\SOQkggEk.bat
- %TEMP%\eKIkAgwg.bat
- %TEMP%\NmocgIws.bat
- <Current directory>\nSkA.ico
- %TEMP%\JKwYksQo.bat
- <Current directory>\xMsu.exe
- <Current directory>\PicU.ico
- %TEMP%\TcccQcMc.bat
- %TEMP%\SyoAcwEI.bat
- <Current directory>\QgUI.exe
- <Current directory>\KwYK.exe
- <Current directory>\wSsk.ico
- %TEMP%\CEgEIEYk.bat
- %TEMP%\VkIYYQIA.bat
- <Current directory>\TokW.exe
- %TEMP%\AiAIgsks.bat
- %TEMP%\FYwoUckI.bat
- <Current directory>\oocc.ico
- <Current directory>\GgQW.exe
- <Current directory>\gmwE.ico
- <Current directory>\bIUE.ico
- %TEMP%\tIcgMQgc.bat
- from C:\RCX9.tmp to <Current directory>\xcQy.exe (this and the following entries are file moves/renames: each `C:\RCX*.tmp` staging file listed above is renamed into an executable in the current directory; the `.ico` files created alongside are presumably the icons for these executables — inference, not stated by the report)
- from C:\RCX8.tmp to <Current directory>\tUQw.exe
- from C:\RCX7.tmp to <Current directory>\KwYK.exe
- from C:\RCXC.tmp to <Current directory>\XYQs.exe
- from C:\RCXB.tmp to <Current directory>\UMEA.exe
- from C:\RCXA.tmp to <Current directory>\gAIs.exe
- from C:\RCX3.tmp to <Current directory>\wEoA.exe
- from C:\RCX2.tmp to <Current directory>\qYQA.exe
- from C:\RCX1.tmp to <Current directory>\xMsu.exe
- from C:\RCX6.tmp to <Current directory>\QgUI.exe
- from C:\RCX5.tmp to <Current directory>\GgQW.exe
- from C:\RCX4.tmp to <Current directory>\TokW.exe
- '19#.#86.45.170':9999 — the `#` characters are digit masking applied by the report source, so none of these addresses can be used as a network indicator as printed; port 9999 is not a standard service port
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/ (plain HTTP request to the root path of the same host contacted on port 80 above)
- DNS ASK google.com (a lookup of google.com with no matching connection listed; presumably an internet-connectivity check rather than command-and-control — unconfirmed)
- ClassName: '' WindowName: 'aeEkEEcE.exe' (window lookups by the name of the sample's own dropped copies — consistent with a check for an already-running instance, though the report does not state the purpose)
- ClassName: 'Shell_TrayWnd' WindowName: '' (`Shell_TrayWnd` is the window class of the Windows taskbar)
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'