Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- hidden files — display of hidden files is switched off via HKCU\...\Explorer\Advanced 'Hidden' = 2 (see the reg.exe command below)
- file extensions — display of known file extensions is switched off via HKCU\...\Explorer\Advanced 'HideFileExt' = 1 (see the reg.exe command below)
- User Account Control (UAC) — disabled via HKLM\...\Policies\System 'EnableLUA' = 0 (see the reg.exe command below; writing this HKLM value requires elevated rights)
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XgsEMAYI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cKwAAcQc.bat" "<Full path to virus>""
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\lCYUwYYI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nIgAwcIk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XsQkgkIM.bat" "<Full path to virus>""
- '<SYSTEM32>\taskkill.exe' /FI "USERNAME eq %USERNAME%" /F /IM aeEkEEcE.exe
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MgIkgcEg.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\leYMscEo.bat" "<Full path to virus>""
- '<SYSTEM32>\taskkill.exe' /FI "USERNAME eq %USERNAME%" /F /IM pUccUkoM.exe
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\TEsQkcsA.bat" "<Full path to virus>""
- C:\RCX7.tmp
- <Current directory>\swkU.exe
- %TEMP%\qcsUcAIk.bat
- C:\RCX8.tmp
- <Current directory>\GQkU.exe
- <Current directory>\XgYu.ico
- <Current directory>\PwAa.ico
- <Current directory>\scMM.ico
- %TEMP%\XgsEMAYI.bat
- C:\RCX5.tmp
- %TEMP%\lCYUwYYI.bat
- C:\RCX6.tmp
- <Current directory>\yEck.exe
- <Current directory>\SMAq.ico
- %TEMP%\asocYcQU.bat
- %TEMP%\XsQkgkIM.bat
- %TEMP%\nIgAwcIk.bat
- C:\RCXB.tmp
- <Current directory>\ogQA.exe
- C:\RCXA.tmp
- C:\RCX9.tmp
- <Current directory>\wAww.exe
- <Current directory>\gUAg.ico
- <Current directory>\zYUo.exe
- <Current directory>\hocO.ico
- %TEMP%\usYcYMwk.bat
- %TEMP%\uaoAggQQ.bat
- <Current directory>\RAMW.exe
- <Current directory>\mEMw.ico
- %TEMP%\MeIcAAQE.bat
- <Current directory>\BoQw.exe
- <Current directory>\Pkci.ico
- C:\RCX1.tmp
- %TEMP%\TEsQkcsA.bat
- <Current directory>\<Virus name>
- %TEMP%\yWwcUYcM.bat
- %TEMP%\file.vbs
- %TEMP%\FqkkYwIQ.bat
- %TEMP%\leYMscEo.bat
- <Current directory>\asoK.exe
- <Current directory>\ZIos.ico
- %TEMP%\gSQIksQE.bat
- <Current directory>\Igwg.exe
- <Current directory>\ookO.ico
- C:\RCX4.tmp
- %TEMP%\cKwAAcQc.bat
- %TEMP%\zYAgEQEo.bat
- C:\RCX2.tmp
- %TEMP%\MgIkgcEg.bat
- C:\RCX3.tmp
- <Current directory>\tsoi.exe
- <Current directory>\Xkcs.ico
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\qcsUcAIk.bat
- <Current directory>\GQkU.exe
- <Current directory>\XgYu.ico
- <Current directory>\PwAa.ico
- <Current directory>\yEck.exe
- <Current directory>\scMM.ico
- <Current directory>\swkU.exe
- <Current directory>\wAww.exe
- %TEMP%\asocYcQU.bat
- <Current directory>\ogQA.exe
- <Current directory>\SMAq.ico
- <Current directory>\hocO.ico
- <Current directory>\gUAg.ico
- %TEMP%\usYcYMwk.bat
- <Current directory>\zYUo.exe
- %TEMP%\uaoAggQQ.bat
- <Current directory>\mEMw.ico
- <Current directory>\BoQw.exe
- <Current directory>\Pkci.ico
- <Current directory>\RAMW.exe
- %TEMP%\yWwcUYcM.bat
- %TEMP%\FqkkYwIQ.bat
- %TEMP%\MeIcAAQE.bat
- %TEMP%\zYAgEQEo.bat
- <Current directory>\ZIos.ico
- <Current directory>\Igwg.exe
- <Current directory>\ookO.ico
- <Current directory>\asoK.exe
- <Current directory>\tsoi.exe
- <Current directory>\Xkcs.ico
- %TEMP%\gSQIksQE.bat
- from C:\RCX8.tmp to <Current directory>\GQkU.exe
- from C:\RCX7.tmp to <Current directory>\swkU.exe
- from C:\RCX9.tmp to <Current directory>\wAww.exe
- from C:\RCXB.tmp to <Current directory>\ogQA.exe
- from C:\RCXA.tmp to <Current directory>\zYUo.exe
- from C:\RCX6.tmp to <Current directory>\yEck.exe
- from C:\RCX2.tmp to <Current directory>\BoQw.exe
- from C:\RCX1.tmp to <Current directory>\RAMW.exe
- from C:\RCX3.tmp to <Current directory>\tsoi.exe
- from C:\RCX5.tmp to <Current directory>\Igwg.exe
- from C:\RCX4.tmp to <Current directory>\asoK.exe
- '19#.#86.45.170':9999
- '20#.#19.204.12':9999
- '20#.#7.164.69':9999
- DNS ASK google.com
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'