Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files (Explorer 'Hidden' value changed via reg.exe, see the commands listed below)
- file extensions (Explorer 'HideFileExt' value changed via reg.exe, see the commands listed below)
- User Account Control (UAC) ('EnableLUA' set to 0 via reg.exe, see the commands listed below)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mWMQcAwg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HaQoUIQI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\XIIUYcYc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\mmAwcAMI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\UIsIMswc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YCAQQwQo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\oukMQIIA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\sYssgEog.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\yqgUkEkA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vAwsgIcM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qIIggoQs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xswIUckk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bmQQIokk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MmsgIwcs.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\iawcgEoI.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\nOoYEEAE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cgYQoEIQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\lqoEgswg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\eYIUcwYk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\agAoAgsA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\zIwogsgI.bat" "<Full path to virus>""
- %TEMP%\mWMQcAwg.bat
- %TEMP%\pSAIMEIs.bat
- <Current directory>\zyUw.ico
- %TEMP%\mmYwcwUg.bat
- %TEMP%\YCAQQwQo.bat
- <Current directory>\Oows.exe
- C:\RCX11.tmp
- <Current directory>\pEUc.exe
- %TEMP%\HaUsUccw.bat
- <Current directory>\wewM.ico
- <Current directory>\ckQm.exe
- %TEMP%\XIIUYcYc.bat
- C:\RCX12.tmp
- %TEMP%\qaUQgAsk.bat
- %TEMP%\HaQoUIQI.bat
- %TEMP%\mmAwcAMI.bat
- %TEMP%\cukoMMAI.bat
- <Current directory>\RQwo.ico
- C:\RCXE.tmp
- C:\RCXD.tmp
- <Current directory>\bAsw.ico
- <Current directory>\JAQo.exe
- <Current directory>\twQE.exe
- <Current directory>\XMIi.exe
- C:\RCX10.tmp
- <Current directory>\hkQQ.ico
- <Current directory>\CQkU.ico
- C:\RCXF.tmp
- %TEMP%\UIsIMswc.bat
- %TEMP%\vssMgwQM.bat
- C:\RCX13.tmp
- %TEMP%\ZqwwYAMw.bat
- <Current directory>\ZAwA.ico
- <Current directory>\LAIk.exe
- C:\RCX17.tmp
- %TEMP%\oukMQIIA.bat
- <Current directory>\SuQQ.ico
- <Current directory>\oMAw.exe
- C:\RCX18.tmp
- %TEMP%\sYssgEog.bat
- %TEMP%\yqgUkEkA.bat
- %TEMP%\wisAEEYI.bat
- %TEMP%\hUwIIYMY.bat
- <Current directory>\qkcA.ico
- <Current directory>\PwUw.exe
- C:\RCX19.tmp
- C:\RCX14.tmp
- %TEMP%\qIIggoQs.bat
- <Current directory>\uSYA.ico
- <Current directory>\iocs.exe
- %TEMP%\vAwsgIcM.bat
- %TEMP%\KoAQkQMI.bat
- <Current directory>\XuYs.ico
- <Current directory>\esUA.exe
- C:\RCX16.tmp
- %TEMP%\xswIUckk.bat
- %TEMP%\vqgQAYIU.bat
- <Current directory>\XQEs.exe
- C:\RCX15.tmp
- %TEMP%\psYgYEQY.bat
- <Current directory>\ROUc.ico
- %TEMP%\XeIEwAkQ.bat
- C:\RCX3.tmp
- %TEMP%\IegMMcEI.bat
- <Current directory>\qwco.ico
- <Current directory>\hwMc.exe
- <Current directory>\MYQw.exe
- C:\RCX2.tmp
- <Current directory>\EGMw.ico
- <Current directory>\GIEK.exe
- %TEMP%\syUkAAMQ.bat
- %TEMP%\agAoAgsA.bat
- %TEMP%\zIwogsgI.bat
- C:\RCX5.tmp
- C:\RCX4.tmp
- <Current directory>\eUIU.ico
- <Current directory>\hcQc.exe
- %TEMP%\MmsgIwcs.bat
- %TEMP%\zYQsQkgY.bat
- %TEMP%\file.vbs
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\xqgogoAI.bat
- %TEMP%\iawcgEoI.bat
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\soIQ.ico
- %TEMP%\eYIUcwYk.bat
- C:\RCX1.tmp
- <Current directory>\vUEA.ico
- <Current directory>\OsEw.exe
- %TEMP%\LuwggQIc.bat
- <Current directory>\MCcA.ico
- <Current directory>\TsEw.ico
- <Current directory>\tYQi.exe
- C:\RCXB.tmp
- %TEMP%\tKUUUwcg.bat
- <Current directory>\UgAy.exe
- C:\RCXA.tmp
- %TEMP%\cgYQoEIQ.bat
- %TEMP%\lqoEgswg.bat
- %TEMP%\bmQQIokk.bat
- <Current directory>\HUIo.ico
- <Current directory>\RwsI.exe
- C:\RCXC.tmp
- <Current directory>\WmMg.ico
- %TEMP%\WiEMAwMM.bat
- <Current directory>\vUwW.exe
- <Current directory>\OQIg.exe
- C:\RCX7.tmp
- %TEMP%\nOoYEEAE.bat
- <Current directory>\jMEQ.ico
- <Current directory>\BIcI.exe
- C:\RCX6.tmp
- %TEMP%\OIMMMcoo.bat
- <Current directory>\cIUE.ico
- <Current directory>\hwAM.exe
- C:\RCX9.tmp
- <Current directory>\umcA.ico
- <Current directory>\oggM.ico
- <Current directory>\Iowu.exe
- C:\RCX8.tmp
- %TEMP%\BKkAoAIk.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\pSAIMEIs.bat
- %TEMP%\qaUQgAsk.bat
- <Current directory>\Oows.exe
- <Current directory>\hkQQ.ico
- <Current directory>\zyUw.ico
- <Current directory>\ckQm.exe
- <Current directory>\pEUc.exe
- %TEMP%\HaUsUccw.bat
- %TEMP%\mmYwcwUg.bat
- %TEMP%\cukoMMAI.bat
- <Current directory>\twQE.exe
- <Current directory>\JAQo.exe
- <Current directory>\bAsw.ico
- <Current directory>\XMIi.exe
- <Current directory>\CQkU.ico
- <Current directory>\RQwo.ico
- %TEMP%\vssMgwQM.bat
- <Current directory>\wewM.ico
- %TEMP%\ZqwwYAMw.bat
- <Current directory>\LAIk.exe
- <Current directory>\oMAw.exe
- <Current directory>\SuQQ.ico
- <Current directory>\PwUw.exe
- <Current directory>\qkcA.ico
- <Current directory>\ZAwA.ico
- %TEMP%\hUwIIYMY.bat
- <Current directory>\ROUc.ico
- <Current directory>\XuYs.ico
- %TEMP%\psYgYEQY.bat
- %TEMP%\KoAQkQMI.bat
- <Current directory>\iocs.exe
- %TEMP%\vqgQAYIU.bat
- <Current directory>\XQEs.exe
- <Current directory>\esUA.exe
- <Current directory>\uSYA.ico
- <Current directory>\HUIo.ico
- <Current directory>\qwco.ico
- %TEMP%\syUkAAMQ.bat
- %TEMP%\IegMMcEI.bat
- <Current directory>\GIEK.exe
- <Current directory>\BIcI.exe
- <Current directory>\MCcA.ico
- <Current directory>\hcQc.exe
- <Current directory>\eUIU.ico
- <Current directory>\EGMw.ico
- %TEMP%\LuwggQIc.bat
- <Current directory>\OsEw.exe
- %TEMP%\xqgogoAI.bat
- %TEMP%\zYQsQkgY.bat
- <Current directory>\soIQ.ico
- <Current directory>\hwMc.exe
- <Current directory>\vUEA.ico
- <Current directory>\MYQw.exe
- %TEMP%\OIMMMcoo.bat
- <Current directory>\TsEw.ico
- %TEMP%\WiEMAwMM.bat
- %TEMP%\tKUUUwcg.bat
- <Current directory>\tYQi.exe
- %TEMP%\XeIEwAkQ.bat
- <Current directory>\RwsI.exe
- <Current directory>\vUwW.exe
- <Current directory>\WmMg.ico
- <Current directory>\umcA.ico
- <Current directory>\Iowu.exe
- <Current directory>\cIUE.ico
- <Current directory>\OQIg.exe
- <Current directory>\jMEQ.ico
- <Current directory>\oggM.ico
- <Current directory>\UgAy.exe
- %TEMP%\BKkAoAIk.bat
- <Current directory>\hwAM.exe
- from C:\RCX11.tmp to <Current directory>\Oows.exe
- from C:\RCX12.tmp to <Current directory>\pEUc.exe
- from C:\RCX13.tmp to <Current directory>\ckQm.exe
- from C:\RCXE.tmp to <Current directory>\JAQo.exe
- from C:\RCXF.tmp to <Current directory>\twQE.exe
- from C:\RCX10.tmp to <Current directory>\XMIi.exe
- from C:\RCX17.tmp to <Current directory>\oMAw.exe
- from C:\RCX18.tmp to <Current directory>\LAIk.exe
- from C:\RCX19.tmp to <Current directory>\PwUw.exe
- from C:\RCX14.tmp to <Current directory>\iocs.exe
- from C:\RCX15.tmp to <Current directory>\esUA.exe
- from C:\RCX16.tmp to <Current directory>\XQEs.exe
- from C:\RCXD.tmp to <Current directory>\RwsI.exe
- from C:\RCX4.tmp to <Current directory>\GIEK.exe
- from C:\RCX5.tmp to <Current directory>\hcQc.exe
- from C:\RCX6.tmp to <Current directory>\BIcI.exe
- from C:\RCX1.tmp to <Current directory>\OsEw.exe
- from C:\RCX2.tmp to <Current directory>\MYQw.exe
- from C:\RCX3.tmp to <Current directory>\hwMc.exe
- from C:\RCXA.tmp to <Current directory>\UgAy.exe
- from C:\RCXB.tmp to <Current directory>\tYQi.exe
- from C:\RCXC.tmp to <Current directory>\vUwW.exe
- from C:\RCX7.tmp to <Current directory>\OQIg.exe
- from C:\RCX8.tmp to <Current directory>\Iowu.exe
- from C:\RCX9.tmp to <Current directory>\hwAM.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'