Technical Information (behaviour report: registry changes, processes launched, files created/removed/renamed, network activity and window lookups recorded while the sample ran; the eight-character directory and file names appear to be randomly generated and will differ between samples)
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe' (machine-wide Run key: the dropped copy is started at logon for every user)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe' (per-user Run key: a second, independent autostart entry under the current user's profile)
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002' (service start type 2 = SERVICE_AUTO_START: the service is launched automatically at boot, giving a third persistence mechanism)
- hidden files: Explorer is configured not to display them (HKCU\...\Explorer\Advanced\Hidden = 2; see the reg.exe command below)
- file extensions: Explorer is configured to hide them (HKCU\...\Explorer\Advanced\HideFileExt = 1), so a dropped .exe is shown by its base name only
- User Account Control (UAC): disabled via HKLM\...\Policies\System\EnableLUA = 0 (see the reg.exe command below; this setting only takes effect after the next reboot)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PMwYQwcE.bat" "<Full path to virus>"" (pattern repeated below for each dropped %TEMP%\*.bat helper: the batch file is run via cmd.exe with the path of the executing sample as its only argument)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\DIsEEQcg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VSgggkIE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\voYAIEgU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tcUoMMYA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hioQAckY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ReoUEgoo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cgIsksYc.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs (note: these are not valid reg.exe arguments; the image name and the logged command line likely do not correspond — the same %TEMP%\file.vbs is executed by cscript.exe below)
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>" (same caveat: '/c' is a cmd.exe switch, not a reg.exe one)
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bEgMMAgM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bCYgYYAA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vAEoEwQs.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dEgQoIQU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\dcUoMMkI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kuAEYwkA.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RIAMoQgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\FSQgQoME.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jOQMEUwI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OGoQAoQI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\eKgEwMAg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hGowwsAw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gYIQgIAQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\gKksIggw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hwQwIcEU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MUkwgosU.bat" "<Full path to virus>""
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\cmd.exe
- <Current directory>\IqYk.ico (start of the file-creation list: pairs of random four-letter <Current directory>\XXXX.exe / XXXX.ico files, %TEMP%\*.bat helper scripts, %TEMP%\file.vbs, and C:\RCX*.tmp staging files that are later renamed to the .exe files listed in the "from ... to ..." entries at the end)
- %TEMP%\rOYcgksg.bat
- C:\RCX10.tmp
- <Current directory>\ewUq.exe
- C:\RCXF.tmp
- <Current directory>\hIAa.exe
- %TEMP%\DIsEEQcg.bat
- %TEMP%\dgQQQcUs.bat
- %TEMP%\cgIsksYc.bat
- C:\RCX11.tmp
- %TEMP%\vAEoEwQs.bat
- %TEMP%\HwUwAEoY.bat
- %TEMP%\EkUwkQoE.bat
- %TEMP%\VSgggkIE.bat
- <Current directory>\ZUIW.exe
- <Current directory>\HIcU.ico
- <Current directory>\LQMC.exe
- <Current directory>\deAk.ico
- C:\RCXD.tmp
- %TEMP%\ReoUEgoo.bat
- %TEMP%\BCkcgEco.bat
- %TEMP%\tcUoMMYA.bat
- %TEMP%\FicEsscU.bat
- %TEMP%\hioQAckY.bat
- %TEMP%\bmYIYIoU.bat
- C:\RCXE.tmp
- <Current directory>\HeEk.ico
- %TEMP%\PMwYQwcE.bat
- <Current directory>\lUME.ico
- %TEMP%\zGMwgAAg.bat
- %TEMP%\voYAIEgU.bat
- <Current directory>\yoES.exe
- <Current directory>\xYII.ico
- <Current directory>\tsEK.exe
- <Current directory>\focU.ico
- C:\RCX17.tmp
- %TEMP%\bEgMMAgM.bat
- <Current directory>\ZcAw.exe
- <Current directory>\eeMQ.ico
- %TEMP%\wocEsMks.bat
- C:\RCX16.tmp
- <Current directory>\aKQg.ico
- %TEMP%\JWsQMYYw.bat
- C:\RCX19.tmp
- <Current directory>\zEgo.exe
- <Current directory>\TgQc.exe
- <Current directory>\GwQY.ico
- %TEMP%\CGUgkwkA.bat
- C:\RCX18.tmp
- C:\RCX13.tmp
- <Current directory>\VEwy.exe
- <Current directory>\vAUU.ico
- %TEMP%\PssQoYMI.bat
- C:\RCX12.tmp
- <Current directory>\wMYc.exe
- <Current directory>\hUEM.ico
- %TEMP%\XkcIwEcE.bat
- <Current directory>\vywU.ico
- %TEMP%\ZCIEgAUs.bat
- C:\RCX15.tmp
- <Current directory>\dgcS.exe
- %TEMP%\dEgQoIQU.bat
- <Current directory>\zYoY.exe
- %TEMP%\bCYgYYAA.bat
- C:\RCX14.tmp
- C:\RCXC.tmp
- C:\RCX3.tmp
- <Current directory>\ugQY.exe
- <Current directory>\kOcA.ico
- %TEMP%\AcogUgMQ.bat
- <Current directory>\JskO.exe
- %TEMP%\jOQMEUwI.bat
- <Current directory>\mYwM.ico
- C:\RCX2.tmp
- <Current directory>\McsE.exe
- %TEMP%\WWoEcEoc.bat
- <Current directory>\vWAA.ico
- C:\RCX5.tmp
- C:\RCX4.tmp
- <Current directory>\boka.exe
- <Current directory>\OMYc.ico
- %TEMP%\gKksIggw.bat
- %TEMP%\yAIQEsAA.bat
- %TEMP%\FSQgQoME.bat
- %TEMP%\file.vbs
- <Current directory>\FaYw.ico
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- <Current directory>\<Virus name>
- %TEMP%\TYQAgEkQ.bat
- %TEMP%\RIAMoQgA.bat
- %ALLUSERSPROFILE%\casg.txt
- <Current directory>\RYMs.ico
- %TEMP%\PqoYcskg.bat
- <Current directory>\BgEu.exe
- %TEMP%\kuAEYwkA.bat
- %TEMP%\pKUEwwIY.bat
- C:\RCX1.tmp
- <Current directory>\gMkA.exe
- %TEMP%\eKgEwMAg.bat
- %TEMP%\zwwAYQAc.bat
- %TEMP%\hGowwsAw.bat
- C:\RCXA.tmp
- %TEMP%\xcIskYcc.bat
- %TEMP%\OGoQAoQI.bat
- <Current directory>\KMwi.exe
- <Current directory>\NIow.ico
- %TEMP%\aggQUUkU.bat
- %TEMP%\dcUoMMkI.bat
- <Current directory>\aoos.exe
- <Current directory>\hcgA.ico
- <Current directory>\RWwQ.ico
- %TEMP%\WOIAQYsw.bat
- C:\RCXB.tmp
- <Current directory>\WYkS.exe
- C:\RCX7.tmp
- <Current directory>\YsEg.exe
- <Current directory>\oWwM.ico
- %TEMP%\MUkwgosU.bat
- %TEMP%\aeQUIYco.bat
- C:\RCX6.tmp
- <Current directory>\newc.ico
- %TEMP%\hwQwIcEU.bat
- <Current directory>\BoEA.ico
- %TEMP%\lGwQkUAg.bat
- C:\RCX9.tmp
- <Current directory>\hMQO.exe
- C:\RCX8.tmp
- <Current directory>\DwUk.exe
- %TEMP%\gYIQgIAQ.bat
- %TEMP%\vyYUUAkc.bat
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe (the entries from here on repeat the paths created above, minus the C:\RCX*.tmp files; in the original report this is a separate list — presumably the files removed during execution — whose heading did not survive extraction)
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- %TEMP%\rOYcgksg.bat
- <Current directory>\ewUq.exe
- <Current directory>\hIAa.exe
- <Current directory>\HeEk.ico
- <Current directory>\IqYk.ico
- <Current directory>\ZUIW.exe
- <Current directory>\HIcU.ico
- %TEMP%\EkUwkQoE.bat
- %TEMP%\HwUwAEoY.bat
- %TEMP%\zGMwgAAg.bat
- <Current directory>\LQMC.exe
- <Current directory>\hcgA.ico
- %TEMP%\FicEsscU.bat
- <Current directory>\deAk.ico
- <Current directory>\lUME.ico
- %TEMP%\dgQQQcUs.bat
- %TEMP%\bmYIYIoU.bat
- <Current directory>\yoES.exe
- <Current directory>\wMYc.exe
- <Current directory>\eeMQ.ico
- %TEMP%\wocEsMks.bat
- <Current directory>\vywU.ico
- <Current directory>\ZcAw.exe
- <Current directory>\tsEK.exe
- %TEMP%\CGUgkwkA.bat
- <Current directory>\GwQY.ico
- <Current directory>\focU.ico
- <Current directory>\TgQc.exe
- <Current directory>\VEwy.exe
- <Current directory>\hUEM.ico
- <Current directory>\xYII.ico
- %TEMP%\XkcIwEcE.bat
- %TEMP%\PssQoYMI.bat
- %TEMP%\ZCIEgAUs.bat
- <Current directory>\dgcS.exe
- <Current directory>\zYoY.exe
- <Current directory>\vAUU.ico
- <Current directory>\boka.exe
- <Current directory>\kOcA.ico
- <Current directory>\ugQY.exe
- <Current directory>\mYwM.ico
- %TEMP%\WWoEcEoc.bat
- <Current directory>\gMkA.exe
- %TEMP%\aeQUIYco.bat
- <Current directory>\McsE.exe
- <Current directory>\OMYc.ico
- %TEMP%\pKUEwwIY.bat
- <Current directory>\BgEu.exe
- %TEMP%\TYQAgEkQ.bat
- %TEMP%\yAIQEsAA.bat
- <Current directory>\FaYw.ico
- <Current directory>\RYMs.ico
- %TEMP%\AcogUgMQ.bat
- %TEMP%\PqoYcskg.bat
- <Current directory>\JskO.exe
- <Current directory>\vWAA.ico
- %TEMP%\WOIAQYsw.bat
- <Current directory>\NIow.ico
- %TEMP%\zwwAYQAc.bat
- <Current directory>\KMwi.exe
- <Current directory>\WYkS.exe
- %TEMP%\BCkcgEco.bat
- <Current directory>\aoos.exe
- <Current directory>\RWwQ.ico
- %TEMP%\aggQUUkU.bat
- %TEMP%\vyYUUAkc.bat
- <Current directory>\DwUk.exe
- <Current directory>\YsEg.exe
- <Current directory>\newc.ico
- %TEMP%\lGwQkUAg.bat
- <Current directory>\hMQO.exe
- <Current directory>\BoEA.ico
- <Current directory>\oWwM.ico
- %TEMP%\xcIskYcc.bat
- from C:\RCX10.tmp to <Current directory>\ewUq.exe (file renames: each C:\RCX*.tmp staging file is moved into place as one of the <Current directory>\XXXX.exe files)
- from C:\RCX11.tmp to <Current directory>\ZUIW.exe
- from C:\RCX12.tmp to <Current directory>\wMYc.exe
- from C:\RCXD.tmp to <Current directory>\LQMC.exe
- from C:\RCXE.tmp to <Current directory>\yoES.exe
- from C:\RCXF.tmp to <Current directory>\hIAa.exe
- from C:\RCX16.tmp to <Current directory>\ZcAw.exe
- from C:\RCX17.tmp to <Current directory>\tsEK.exe
- from C:\RCX18.tmp to <Current directory>\TgQc.exe
- from C:\RCX13.tmp to <Current directory>\VEwy.exe
- from C:\RCX14.tmp to <Current directory>\zYoY.exe
- from C:\RCX15.tmp to <Current directory>\dgcS.exe
- from C:\RCX4.tmp to <Current directory>\boka.exe
- from C:\RCX5.tmp to <Current directory>\McsE.exe
- from C:\RCX6.tmp to <Current directory>\gMkA.exe
- from C:\RCX1.tmp to <Current directory>\BgEu.exe
- from C:\RCX2.tmp to <Current directory>\JskO.exe
- from C:\RCX3.tmp to <Current directory>\ugQY.exe
- from C:\RCXA.tmp to <Current directory>\KMwi.exe
- from C:\RCXB.tmp to <Current directory>\WYkS.exe
- from C:\RCXC.tmp to <Current directory>\aoos.exe
- from C:\RCX7.tmp to <Current directory>\YsEg.exe
- from C:\RCX8.tmp to <Current directory>\DwUk.exe
- from C:\RCX9.tmp to <Current directory>\hMQO.exe
- '19#.#86.45.170':9999 (network connections; addresses are partially masked in the report — three hosts are contacted on TCP port 9999 and one on port 80)
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/ (HTTP request for the root path of the port-80 host above)
- DNS ASK google.com (DNS query for google.com; often used as a connectivity check, but the report does not show what the result is used for)
- ClassName: '' WindowName: 'pUccUkoM.exe' (window lookups, FindWindow-style: searches by title for its own dropped executable names, possibly to detect an already-running copy — the report does not show the result)
- ClassName: 'Shell_TrayWnd' WindowName: '' (the Explorer taskbar window)
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'