Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\FkYQcQph] 'Start' = '00000002'
- hidden files (Explorer `Hidden` value set to 2 by the reg.exe command listed below, i.e. hidden files are no longer shown)
- file extensions (Explorer `HideFileExt` value set to 1 by the reg.exe commands listed below, i.e. known file extensions are no longer shown)
- User Account Control (UAC) (`EnableLUA` set to 0 under HKLM\...\Policies\System by the reg.exe command listed below, i.e. UAC is turned off)
- '%ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe'
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NsQowwcc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LCcYsogw.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\xCogUgUM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\wggwYEww.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZowcQkwE.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\liAQQscQ.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\vEcoMUwg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\AucEwQwc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RCYYYQcA.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\HAUsMcMc.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\FgUIMsMw.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c ""%TEMP%\KwIEIwos.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RAYcsMgM.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\cCggooUY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MKEwAQgk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\oGcIAggY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MYYAogcc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rsgQUIcE.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LCsIMoMg.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aKYYEkUo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ygIAEcQU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\icAUQcMc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\uiMUMswI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jYIAAYgA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\iOkIsEgI.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pScwYMIc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\lGcQUYAA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\hqwAoYcw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LSkMQkYM.bat" "<Full path to virus>""
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\reg.exe
- <Current directory>\GOQA.ico
- <Current directory>\lQUU.exe
- C:\RCXE.tmp
- %TEMP%\KmYoIQQM.bat
- <Current directory>\DOUU.ico
- <Current directory>\rcwc.exe
- C:\RCXD.tmp
- %TEMP%\AucEwQwc.bat
- C:\RCXF.tmp
- %TEMP%\YUIUwgcA.bat
- %TEMP%\skgwwkcw.bat
- %TEMP%\vEcoMUwg.bat
- %TEMP%\ZSgscUwE.bat
- <Current directory>\DqYM.ico
- <Current directory>\sUcE.exe
- <Current directory>\AkMc.ico
- <Current directory>\Scky.exe
- C:\RCXA.tmp
- %TEMP%\liAQQscQ.bat
- C:\RCX9.tmp
- %TEMP%\uiMUMswI.bat
- %TEMP%\rYIsUgYQ.bat
- <Current directory>\oSco.ico
- <Current directory>\JgQQ.exe
- C:\RCXC.tmp
- %TEMP%\ZowcQkwE.bat
- <Current directory>\WaYY.ico
- <Current directory>\aMYY.exe
- C:\RCXB.tmp
- %TEMP%\eWkQoQAY.bat
- %TEMP%\FsooAgIk.bat
- %TEMP%\RAYcsMgM.bat
- %TEMP%\FgUIMsMw.bat
- %TEMP%\TqEAAowI.bat
- <Current directory>\nIUk.ico
- <Current directory>\MYgk.exe
- C:\RCX11.tmp
- %TEMP%\UMUIcEEY.bat
- C:\RCX12.tmp
- %TEMP%\FkEEYQQo.bat
- %TEMP%\XGYoUAMQ.bat
- <Current directory>\hkYs.exe
- %TEMP%\ryIUIoEk.bat
- %TEMP%\HAUsMcMc.bat
- <Current directory>\bUcM.ico
- <Current directory>\Vwsu.exe
- %TEMP%\syogIkAU.bat
- C:\RCX10.tmp
- <Current directory>\MGgM.ico
- %TEMP%\LCcYsogw.bat
- %TEMP%\wggwYEww.bat
- %TEMP%\FkYAMMMk.bat
- %TEMP%\NsQowwcc.bat
- %TEMP%\bWUUoUks.bat
- %TEMP%\KwIEIwos.bat
- %TEMP%\cCggooUY.bat
- %TEMP%\eMAsIkwk.bat
- %TEMP%\xCogUgUM.bat
- %TEMP%\RakMIMgY.bat
- %TEMP%\RCYYYQcA.bat
- %TEMP%\aKYYEkUo.bat
- %TEMP%\SaggAQkg.bat
- %TEMP%\lGcQUYAA.bat
- %ALLUSERSPROFILE%\casg.txt
- %TEMP%\fywcooAU.bat
- %TEMP%\MYYAogcc.bat
- %TEMP%\KmYkkoYg.bat
- <Current directory>\MaMs.ico
- C:\RCX3.tmp
- %TEMP%\iQUoEgkA.bat
- <Current directory>\hcYQ.ico
- <Current directory>\FAQm.exe
- <Current directory>\mQce.exe
- C:\RCX2.tmp
- <Current directory>\JyEs.ico
- %TEMP%\LCsIMoMg.bat
- %TEMP%\OoswEAwg.bat
- %TEMP%\file.vbs
- <Current directory>\<Virus name>
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %TEMP%\PmMAUcsQ.bat
- %TEMP%\oGcIAggY.bat
- %TEMP%\KAUgwAow.bat
- C:\RCX1.tmp
- %TEMP%\rsgQUIcE.bat
- <Current directory>\hYkq.exe
- <Current directory>\VyIE.ico
- %TEMP%\cEEMkEso.bat
- %TEMP%\MKEwAQgk.bat
- %TEMP%\icAUQcMc.bat
- %TEMP%\SCcYIQEs.bat
- <Current directory>\uKgM.ico
- %TEMP%\mMggwoYg.bat
- <Current directory>\YIso.exe
- C:\RCX7.tmp
- %TEMP%\iOkIsEgI.bat
- %TEMP%\ygIAEcQU.bat
- %TEMP%\OmsQIQwU.bat
- <Current directory>\DIQI.ico
- <Current directory>\FYUg.exe
- %TEMP%\jYIAAYgA.bat
- <Current directory>\cwIk.exe
- C:\RCX8.tmp
- %TEMP%\IqEsYYEA.bat
- %TEMP%\pScwYMIc.bat
- C:\RCX5.tmp
- %TEMP%\iSgsMMgg.bat
- <Current directory>\xcMO.exe
- <Current directory>\eUEE.exe
- C:\RCX4.tmp
- <Current directory>\sUwE.ico
- %TEMP%\LSkMQkYM.bat
- %TEMP%\hqwAoYcw.bat
- %TEMP%\syMEIoAw.bat
- <Current directory>\xAUs.ico
- %TEMP%\vqowccEU.bat
- <Current directory>\dgwI.ico
- <Current directory>\dkko.exe
- C:\RCX6.tmp
- %ALLUSERSPROFILE%\lwQggIEM\nwAEcgMA.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\DOUU.ico
- <Current directory>\lQUU.exe
- <Current directory>\rcwc.exe
- %TEMP%\KmYoIQQM.bat
- %TEMP%\YUIUwgcA.bat
- %TEMP%\skgwwkcw.bat
- %TEMP%\ZSgscUwE.bat
- <Current directory>\GOQA.ico
- <Current directory>\AkMc.ico
- %TEMP%\eWkQoQAY.bat
- <Current directory>\DIQI.ico
- <Current directory>\Scky.exe
- <Current directory>\JgQQ.exe
- <Current directory>\WaYY.ico
- <Current directory>\aMYY.exe
- <Current directory>\oSco.ico
- <Current directory>\sUcE.exe
- %TEMP%\KwIEIwos.bat
- %TEMP%\UMUIcEEY.bat
- %TEMP%\TqEAAowI.bat
- %TEMP%\FsooAgIk.bat
- %TEMP%\ryIUIoEk.bat
- %TEMP%\FgUIMsMw.bat
- <Current directory>\MYgk.exe
- <Current directory>\nIUk.ico
- %TEMP%\syogIkAU.bat
- %TEMP%\RakMIMgY.bat
- %TEMP%\FkYAMMMk.bat
- <Current directory>\DqYM.ico
- %TEMP%\bWUUoUks.bat
- <Current directory>\MGgM.ico
- %TEMP%\eMAsIkwk.bat
- <Current directory>\Vwsu.exe
- <Current directory>\MaMs.ico
- <Current directory>\FAQm.exe
- %TEMP%\SaggAQkg.bat
- <Current directory>\mQce.exe
- <Current directory>\eUEE.exe
- <Current directory>\hcYQ.ico
- <Current directory>\JyEs.ico
- %TEMP%\iQUoEgkA.bat
- %TEMP%\cEEMkEso.bat
- %TEMP%\KAUgwAow.bat
- %TEMP%\PmMAUcsQ.bat
- %TEMP%\OoswEAwg.bat
- %TEMP%\KmYkkoYg.bat
- <Current directory>\VyIE.ico
- %TEMP%\fywcooAU.bat
- <Current directory>\hYkq.exe
- %TEMP%\iSgsMMgg.bat
- %TEMP%\IqEsYYEA.bat
- <Current directory>\cwIk.exe
- <Current directory>\xAUs.ico
- %TEMP%\SCcYIQEs.bat
- %TEMP%\rYIsUgYQ.bat
- <Current directory>\FYUg.exe
- <Current directory>\uKgM.ico
- %TEMP%\OmsQIQwU.bat
- %TEMP%\vqowccEU.bat
- <Current directory>\dkko.exe
- <Current directory>\xcMO.exe
- <Current directory>\sUwE.ico
- %TEMP%\mMggwoYg.bat
- <Current directory>\YIso.exe
- <Current directory>\dgwI.ico
- %TEMP%\syMEIoAw.bat
- from C:\RCXC.tmp to <Current directory>\JgQQ.exe
- from C:\RCXD.tmp to <Current directory>\rcwc.exe
- from C:\RCXA.tmp to <Current directory>\Scky.exe
- from C:\RCXB.tmp to <Current directory>\aMYY.exe
- from C:\RCX10.tmp to <Current directory>\Vwsu.exe
- from C:\RCX11.tmp to <Current directory>\MYgk.exe
- from C:\RCXE.tmp to <Current directory>\lQUU.exe
- from C:\RCXF.tmp to <Current directory>\sUcE.exe
- from C:\RCX9.tmp to <Current directory>\FYUg.exe
- from C:\RCX3.tmp to <Current directory>\FAQm.exe
- from C:\RCX4.tmp to <Current directory>\eUEE.exe
- from C:\RCX1.tmp to <Current directory>\hYkq.exe
- from C:\RCX2.tmp to <Current directory>\mQce.exe
- from C:\RCX7.tmp to <Current directory>\YIso.exe
- from C:\RCX8.tmp to <Current directory>\cwIk.exe
- from C:\RCX5.tmp to <Current directory>\xcMO.exe
- from C:\RCX6.tmp to <Current directory>\dkko.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'aeEkEEcE.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'