Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'aeEkEEcE.exe' = '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'pUccUkoM.exe' = '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- hidden files (Explorer\Advanced value Hidden is set to 2 by the reg.exe command listed below, so the dropped files are not shown by Explorer)
- file extensions (Explorer\Advanced value HideFileExt is set to 1 by the reg.exe command listed below, so the .exe/.bat/.vbs extensions of the dropped files are hidden)
- User Account Control (UAC) (Policies\System value EnableLUA is set to 0 by the reg.exe command listed below, which disables UAC prompts; this change only takes full effect after a reboot)
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe' %TEMP%\file.vbs
- '%ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe'
- '%HOMEPATH%\fCkYUMIQ\pUccUkoM.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MkcoYkwk.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3680
- '<SYSTEM32>\cscript.exe'
- '<SYSTEM32>\reg.exe' /pid=3964
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bqQsIckw.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=3972
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kgkQYUEI.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\reg.exe' /pid=3300
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\docQswMc.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=3412
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\aOYgEAcg.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=3380
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VSosAYkw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\YWowcIYw.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kAIgskgk.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\rSsYUwAM.bat" "<Full path to virus>""
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EKwYUUwk.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=2816
- '<SYSTEM32>\reg.exe' /pid=3812
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\jMcUkYwQ.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' %TEMP%\file.vbs
- '<SYSTEM32>\reg.exe' /pid=3636
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LmUIAYks.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\cscript.exe' /pid=1600
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\iqsIoMYg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ZQQsMIEA.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kEAgccUg.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\kYYMIgcU.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\LwUYMYIs.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\bGcgUoUU.bat" "<Full path to virus>""
- '<SYSTEM32>\taskkill.exe' /FI "USERNAME eq %USERNAME%" /F /IM aeEkEEcE.exe
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CCgQUsEM.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' %TEMP%\file.vbs
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\BKcsQoIo.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\OUEUMYww.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\reg.exe' /pid=3060
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\pekYMsAE.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=2768
- '<SYSTEM32>\reg.exe' /pid=1972
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\EOUoYQcY.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\qaIkQgoc.bat" "<Full path to virus>""
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PSQcUMEk.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=1696
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\NyYIYIcA.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /pid=2684
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\reg.exe
- %TEMP%\LmUIAYks.bat
- %TEMP%\ckMEwEgc.bat
- <Current directory>\bkYU.ico
- C:\RCXA.tmp
- C:\RCX9.tmp
- <Current directory>\QYou.ico
- <Current directory>\rEMG.exe
- C:\RCXC.tmp
- %TEMP%\iYogUMUY.bat
- %TEMP%\kAIgskgk.bat
- <Current directory>\TgIE.exe
- <Current directory>\lkkU.exe
- C:\RCXB.tmp
- <Current directory>\ysEO.ico
- C:\RCX7.tmp
- %TEMP%\MkcoYkwk.bat
- %TEMP%\dAwQQkgo.bat
- %TEMP%\bqQsIckw.bat
- %TEMP%\ZcYAQkYU.bat
- <Current directory>\EQUS.ico
- <Current directory>\JMcw.exe
- <Current directory>\wUkA.ico
- %TEMP%\sYMcwEss.bat
- <Current directory>\OAMe.exe
- C:\RCX8.tmp
- <Current directory>\awce.ico
- <Current directory>\xoYo.exe
- %TEMP%\jMcUkYwQ.bat
- <Current directory>\HMcI.ico
- <Current directory>\YoIw.exe
- C:\RCX11.tmp
- C:\RCX10.tmp
- %TEMP%\uIEwEYoY.bat
- <Current directory>\SMoc.ico
- <Current directory>\dgUi.exe
- C:\RCX12.tmp
- %TEMP%\xwgIoEMA.bat
- <Current directory>\yEUQ.ico
- %TEMP%\rSsYUwAM.bat
- %TEMP%\mAUUUoIU.bat
- <Current directory>\PQUs.ico
- <Current directory>\SgEk.exe
- %TEMP%\BkgcwMAA.bat
- <Current directory>\MAAI.ico
- <Current directory>\QsEG.exe
- %TEMP%\YWowcIYw.bat
- <Current directory>\iUMC.ico
- <Current directory>\SUkS.exe
- C:\RCXD.tmp
- <Current directory>\tEAO.exe
- C:\RCXF.tmp
- %TEMP%\EKwYUUwk.bat
- %TEMP%\YCIMkwsk.bat
- C:\RCXE.tmp
- %TEMP%\VSosAYkw.bat
- <Current directory>\zMoU.ico
- %TEMP%\kYYMIgcU.bat
- %TEMP%\IoUQgEkg.bat
- %TEMP%\PSQcUMEk.bat
- %TEMP%\LWcYYkEc.bat
- %TEMP%\bGcgUoUU.bat
- %TEMP%\zCQwEgwo.bat
- %TEMP%\LwUYMYIs.bat
- %TEMP%\bgIkowko.bat
- %TEMP%\NyYIYIcA.bat
- %TEMP%\IesoAQoA.bat
- %TEMP%\qaIkQgoc.bat
- %TEMP%\iakEsIEU.bat
- %TEMP%\JuYUEIIE.bat
- %TEMP%\EOUoYQcY.bat
- %TEMP%\TSMQIwUs.bat
- %TEMP%\file.vbs
- %TEMP%\CCgQUsEM.bat
- %TEMP%\BKcsQoIo.bat
- %TEMP%\iWoAcEQk.bat
- <Current directory>\<Virus name>
- %TEMP%\mOocEEIU.bat
- %TEMP%\iqsIoMYg.bat
- %TEMP%\WyUMUssM.bat
- %TEMP%\ZQQsMIEA.bat
- %TEMP%\yugQsMko.bat
- %TEMP%\kEAgccUg.bat
- %TEMP%\weAkIoAU.bat
- %TEMP%\aOYgEAcg.bat
- C:\RCX4.tmp
- %TEMP%\kgkQYUEI.bat
- <Current directory>\lEQu.exe
- C:\RCX3.tmp
- %TEMP%\nGkQkYIg.bat
- <Current directory>\ZAIy.ico
- <Current directory>\HIIq.ico
- <Current directory>\awwm.exe
- C:\RCX6.tmp
- C:\RCX5.tmp
- %TEMP%\DqgkgwYk.bat
- <Current directory>\pcoK.ico
- <Current directory>\Rggy.exe
- <Current directory>\QgMc.exe
- %TEMP%\fWoMkgkA.bat
- C:\RCX1.tmp
- %TEMP%\pekYMsAE.bat
- %TEMP%\lCgAckMI.bat
- %TEMP%\OUEUMYww.bat
- <Current directory>\Tosm.ico
- C:\RCX2.tmp
- <Current directory>\rEsw.ico
- <Current directory>\ZEoG.exe
- %TEMP%\KCYMIYgY.bat
- %TEMP%\docQswMc.bat
- <Current directory>\VwoG.ico
- <Current directory>\LwoO.exe
- %ALLUSERSPROFILE%\BWogoUMg\aeEkEEcE.exe
- %HOMEPATH%\fCkYUMIQ\pUccUkoM.exe
- <Current directory>\lkkU.exe
- %TEMP%\ckMEwEgc.bat
- <Current directory>\QYou.ico
- <Current directory>\bkYU.ico
- %TEMP%\iYogUMUY.bat
- <Current directory>\ysEO.ico
- <Current directory>\TgIE.exe
- <Current directory>\rEMG.exe
- <Current directory>\xoYo.exe
- %TEMP%\dAwQQkgo.bat
- <Current directory>\EQUS.ico
- <Current directory>\awce.ico
- <Current directory>\wUkA.ico
- %TEMP%\sYMcwEss.bat
- <Current directory>\OAMe.exe
- <Current directory>\SUkS.exe
- <Current directory>\YoIw.exe
- %TEMP%\uIEwEYoY.bat
- <Current directory>\SMoc.ico
- <Current directory>\HMcI.ico
- <Current directory>\PQUs.ico
- <Current directory>\SgEk.exe
- %TEMP%\mAUUUoIU.bat
- <Current directory>\dgUi.exe
- <Current directory>\QsEG.exe
- %TEMP%\BkgcwMAA.bat
- <Current directory>\iUMC.ico
- <Current directory>\MAAI.ico
- <Current directory>\zMoU.ico
- <Current directory>\tEAO.exe
- %TEMP%\YCIMkwsk.bat
- <Current directory>\JMcw.exe
- %TEMP%\JuYUEIIE.bat
- %TEMP%\iakEsIEU.bat
- %TEMP%\IoUQgEkg.bat
- %TEMP%\bgIkowko.bat
- %TEMP%\fWoMkgkA.bat
- %TEMP%\lCgAckMI.bat
- %TEMP%\IesoAQoA.bat
- %TEMP%\LWcYYkEc.bat
- %TEMP%\yugQsMko.bat
- %TEMP%\TSMQIwUs.bat
- %TEMP%\iWoAcEQk.bat
- %TEMP%\weAkIoAU.bat
- %TEMP%\zCQwEgwo.bat
- %TEMP%\WyUMUssM.bat
- %TEMP%\mOocEEIU.bat
- <Current directory>\QgMc.exe
- %TEMP%\DqgkgwYk.bat
- <Current directory>\Rggy.exe
- <Current directory>\ZAIy.ico
- <Current directory>\pcoK.ico
- %TEMP%\ZcYAQkYU.bat
- <Current directory>\HIIq.ico
- <Current directory>\awwm.exe
- <Current directory>\lEQu.exe
- <Current directory>\VwoG.ico
- <Current directory>\LwoO.exe
- <Current directory>\Tosm.ico
- %TEMP%\KCYMIYgY.bat
- %TEMP%\nGkQkYIg.bat
- <Current directory>\rEsw.ico
- <Current directory>\ZEoG.exe
- from C:\RCXC.tmp to <Current directory>\TgIE.exe
- from C:\RCXD.tmp to <Current directory>\SUkS.exe
- from C:\RCXA.tmp to <Current directory>\rEMG.exe
- from C:\RCXB.tmp to <Current directory>\lkkU.exe
- from C:\RCXE.tmp to <Current directory>\QsEG.exe
- from C:\RCX11.tmp to <Current directory>\YoIw.exe
- from C:\RCX12.tmp to <Current directory>\SgEk.exe
- from C:\RCXF.tmp to <Current directory>\tEAO.exe
- from C:\RCX10.tmp to <Current directory>\dgUi.exe
- from C:\RCX3.tmp to <Current directory>\ZEoG.exe
- from C:\RCX4.tmp to <Current directory>\lEQu.exe
- from C:\RCX1.tmp to <Current directory>\QgMc.exe
- from C:\RCX2.tmp to <Current directory>\LwoO.exe
- from C:\RCX5.tmp to <Current directory>\Rggy.exe
- from C:\RCX8.tmp to <Current directory>\xoYo.exe
- from C:\RCX9.tmp to <Current directory>\OAMe.exe
- from C:\RCX6.tmp to <Current directory>\awwm.exe
- from C:\RCX7.tmp to <Current directory>\JMcw.exe
- '19#.#86.45.170':9999
- '74.##5.232.51':80
- '20#.#7.164.69':9999
- '20#.#19.204.12':9999
- 74.##5.232.51/
- DNS ASK google.com
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'pUccUkoM.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'aeEkEEcE.exe'