Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,C:\ProgramData\sIAowgok\rSYkcwMw.exe,'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'rSYkcwMw.exe' = 'C:\ProgramData\sIAowgok\rSYkcwMw.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'GocwIYEU.exe' = '%HOMEPATH%\CaIocokM\GocwIYEU.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\services\yoYkgMRX] 'Start' = '00000002'
Infects the following executable files:
- C:\ProgramData\Package Cache\{6c95b50e-cb5a-4a1f-a7b4-8a6004f8dd6a}\vcredist_x86.exe
- C:\ProgramData\Package Cache\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}\vcredist_x86.exe
- C:\ProgramData\Package Cache\{615bc16d-60f5-482e-91b3-b51d8130963b}\vcredist_x86.exe
- C:\ProgramData\Package Cache\{01db25f3-1b76-4d97-88c8-1c90634d88fb}\vcredist_x86.exe
- C:\ProgramData\Package Cache\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\vcredist_x86.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- 'C:\ProgramData\ZQIIosos\XiskIEYE.exe'
- 'C:\ProgramData\sIAowgok\rSYkcwMw.exe'
- '%HOMEPATH%\CaIocokM\GocwIYEU.exe'
Executes the following:
- '<SYSTEM32>\reg.exe' <LS_APPDATA>\Temp/file.vbs
- '<SYSTEM32>\cscript.exe' /pid=0x100 /log
- '<SYSTEM32>\conhost.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' /pid=0x980 /log
- '<SYSTEM32>\reg.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\wbem\wmiprvse.exe' <LS_APPDATA>\Temp/file.vbs
- '<SYSTEM32>\cscript.exe' /c ""%TEMP%\RMkUAQoI.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /pid=0xc30 /log
- '<SYSTEM32>\conhost.exe' /c ""%TEMP%\EuIwsocc.bat" "<Full path to virus>""
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\gIYoQAEA.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\reg.exe' /pid=0x9f0 /log
- '<SYSTEM32>\reg.exe' /pid=0xfc /log
- '<SYSTEM32>\conhost.exe' /c ""%TEMP%\dWwkYoQE.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\reg.exe' 0x920 cscript.exe
- '<SYSTEM32>\conhost.exe' /c ""%TEMP%\LiUkQkAw.bat" "<Full path to virus>""
- '<SYSTEM32>\conhost.exe' /c ""%TEMP%\zkgkYEss.bat" "<Full path to virus>""
- '<SYSTEM32>\conhost.exe' /c ""%TEMP%\SkkMEksY.bat" "<Full path to virus>""
- '<SYSTEM32>\conhost.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\conhost.exe' <LS_APPDATA>\Temp/file.vbs
- '<SYSTEM32>\conhost.exe'
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '<SYSTEM32>\cscript.exe' <LS_APPDATA>\Temp/file.vbs
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\reg.exe' 0x3dc cscript.exe
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\uoAogAoE.bat" "<Full path to virus>""
- '<SYSTEM32>\cscript.exe' 0x4f8 cscript.exe
- '<SYSTEM32>\cscript.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '<SYSTEM32>\conhost.exe' /c "<Current directory>\<Virus name>"
- '<SYSTEM32>\conhost.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '<SYSTEM32>\reg.exe'
- '<SYSTEM32>\reg.exe' 0x58c <Virus name>.exe
- '<SYSTEM32>\reg.exe' /c ""%TEMP%\pmUMwock.bat" "<Full path to virus>""
Modifies file system :
Creates the following files:
- C:\RCX1181.tmp
- <Current directory>\nkII.ico
- <Current directory>\gAIa.exe
- C:\RCX1019.tmp
- <Current directory>\gIgI.ico
- <Current directory>\woIO.exe
- C:\RCX1395.tmp
- <Current directory>\AoEY.ico
- <Current directory>\igky.exe
- C:\RCX126C.tmp
- <Current directory>\UIQC.exe
- <Current directory>\FQoG.exe
- C:\RCXD49.tmp
- %TEMP%\zscoowwQ.bat
- C:\RCXAB9.tmp
- <Current directory>\JSAo.ico
- C:\RCXEA1.tmp
- <Current directory>\iAIU.ico
- %TEMP%\ISEIgoEc.bat
- <Current directory>\PUAM.ico
- <Current directory>\Uksw.exe
- C:\RCX1B57.tmp
- <Current directory>\akII.ico
- <Current directory>\bcwE.exe
- C:\RCX1A0F.tmp
- <Current directory>\bcgc.ico
- <Current directory>\Tgoa.exe
- C:\RCX1CC0.tmp
- <Current directory>\NAIA.ico
- <Current directory>\LAcy.exe
- C:\RCX1BE5.tmp
- <Current directory>\UkoS.exe
- <Current directory>\mUEc.ico
- <Current directory>\MIwe.exe
- C:\RCX1616.tmp
- <Current directory>\nGwE.ico
- <Current directory>\ZgAC.exe
- C:\RCX18C6.tmp
- <Current directory>\QqkY.ico
- <Current directory>\NUco.exe
- C:\RCX176E.tmp
- <Current directory>\YWsM.ico
- <Current directory>\wgMs.exe
- C:\RCXFB93.tmp
- <Current directory>\WSwQ.ico
- C:\RCXF932.tmp
- %TEMP%\VIsoQgQY.bat
- <Current directory>\bMkc.ico
- <Current directory>\poYG.exe
- C:\RCXFCEB.tmp
- <Current directory>\wasM.ico
- <Current directory>\McUk.exe
- <Current directory>\Rwgm.exe
- <Current directory>\EAoq.exe
- C:\RCXF672.tmp
- <Current directory>\WoQs.ico
- <Current directory>\lYkk.exe
- C:\RCXF51A.tmp
- <Current directory>\FUQg.ico
- %TEMP%\BcIMoMsU.bat
- C:\RCXF79B.tmp
- <Current directory>\YyoA.ico
- <Current directory>\FQYs.exe
- <Current directory>\CQAG.exe
- C:\RCX6D1.tmp
- <Current directory>\ukAI.ico
- <Current directory>\AUMm.exe
- C:\RCX54A.tmp
- <Current directory>\rGwc.ico
- <Current directory>\oIYW.exe
- C:\RCX961.tmp
- <Current directory>\uwgo.ico
- <Current directory>\AQos.exe
- <Current directory>\FUcs.ico
- C:\RCX28.tmp
- <Current directory>\nCoE.ico
- <Current directory>\vAoA.exe
- C:\RCXFEA1.tmp
- <Current directory>\WmME.ico
- <Current directory>\PgUI.exe
- C:\RCX430.tmp
- <Current directory>\Vccw.ico
- <Current directory>\Ksgm.exe
- C:\RCX1FD.tmp
- <Current directory>\vwQo.ico
- C:\RCX3BA8.tmp
- <Current directory>\oWMs.ico
- <Current directory>\pwEK.exe
- C:\RCX3937.tmp
- <Current directory>\AyUg.ico
- %TEMP%\uoAogAoE.bat
- %TEMP%\XCoYkkkY.bat
- %TEMP%\CiQUkQMk.bat
- %TEMP%\vCYoQsck.bat
- %TEMP%\lUQUcMcI.bat
- <Current directory>\wkko.exe
- <Current directory>\XIAa.exe
- %TEMP%\HAgQYUcA.bat
- <Current directory>\kWgM.ico
- %TEMP%\beMIkssM.bat
- C:\RCX3415.tmp
- C:\RCX387A.tmp
- <Current directory>\UGcE.ico
- <Current directory>\KIAS.exe
- C:\RCX35BB.tmp
- <Current directory>\kAck.ico
- %TEMP%\QWAcAUMQ.bat
- %TEMP%\IesYIwkE.bat
- %TEMP%\XKIwEEkc.bat
- %TEMP%\aYAsgYsQ.bat
- %TEMP%\EuIwsocc.bat
- %TEMP%\zAQgYEAs.bat
- %TEMP%\gIYoQAEA.bat
- %TEMP%\LiUkQkAw.bat
- %TEMP%\dWwkYoQE.bat
- %TEMP%\LeoYAsks.bat
- %TEMP%\LsUMkkcU.bat
- %TEMP%\AAIAgMYk.bat
- %TEMP%\bqYoQsgk.bat
- %TEMP%\zkgkYEss.bat
- %TEMP%\fIUcMEQA.bat
- %TEMP%\EsMkAccQ.bat
- %TEMP%\RMkUAQoI.bat
- %TEMP%\zQwYUckI.bat
- %TEMP%\wukAQQQY.bat
- %TEMP%\ZaoIUAwc.bat
- %TEMP%\hggEgsQU.bat
- <Current directory>\hQMC.exe
- C:\RCX2647.tmp
- <Current directory>\Nycc.ico
- <Current directory>\EIgA.exe
- C:\RCX24EE.tmp
- <Current directory>\Tkgw.ico
- <Current directory>\oYAm.exe
- C:\RCX280C.tmp
- <Current directory>\MSAc.ico
- <Current directory>\wAMG.exe
- <Current directory>\rKMA.ico
- <Current directory>\UAAM.exe
- %TEMP%\xgYgEIoQ.bat
- <Current directory>\piUo.ico
- <Current directory>\DsQK.exe
- C:\RCX1DCA.tmp
- C:\RCX22AC.tmp
- %TEMP%\pmUMwock.bat
- <Current directory>\KwEy.exe
- C:\RCX2154.tmp
- <Current directory>\EicE.ico
- <Current directory>\uoYK.exe
- C:\RCX307B.tmp
- <Current directory>\fQEQ.ico
- <Current directory>\BMAg.exe
- C:\RCX2F32.tmp
- <Current directory>\pGYU.ico
- <Current directory>\XgsK.exe
- C:\RCX3250.tmp
- <Current directory>\Yosw.ico
- <Current directory>\qAgA.exe
- <Current directory>\Taoc.ico
- C:\RCX2B97.tmp
- <Current directory>\BAkw.ico
- <Current directory>\xksA.exe
- C:\RCX2945.tmp
- <Current directory>\qOAM.ico
- <Current directory>\CMsk.exe
- C:\RCX2E66.tmp
- <Current directory>\QuYM.ico
- <Current directory>\vAwU.exe
- C:\RCX2D6C.tmp
- <Current directory>\uQsE.ico
- <Current directory>\xUYK.exe
- C:\RCXA561.tmp
- <Current directory>\WsIs.ico
- <Current directory>\dQcC.exe
- C:\RCXA1E7.tmp
- <Current directory>\fSUE.ico
- <Current directory>\JMgi.exe
- C:\RCXA774.tmp
- <Current directory>\ROUw.ico
- <Current directory>\LkcY.exe
- <Current directory>\PwAM.ico
- %TEMP%\tAYMYoUY.bat
- <Current directory>\JekA.ico
- C:\RCX9AC2.tmp
- %TEMP%\PSwcwosA.bat
- <Current directory>\jAgQ.exe
- <Current directory>\lEUA.exe
- C:\RCX9F37.tmp
- <Current directory>\seAE.ico
- <Current directory>\pQcm.exe
- C:\RCX9C78.tmp
- C:\RCXB242.tmp
- <Current directory>\XMQI.ico
- <Current directory>\cIEQ.exe
- C:\RCXAF93.tmp
- <Current directory>\VoAA.ico
- <Current directory>\KUEQ.exe
- C:\RCXB782.tmp
- <Current directory>\isYQ.ico
- <Current directory>\pAIa.exe
- C:\RCXB54F.tmp
- <Current directory>\AUEm.exe
- C:\RCXAA73.tmp
- %TEMP%\dakgogYY.bat
- <Current directory>\iQAU.exe
- C:\RCXA88E.tmp
- <Current directory>\FuYw.ico
- %TEMP%\SkkMEksY.bat
- <Current directory>\LWIk.ico
- C:\RCXAD9F.tmp
- <Current directory>\oiUs.ico
- <Current directory>\hQgU.exe
- C:\RCX81DD.tmp
- <Current directory>\oMEQ.ico
- <Current directory>\sUQK.exe
- C:\RCX8008.tmp
- <Current directory>\KkEA.ico
- <Current directory>\EQgm.exe
- C:\RCX85B5.tmp
- <Current directory>\Nmcg.ico
- <Current directory>\cwUM.exe
- C:\RCX83C1.tmp
- <Current directory>\IAcA.exe
- <SYSTEM32>\config\systemprofile\CaIocokM\GocwIYEU
- C:\ProgramData\kaog.txt
- C:\ProgramData\ZQIIosos\XiskIEYE.exe
- %HOMEPATH%\CaIocokM\GocwIYEU
- C:\ProgramData\sIAowgok\rSYkcwMw
- %TEMP%\file.vbs
- <Current directory>\Skss.ico
- %TEMP%\uMokIAcY.bat
- %TEMP%\uKsEAIYA.bat
- <Current directory>\<Virus name>
- <Current directory>\yOcQ.ico
- <Current directory>\hYIa.exe
- C:\RCX94A7.tmp
- <Current directory>\BkgA.ico
- <Current directory>\yQQY.exe
- C:\RCX995B.tmp
- <Current directory>\BOIw.ico
- <Current directory>\oQQa.exe
- C:\RCX96BB.tmp
- <Current directory>\MEYc.ico
- C:\RCX9227.tmp
- %TEMP%\DoMIMook.bat
- %TEMP%\sIkgkUIY.bat
- C:\RCX896E.tmp
- <Current directory>\PgYo.ico
- <Current directory>\qcce.exe
- <Current directory>\Dykc.ico
- <Current directory>\JEwO.exe
- C:\RCX8D65.tmp
- <Current directory>\LoIk.ico
- <Current directory>\aQYC.exe
- <Current directory>\ssEQ.ico
- <Current directory>\FoEU.exe
- C:\RCXDEF2.tmp
- <Current directory>\iQME.ico
- <Current directory>\awYA.exe
- C:\RCXDCBF.tmp
- <Current directory>\kcMY.ico
- <Current directory>\iUcW.exe
- C:\RCXE03A.tmp
- <Current directory>\ZuwU.ico
- <Current directory>\zAcU.exe
- <Current directory>\ykMg.ico
- C:\RCXD492.tmp
- <Current directory>\egMc.ico
- <Current directory>\ysEA.exe
- C:\RCXD349.tmp
- <Current directory>\QyQg.ico
- <Current directory>\ogcA.exe
- C:\RCXD926.tmp
- <Current directory>\aAgs.ico
- <Current directory>\UkcG.exe
- C:\RCXD770.tmp
- C:\RCXEEDF.tmp
- <Current directory>\tCQk.ico
- <Current directory>\vQAw.exe
- C:\RCXED0A.tmp
- <Current directory>\EUgA.ico
- <Current directory>\yMMc.exe
- C:\RCXF47D.tmp
- <Current directory>\eUgg.ico
- <Current directory>\Xocm.exe
- C:\RCXF19E.tmp
- <Current directory>\sMsS.exe
- <Current directory>\FCcI.ico
- <Current directory>\dQcw.exe
- %TEMP%\OKEQkUgs.bat
- C:\RCXE24E.tmp
- %TEMP%\eqEkYwcA.bat
- C:\RCXEAA9.tmp
- <Current directory>\Rakg.ico
- <Current directory>\CMUk.exe
- C:\RCXE848.tmp
- <Current directory>\tEsE.ico
- <Current directory>\yEwc.exe
- C:\RCXC147.tmp
- <Current directory>\wAUY.ico
- C:\RCXBEE6.tmp
- %TEMP%\YkwAsoMU.bat
- <Current directory>\yeME.ico
- <Current directory>\uEoW.exe
- C:\RCXC473.tmp
- <Current directory>\bkAY.ico
- <Current directory>\pkwO.exe
- <Current directory>\GIsW.exe
- <Current directory>\WIwC.exe
- C:\RCXBBF7.tmp
- <Current directory>\fsIY.ico
- <Current directory>\tUoy.exe
- C:\RCXBAAE.tmp
- %TEMP%\cmEEEAAo.bat
- <Current directory>\Lykk.ico
- C:\RCXBD8D.tmp
- <Current directory>\rYok.ico
- <Current directory>\vgow.exe
- %TEMP%\eGockAoA.bat
- <Current directory>\OaQo.ico
- C:\RCXCE77.tmp
- <Current directory>\jwsS.exe
- <Auxiliary element>
- <Current directory>\xkMg.ico
- <Current directory>\TYsi.exe
- %TEMP%\EYIAkIUg.bat
- <Current directory>\xwAE.exe
- C:\RCXD184.tmp
- <Current directory>\PyEQ.ico
- C:\RCXC87B.tmp
- <Current directory>\owMI.ico
- <Current directory>\iMwM.exe
- C:\RCXC5FA.tmp
- <Current directory>\NGUc.ico
- <Current directory>\kUoi.exe
- C:\RCXCC54.tmp
- <Current directory>\ruYU.ico
- <Current directory>\HQEU.exe
- C:\RCXCB1B.tmp
Deletes the following files:
- <Current directory>\AoEY.ico
- <Current directory>\igky.exe
- <Current directory>\nkII.ico
- <Current directory>\ZgAC.exe
- <Current directory>\nGwE.ico
- <Current directory>\woIO.exe
- <Current directory>\gAIa.exe
- <Current directory>\Uksw.exe
- <Current directory>\PUAM.ico
- %TEMP%\zscoowwQ.bat
- <Current directory>\gIgI.ico
- <Current directory>\UIQC.exe
- <Current directory>\iAIU.ico
- <Current directory>\mUEc.ico
- <Current directory>\NAIA.ico
- <Current directory>\LAcy.exe
- <Current directory>\akII.ico
- <Current directory>\DsQK.exe
- <Current directory>\vwQo.ico
- <Current directory>\Tgoa.exe
- <Current directory>\bcwE.exe
- <Current directory>\NUco.exe
- <Current directory>\YWsM.ico
- <Current directory>\MIwe.exe
- <Current directory>\bcgc.ico
- <Current directory>\UkoS.exe
- <Current directory>\QqkY.ico
- <Current directory>\FQoG.exe
- <Current directory>\bMkc.ico
- <Current directory>\McUk.exe
- <Current directory>\wasM.ico
- <Current directory>\vAoA.exe
- <Current directory>\WmME.ico
- <Current directory>\poYG.exe
- <Current directory>\wgMs.exe
- <Current directory>\FUQg.ico
- <Current directory>\FQYs.exe
- <Current directory>\YyoA.ico
- <Current directory>\WSwQ.ico
- %TEMP%\BcIMoMsU.bat
- <Current directory>\Rwgm.exe
- <Current directory>\nCoE.ico
- %TEMP%\VIsoQgQY.bat
- <Current directory>\AQos.exe
- <Current directory>\uwgo.ico
- <Current directory>\JSAo.ico
- <Current directory>\oIYW.exe
- <Current directory>\rGwc.ico
- <Current directory>\CQAG.exe
- <Current directory>\PgUI.exe
- <Current directory>\Vccw.ico
- <Current directory>\Ksgm.exe
- <Current directory>\ukAI.ico
- <Current directory>\AUMm.exe
- <Current directory>\FUcs.ico
- <Current directory>\piUo.ico
- %TEMP%\CiQUkQMk.bat
- %TEMP%\vCYoQsck.bat
- <Current directory>\pwEK.exe
- %TEMP%\EsMkAccQ.bat
- %TEMP%\XCoYkkkY.bat
- %TEMP%\uoAogAoE.bat
- <Current directory>\AyUg.ico
- <Current directory>\KIAS.exe
- <Current directory>\kAck.ico
- <Current directory>\XIAa.exe
- <Current directory>\wkko.exe
- <Current directory>\UGcE.ico
- %TEMP%\pmUMwock.bat
- %TEMP%\zkgkYEss.bat
- %TEMP%\dWwkYoQE.bat
- %TEMP%\IesYIwkE.bat
- %TEMP%\XKIwEEkc.bat
- %TEMP%\zAQgYEAs.bat
- %TEMP%\LiUkQkAw.bat
- %TEMP%\LeoYAsks.bat
- %TEMP%\EuIwsocc.bat
- %TEMP%\wukAQQQY.bat
- %TEMP%\ZaoIUAwc.bat
- %TEMP%\AAIAgMYk.bat
- %TEMP%\aYAsgYsQ.bat
- %TEMP%\zQwYUckI.bat
- %TEMP%\RMkUAQoI.bat
- <Current directory>\kWgM.ico
- <Current directory>\wAMG.exe
- <Current directory>\MSAc.ico
- <Current directory>\hQMC.exe
- <Current directory>\qOAM.ico
- <Current directory>\oYAm.exe
- <Current directory>\Tkgw.ico
- <Current directory>\Nycc.ico
- <Current directory>\EicE.ico
- %TEMP%\xgYgEIoQ.bat
- <Current directory>\UAAM.exe
- <Current directory>\EIgA.exe
- <Current directory>\rKMA.ico
- <Current directory>\KwEy.exe
- <Current directory>\xksA.exe
- <Current directory>\qAgA.exe
- <Current directory>\Yosw.ico
- <Current directory>\uoYK.exe
- %TEMP%\beMIkssM.bat
- <Current directory>\XgsK.exe
- <Current directory>\pGYU.ico
- <Current directory>\fQEQ.ico
- <Current directory>\QuYM.ico
- <Current directory>\vAwU.exe
- <Current directory>\BAkw.ico
- <Current directory>\BMAg.exe
- <Current directory>\Taoc.ico
- <Current directory>\CMsk.exe
- <Current directory>\EAoq.exe
- <Current directory>\FuYw.ico
- <Current directory>\JMgi.exe
- <Current directory>\fSUE.ico
- <Current directory>\oiUs.ico
- %TEMP%\dakgogYY.bat
- <Current directory>\iQAU.exe
- <Current directory>\LkcY.exe
- <Current directory>\dQcC.exe
- <Current directory>\PwAM.ico
- <Current directory>\lEUA.exe
- <Current directory>\ROUw.ico
- <Current directory>\xUYK.exe
- <Current directory>\WsIs.ico
- <Current directory>\hQgU.exe
- <Current directory>\tUoy.exe
- <Current directory>\ssEQ.ico
- <Current directory>\KUEQ.exe
- <Current directory>\rYok.ico
- <Current directory>\WIwC.exe
- <Current directory>\fsIY.ico
- <Current directory>\isYQ.ico
- <Current directory>\VoAA.ico
- <Current directory>\AUEm.exe
- <Current directory>\LWIk.ico
- <Current directory>\pAIa.exe
- <Current directory>\XMQI.ico
- <Current directory>\cIEQ.exe
- <Current directory>\seAE.ico
- %TEMP%\DoMIMook.bat
- <Current directory>\EQgm.exe
- <Current directory>\Nmcg.ico
- <Current directory>\LoIk.ico
- <Current directory>\qcce.exe
- <Current directory>\PgYo.ico
- <Current directory>\cwUM.exe
- <Current directory>\IAcA.exe
- <Current directory>\Skss.ico
- %TEMP%\uKsEAIYA.bat
- <Current directory>\oMEQ.ico
- <Current directory>\sUQK.exe
- <Current directory>\KkEA.ico
- <Current directory>\aQYC.exe
- <Current directory>\BOIw.ico
- %TEMP%\PSwcwosA.bat
- <Current directory>\oQQa.exe
- <Current directory>\pQcm.exe
- <Current directory>\JekA.ico
- <Current directory>\jAgQ.exe
- <Current directory>\MEYc.ico
- <Current directory>\BkgA.ico
- <Current directory>\JEwO.exe
- <Current directory>\Dykc.ico
- <Current directory>\hYIa.exe
- <Current directory>\yOcQ.ico
- <Current directory>\yQQY.exe
- <Current directory>\vgow.exe
- <Current directory>\kcMY.ico
- <Current directory>\zAcU.exe
- <Current directory>\ZuwU.ico
- <Current directory>\FCcI.ico
- %TEMP%\eqEkYwcA.bat
- <Current directory>\iUcW.exe
- %TEMP%\EYIAkIUg.bat
- <Current directory>\ykMg.ico
- <Current directory>\ogcA.exe
- <Current directory>\aAgs.ico
- <Current directory>\FoEU.exe
- <Current directory>\iQME.ico
- <Current directory>\awYA.exe
- <Current directory>\dQcw.exe
- <Current directory>\yMMc.exe
- <Current directory>\eUgg.ico
- <Current directory>\Xocm.exe
- <Current directory>\WoQs.ico
- <Current directory>\lYkk.exe
- <Current directory>\uQsE.ico
- <Current directory>\tCQk.ico
- <Current directory>\Rakg.ico
- <Current directory>\CMUk.exe
- <Current directory>\tEsE.ico
- <Current directory>\vQAw.exe
- <Current directory>\EUgA.ico
- <Current directory>\sMsS.exe
- <Current directory>\UkcG.exe
- <Current directory>\uEoW.exe
- <Current directory>\yeME.ico
- <Current directory>\pkwO.exe
- <Current directory>\owMI.ico
- <Current directory>\iMwM.exe
- <Current directory>\NGUc.ico
- <Current directory>\bkAY.ico
- <Current directory>\GIsW.exe
- <Current directory>\Lykk.ico
- %TEMP%\cmEEEAAo.bat
- %TEMP%\SkkMEksY.bat
- <Current directory>\yEwc.exe
- <Current directory>\wAUY.ico
- <Current directory>\HQEU.exe
- <Current directory>\TYsi.exe
- <Current directory>\xkMg.ico
- <Current directory>\xwAE.exe
- <Current directory>\egMc.ico
- <Current directory>\ysEA.exe
- <Current directory>\QyQg.ico
- <Current directory>\OaQo.ico
- <Current directory>\PyEQ.ico
- <Current directory>\kUoi.exe
- <Current directory>\ruYU.ico
- %TEMP%\YkwAsoMU.bat
- %TEMP%\eGockAoA.bat
- <Current directory>\jwsS.exe
Moves the following files:
- from C:\RCXAB9.tmp to <Current directory>\oIYW.exe
- from C:\RCXD49.tmp to <Current directory>\FQoG.exe
- from C:\RCX961.tmp to <Current directory>\AQos.exe
- from C:\RCX54A.tmp to <Current directory>\AUMm.exe
- from C:\RCX6D1.tmp to <Current directory>\CQAG.exe
- from C:\RCXEA1.tmp to <Current directory>\Uksw.exe
- from C:\RCX1395.tmp to <Current directory>\woIO.exe
- from C:\RCX1616.tmp to <Current directory>\ZgAC.exe
- from C:\RCX126C.tmp to <Current directory>\igky.exe
- from C:\RCX1019.tmp to <Current directory>\UIQC.exe
- from C:\RCX1181.tmp to <Current directory>\gAIa.exe
- from C:\RCX430.tmp to <Current directory>\PgUI.exe
- from C:\RCXF672.tmp to <Current directory>\EAoq.exe
- from C:\RCXF79B.tmp to <Current directory>\FQYs.exe
- from C:\RCXF51A.tmp to <Current directory>\lYkk.exe
- from C:\RCXF19E.tmp to <Current directory>\Xocm.exe
- from C:\RCXF47D.tmp to <Current directory>\yMMc.exe
- from C:\RCXF932.tmp to <Current directory>\Rwgm.exe
- from C:\RCX28.tmp to <Current directory>\vAoA.exe
- from C:\RCX1FD.tmp to <Current directory>\Ksgm.exe
- from C:\RCXFEA1.tmp to <Current directory>\poYG.exe
- from C:\RCXFB93.tmp to <Current directory>\wgMs.exe
- from C:\RCXFCEB.tmp to <Current directory>\McUk.exe
- from C:\RCX176E.tmp to <Current directory>\MIwe.exe
- from C:\RCX2F32.tmp to <Current directory>\BMAg.exe
- from C:\RCX307B.tmp to <Current directory>\uoYK.exe
- from C:\RCX2E66.tmp to <Current directory>\CMsk.exe
- from C:\RCX2B97.tmp to <Current directory>\xksA.exe
- from C:\RCX2D6C.tmp to <Current directory>\vAwU.exe
- from C:\RCX3250.tmp to <Current directory>\qAgA.exe
- from C:\RCX3937.tmp to <Current directory>\wkko.exe
- from C:\RCX3BA8.tmp to <Current directory>\pwEK.exe
- from C:\RCX387A.tmp to <Current directory>\KIAS.exe
- from C:\RCX3415.tmp to <Current directory>\XgsK.exe
- from C:\RCX35BB.tmp to <Current directory>\XIAa.exe
- from C:\RCX2945.tmp to <Current directory>\oYAm.exe
- from C:\RCX1BE5.tmp to <Current directory>\LAcy.exe
- from C:\RCX1CC0.tmp to <Current directory>\Tgoa.exe
- from C:\RCX1B57.tmp to <Current directory>\bcwE.exe
- from C:\RCX18C6.tmp to <Current directory>\NUco.exe
- from C:\RCX1A0F.tmp to <Current directory>\UkoS.exe
- from C:\RCX1DCA.tmp to <Current directory>\DsQK.exe
- from C:\RCX2647.tmp to <Current directory>\hQMC.exe
- from C:\RCX280C.tmp to <Current directory>\wAMG.exe
- from C:\RCX24EE.tmp to <Current directory>\EIgA.exe
- from C:\RCX2154.tmp to <Current directory>\UAAM.exe
- from C:\RCX22AC.tmp to <Current directory>\KwEy.exe
- from C:\RCXA774.tmp to <Current directory>\LkcY.exe
- from C:\RCXA88E.tmp to <Current directory>\JMgi.exe
- from C:\RCXA561.tmp to <Current directory>\xUYK.exe
- from C:\RCX9F37.tmp to <Current directory>\lEUA.exe
- from C:\RCXA1E7.tmp to <Current directory>\dQcC.exe
- from C:\RCXAA73.tmp to <Current directory>\iQAU.exe
- from C:\RCXB54F.tmp to <Current directory>\pAIa.exe
- from C:\RCXB782.tmp to <Current directory>\KUEQ.exe
- from C:\RCXB242.tmp to <Current directory>\cIEQ.exe
- from C:\RCXAD9F.tmp to <Current directory>\hQgU.exe
- from C:\RCXAF93.tmp to <Current directory>\AUEm.exe
- from C:\RCX9C78.tmp to <Current directory>\pQcm.exe
- from C:\RCX85B5.tmp to <Current directory>\EQgm.exe
- from C:\RCX896E.tmp to <Current directory>\qcce.exe
- from C:\RCX83C1.tmp to <Current directory>\cwUM.exe
- from C:\RCX8008.tmp to <Current directory>\IAcA.exe
- from C:\RCX81DD.tmp to <Current directory>\sUQK.exe
- from C:\RCX8D65.tmp to <Current directory>\aQYC.exe
- from C:\RCX995B.tmp to <Current directory>\oQQa.exe
- from C:\RCX9AC2.tmp to <Current directory>\jAgQ.exe
- from C:\RCX96BB.tmp to <Current directory>\hYIa.exe
- from C:\RCX9227.tmp to <Current directory>\JEwO.exe
- from C:\RCX94A7.tmp to <Current directory>\yQQY.exe
- from C:\RCXBAAE.tmp to <Current directory>\tUoy.exe
- from C:\RCXDCBF.tmp to <Current directory>\awYA.exe
- from C:\RCXDEF2.tmp to <Current directory>\FoEU.exe
- from C:\RCXD926.tmp to <Current directory>\ogcA.exe
- from C:\RCXD492.tmp to <Current directory>\ysEA.exe
- from C:\RCXD770.tmp to <Current directory>\UkcG.exe
- from C:\RCXE03A.tmp to <Current directory>\zAcU.exe
- from C:\RCXED0A.tmp to <Current directory>\sMsS.exe
- from C:\RCXEEDF.tmp to <Current directory>\vQAw.exe
- from C:\RCXEAA9.tmp to <Current directory>\CMUk.exe
- from C:\RCXE24E.tmp to <Current directory>\iUcW.exe
- from C:\RCXE848.tmp to <Current directory>\dQcw.exe
- from C:\RCXD349.tmp to <Current directory>\TYsi.exe
- from C:\RCXC147.tmp to <Current directory>\yEwc.exe
- from C:\RCXC473.tmp to <Current directory>\pkwO.exe
- from C:\RCXBEE6.tmp to <Current directory>\GIsW.exe
- from C:\RCXBBF7.tmp to <Current directory>\WIwC.exe
- from C:\RCXBD8D.tmp to <Current directory>\vgow.exe
- from C:\RCXC5FA.tmp to <Current directory>\uEoW.exe
- from C:\RCXCE77.tmp to <Current directory>\jwsS.exe
- from C:\RCXD184.tmp to <Current directory>\xwAE.exe
- from C:\RCXCC54.tmp to <Current directory>\kUoi.exe
- from C:\RCXC87B.tmp to <Current directory>\iMwM.exe
- from C:\RCXCB1B.tmp to <Current directory>\HQEU.exe
Deletes itself.
Network activity:
UDP:
- DNS ASK dn#.##ftncsi.com
- DNS ASK google.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: 'GocwIYEU.exe'
- ClassName: '' WindowName: 'rSYkcwMw.exe'
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
