Technical Information
Modifies file system
Creates the following files
- %APPDATA%\roaming\llq\7654llqmini\7654llqmini.exe
- %APPDATA%\roaming\7654llq\7654llqpb\7654pb.exe
- %APPDATA%\7654liulanqi\7654liulanqitips\7654llqtips.exe
- %APPDATA%\screensaver\dll\0a25a21bbd9a1c35250e85d3f53b205a
- %APPDATA%\7654liulanqi\7654llqtuopan\7654llqtuopan.exe
- %LOCALAPPDATA%\microsoft\internet explorer\domstore\p4p79gg0\news.7654[1].xml
Network activity
TCP
HTTP GET requests
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/super.gif.MD5
- http://tt###g.7654.com/image/801ea64b12c60cca13829e40d746622a?im#############################
- http://do###.####browser.shzhanmeng.com/tui/package/tipsplus2/v1.0.5.6/TipsPlus2.gif
- http://tt###g.7654.com/image/e567ff8e8fc7f91b69489fbcb852cb38?im#############################
- http://tt###g.7654.com/image/45060947c74c2765c39e5ad783884995?im#############################
- http://ad###.kpzip.com/ZMdsp/v1/search/?da#######################################################################################################################################################...
- http://ad##.kpzip.com/dsp/user_click?co##########################################################################################################################################################...
- http://tt###g.7654.com/image/2e109c26baeb87777c2dd0cde76f5179?im#############################
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/super.gif
- http://tt###g.7654.com/image/1b53d85f8804e96f70db80392a904d16?im#############################
- http://ss#.#654.com/ssp/ads?qi####################################################
- http://ss#.#654.com/ssp/ads?qi##################################################
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/super.gif.MD5
- http://ne##.##utiaobashi.com/api/tpop/list_new/llq02/1/34/10
- http://we#####.shzhanmeng.com/api/weather_jsonp/0?ca#####################################
- http://ad#.#654.com/prod/news.7654.com.mini_new3.025.json?t=#############
- http://ne##.##utiaobashi.com/api/wps_news_list/14/llq02
- http://ss#.#654.com/ssp/ads?qi################################
- http://tt###g.7654.com/image/3319c0072e9198650763962e297f4843?im#############################
- http://tt###g.7654.com/image/365d3c4b5753939e643ca7e8cda73908?im#############################
- http://tt###g.7654.com/image/d58705195305e3136767a03e4ab7640f?im#############################
- http://tt###g.7654.com/image/d8047acef6d2ecfaabdb651c1dfe22ee?im#############################
- http://tt###g.7654.com/image/242d66e52ccfd8bac6577fac1d45f13b?im#############################
- http://tt###g.7654.com/image/9e4d7e289df9ad80e4e6205035c7aa71?im#############################
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/common.gif
- http://tt###g.7654.com/image/386890f517cacda70318a3f28d5bc6ca?im#############################
- http://tt###g.7654.com/image/1bbf2e07e9b884b17efb9ad2c532a465?im#############################
- http://do###.####browser.shzhanmeng.com/tui/tips/2/tips2-1.zip.MD5
- http://do###.####browser.shzhanmeng.com/tui/tips/tray/v1.0.0.3/traytip-3.exe
- http://tt###g.7654.com/image/c8a0961e2839427ce72e5851d13fecb9?im#############################
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/common.gif.MD5
- http://tt###g.7654.com/image/af2604af20fb345da9798d7595b07e64?im#############################
- http://tt###g.7654.com/image/bb548084ee8c78677e22341b0a495d3c?im#############################
- http://tt###g.7654.com/image/c0fd009d86c034ab8eac5065eb711be7?im#############################
- http://tt###g.7654.com/image/ab55dd9d3f8e0f09ab96338e3da891e8?im#############################
- http://tt###g.7654.com/image/82f0a8037ec35ce7ebe07ea4b00f7233?im#############################
- http://tt###g.7654.com/image/2908f9fa3c12bac099a456dc8a0dbe80?im#############################
- http://tt###g.7654.com/image/74a44033d07c986edcbfe2a4b67f214c?im#############################
- http://ip####tion.7654.com/v1
- http://do###.####browser.shzhanmeng.com/tui/tips/tipsplus2/tipsplus2.json
- http://ss#.#654.com/monitor?qi###############################################################
- http://ne##.7654.com/mini_new3/025/statics/assets/js/dspOrSsp.js?v=####
- http://do###.####browser.shzhanmeng.com/tui/tips/tipsplus2/v1.0.3.5/tipsplus2-1.exe
- http://ne##.7654.com/mini_new3/025/statics/common/js/base.lib.js
- http://ne##.7654.com/mini_new3/025/statics/assets/css/dspSsp.css?v=####
- http://br#####.shzhanmeng.com/browser/stamp_trace?co#############################################################################################################################################...
- http://ne##.7654.com/mini_new3/025/statics/assets/css/index.0606.css?v=###
- http://do###.####browser.shzhanmeng.com/tui/mininews/mininewsplus/ffzdr.png
- http://ne##.7654.com/mini_new3/025/?qi###########################################################################################################################################################...
- http://ne##.7654.com/mini_new3/025/statics/assets/images/route4.png
- http://do###.####browser.shzhanmeng.com/tui/screensaver/v1.0.7.1/screen_saver-5.exe
- http://do###.####browser.shzhanmeng.com/tui/package/mininewsplus/v5.0.293.9/MiniNewsPlusModule.gif
- http://do###.####browser.shzhanmeng.com/tui/package/mininewsplus/v5.0.271.93/mininews-1.exe
- http://do###.####browser.shzhanmeng.com/6645c41d54d23ef884bb8eb455fce1fd.json
- http://ky######on.dftoutiao.com/position/get02
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/uc.gif
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/uc.gif.MD5
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/super.gif
- http://ss#.#654.com/ct?mi########################################################################################################################################################################...
- http://ne##.7654.com/mini_new3/025/statics/assets/images/month.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/consultation1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/selected1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/js/ad360.js?v=####
- http://ne##.7654.com/mini_new3/025/statics/assets/js/adTemps.js?v=####
- http://ne##.7654.com/mini_new3/025/statics/common/js/promise.js
- http://ne##.7654.com/mini_new3/025/statics/common/js/common.js?v=###
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.endless-scroll.min.js
- http://ne##.7654.com/mini_new3/025/statics/common/js/calendar.js?v=#
- http://ne##.7654.com/mini_new3/025/statics/common/js/xDomain.js
- http://sc######vers.shzhanmeng.com/n/1.0.6.9/0A25A21BBD9A1C35250E85D3F53B205A
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.base64.js
- http://sc##########-1252899349.file.myqcloud.com/cdn_bandwith_config.json?v=##########
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.cookie.js
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.min.js
- http://ne##.7654.com/mini_new3/025/statics/assets/images/top1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/not-followed.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/remen.png
- http://sc######vers.shzhanmeng.com/n/ss.json
- http://ne##.7654.com/mini_new3/025/statics/assets/images/rectangle.png
- http://ne##.7654.com/mini_new3/025/statics/assets/js/index.js?v=####
- http://ne##.7654.com/tipsdsp/13/s11/?pr##########################################################################################################################################################...
HTTP POST requests
- http://re####.###eensavers.shzhanmeng.com/screensavers/stamp_trace?co############################################################################################################################...
UDP
- DNS ASK do###.####browser.shzhanmeng.com
- DNS ASK ad##.kpzip.com
- DNS ASK tt###g.7654.com
- DNS ASK we#####.shzhanmeng.com
- DNS ASK hm.##idu.com
- DNS ASK ip####tion.7654.com
- DNS ASK ne##.##utiaobashi.com
- DNS ASK ad###.kpzip.com
- DNS ASK ad#.#654.com
- DNS ASK sc######vers.shzhanmeng.com
- DNS ASK re####.###eensavers.shzhanmeng.com
- DNS ASK ne##.7654.com
- DNS ASK br#####.shzhanmeng.com
- DNS ASK ss#.#654.com
- DNS ASK ky######on.dftoutiao.com
- DNS ASK sc##########-1252899349.file.myqcloud.com
- DNS ASK sh##.#.mediav.com
Miscellaneous
Searches for the following windows
- ClassName: 'C9CD4F35-4AD6-45d3-8A0E-AC211EB1D13E' WindowName: 'C9CD4F35-4AD6-45d3-8A0E-AC211EB1D13E'
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Chrome_MessageWindow' WindowName: 'sc_D7EE826A-3855-4F1B-818C-2571B3AB4F63'
Creates and executes the following
- '%APPDATA%\roaming\llq\7654llqmini\7654llqmini.exe' LXByb2plY3Q9NzY1NEJyb3dzZXIgLWtpbGxwcm9jZXNzPTYwIC1lbmFibGVob21lcGFnZXJhbmQ9MSAtT3B0aW1pemU9MTAgLURpc3BsYXlUaXRsZT03NjU0QnJvd3NlciAtd3JpdGV0Y2s9TGl2ZVVwZGF0ZTM2MCw2MzIgLXVzZXNzcG1vZGU9dHJ1ZSAtV...
- '%APPDATA%\roaming\7654llq\7654llqpb\7654pb.exe' --data=yn20hu0MXqi21W1oPkoo1fbgEtF7j0DiSsZmG+KP4b+LfqVr4h8TlQI7lzQ16xHMDm+ay4KmESL/eXUiSGGzf/DovS1G9IXjFDBfHY4ZWAcaOG6qcwMkz5q/6BI7gFj/z3CEdVafQ9fPPi8=
- '%APPDATA%\7654liulanqi\7654liulanqitips\7654llqtips.exe' T9ToxVhaBp0VzGfqwSVMPGNbTOfQEhLvICOZqezcecdyS25V+RbEkygW1RzSM/xcYF+LSd9oFYrCec8/w84AmyngxY6I65XBGy7yzLwKXTNkKOUt5Bxaeuknr6+KAhmz0sER4N+WwxW5jrtb2HPtVHL7LoNEXii57jCG7DH6JskMovdkzEwy0LgcMdsutx6t4...
- '%APPDATA%\7654liulanqi\7654llqtuopan\7654llqtuopan.exe' dlFuXviETP16sBg6cAnSnOkf7AuTZEKf2yqAawrvM5IMPxsew0E4RW0KMIexLrrwgzhrobQYoLk1tz4HXyTiwflUBNsYDLceuX+yzkl4BQXjiIL7DXg7YL6d6OsEc8r5TckSwATlYNdGqhkyiHthvJFCJ45ocVTgFHjPH5BI1PIft2JMmwNrrBUDDLlt0QOo3...
