Technical Information
Modifies file system:
Creates the following files:
- %TEMP%\Ce415.tmp
- %TEMP%\UAF14.tmp
- %TEMP%\ukB17.tmp
- %TEMP%\hMd16.tmp
- %TEMP%\3pv11.tmp
- %TEMP%\dZr10.tmp
- %TEMP%\pRR13.tmp
- %TEMP%\0Gj12.tmp
- %TEMP%\uDF1D.tmp
- %TEMP%\3Ug1C.tmp
- %TEMP%\Lc11F.tmp
- %TEMP%\Pjz1E.tmp
- %TEMP%\dUS19.tmp
- %TEMP%\ZzS18.tmp
- %TEMP%\QXe1B.tmp
- %TEMP%\gvM1A.tmp
- %TEMP%\eUB5.tmp
- %TEMP%\2Lt4.tmp
- %TEMP%\i8m7.tmp
- %TEMP%\uiT6.tmp
- %TEMP%\1qo1.tmp
- %WINDIR%\shield8425.inf
- %TEMP%\NXK2.tmp
- %TEMP%\tmp3.tmp
- %TEMP%\Q7ID.tmp
- %TEMP%\oc0C.tmp
- %TEMP%\j9GF.tmp
- %TEMP%\X0AE.tmp
- %TEMP%\jD79.tmp
- %TEMP%\tar8.tmp
- %TEMP%\3oHB.tmp
- %TEMP%\je7A.tmp
Deletes the following files:
- <Full path to file>
- %TEMP%\tmp3.tmp
- %WINDIR%\shield8425.inf
Network activity:
Connects to:
- 'in#.#gkj.com':80
- 'lw##g.top':80
- 'dw.#efb.com':80
- 'in#.#88b.com':80
- 'in#.#8qz.com':80
- 'ap##.#ame.qq.com':80
TCP:
HTTP GET requests:
- http://in#.#8qz.com/soft/gc.ini
- http://in#.#gkj.com/soft1/aaa/silu004.zip
- http://dw.#efb.com/soft1/aaa/silu004.zip
- http://in#.#88b.com/tt/pb.ini
- http://in#.#8qz.com/soft1/aaa/silu004.zip
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
HTTP POST requests:
- http://lw##g.top/api/r/mcm
UDP:
- DNS ASK lw##g.top
- DNS ASK dw.#efb.com
- DNS ASK e0######2e05a4d4.58su.cn
- DNS ASK in#.#gkj.com
- DNS ASK in#.#88b.com
- DNS ASK in#.#8qz.com
- DNS ASK ap##.#ame.qq.com
Miscellaneous:
Executes the following:
- '<SYSTEM32>\cmd.exe' /c del /Q /F "<Full path to file>"
- '<SYSTEM32>\ipconfig.exe' /flushdns
