Technical Information
Modifies file system
Creates the following files
- %APPDATA%\roaming\llq\7654llqmini\7654llqmini.exe
- %APPDATA%\roaming\7654llq\7654llqpb\7654pb.exe
- %TEMP%\mn6c3.tmp.tlb
- %APPDATA%\7654liulanqi\7654liulanqitips\7654llqtips.exe
- %APPDATA%\screensaver\dll\c0b32f5186dd75880d7e21c404d6029d
- %LOCALAPPDATA%\microsoft\internet explorer\domstore\w37zlxnl\news.7654[1].xml
- %APPDATA%\7654liulanqi\7654llqtuopan\7654llqtuopan.exe
- %APPDATA%\7654liulanqi\7654llqtuopan\5eb218eed8459.ico
Network activity
TCP
HTTP GET requests
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/super.gif.MD5
- http://do###.####browser.shzhanmeng.com/tui/tips/tray/v1.0.0.3/traytip-3.exe
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/common.gif
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/common.gif.MD5
- http://do###.####browser.shzhanmeng.com/tui/package/tipsplus2/v1.0.5.5/TipsPlus2.gif
- http://ne##.7654.com/mini_new3/025/statics/assets/images/selected2.png
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/super.gif
- http://sc######vers.shzhanmeng.com/lua/v1.0.0.1/super.gif.MD5
- http://tt###g.7654.com/image/8d04f85aba566be19eba21c6604cd74a?im#############################
- http://tt###g.7654.com/image/a20aa2665c61f626a79540552fba3bec?im#############################
- http://tt###g.7654.com/image/a1f8a6f541645b60a7ea019769912b53?im#############################
- http://do###.####browser.shzhanmeng.com/tui/tips/tipsplus2/tipsplus2.json
- http://tt###g.7654.com/image/10cdfce4288e4c56fd6a924eceb2a6ab?im#############################
- http://tt###g.7654.com/image/89c5f7cc4ac7c40caa3e4e812fc7e185?im#############################
- http://tt###g.7654.com/image/abaca5822af866c73c5c4ff10406e077?im#############################
- http://tt###g.7654.com/image/2f65f6fa9c528109e94b16618d1091f9?im#############################
- http://s3#.#zwgs.com/galileo/d17da0ed2c5576219aaaef5e917db84b.jpg
- http://s3##.nzwgs.com/galileo/853909-c14b30687805dfd2d8fbe2ac4fc5fa55.gif
- http://s3##.nzwgs.com/galileo/918b9a389e0b3fab4a1ccb1804032617.gif
- http://s3.##bdw.com/s?ty#########################################################################################################################################################################...
- http://s3#.#zwgs.com/galileo/3568f27c7545c7b3b776a1e5f6abe302.jpg
- http://tt###g.7654.com/image/94a72b932c8d113e23aaaa53f538d810?im#############################
- http://sc##########-1252899349.file.myqcloud.com/cdn_bandwith_config.json?v=##########
- http://ne##.7654.com/tipsdsp/13/s11/?pr##########################################################################################################################################################...
- http://ne##.7654.com/tipsdsp/libs/images/closebutton/8.png?v=#############
- http://ss#.#654.com/ssp/v2/ads?qi################################################################################################################################################################...
- http://ne##.7654.com/tipsdsp/13/assets/s11.js?v=######
- http://ne##.7654.com/tipsdsp/libs/script/zmdsp_t.js?v=#####
- http://ne##.7654.com/tipsdsp/libs/script/zhike.js?v=######
- http://ne##.7654.com/tipsdsp/libs/script/kgdsp.js?v=#####
- http://ne##.7654.com/tipsdsp/libs/script/shdsp2.js?v=#####
- http://ne########99349.file.myqcloud.com/ssp/5eb218eed8459.ico
- http://ne##.7654.com/tipsdsp/libs/sh_config.js?v=#####
- http://ne##.7654.com/tipsdsp/libs/script/zmdsp_new.js?v=#####
- http://sc######vers.shzhanmeng.com/n/1.0.6.8/C0B32F5186DD75880D7E21C404D6029D
- http://do###.####browser.shzhanmeng.com/tui/tips/2/tips2-1.zip.MD5
- http://ne##.7654.com/tipsdsp/libs/script/common.js
- http://ne##.7654.com/tipsdsp/libs/script/json2.js
- http://ne##.7654.com/tipsdsp/libs/swiper/idangerous.swiper.min.js
- http://ss####ort.7654.com/ssp/user_click?co######################################################################################################################################################...
- http://ss#.#654.com/ssp/list?qi###############################
- http://ne##.7654.com/tipsdsp/libs/script/jquery.base64.js
- http://ne##.7654.com/tipsdsp/libs/script/jquery.cookie.domain.js
- http://ne##.7654.com/tipsdsp/libs/script/jquery.min.js
- http://ne##.7654.com/tipsdsp/libs/css/zhike.css?v=#####
- http://ne##.7654.com/tipsdsp/libs/swiper/idangerous.swiper.css
- http://ne##.7654.com/tipsdsp/libs/config.js?v=###
- http://do###.####browser.shzhanmeng.com/tui/tips/tray/dll/v1.0.1.2_001/TrayTip.gif
- http://s3#.#zwgs.com/galileo/842885-20d1a6b3edad132d9fe647132e2767df.png
- http://s3##.fenxi.com/galileo/0398e532def8248b489691ee2bdc8163.gif
- http://s3##.fenxi.com/galileo/876581-67b236c3e7923637f7350e55237d8dd7.gif
- http://do###.####browser.shzhanmeng.com/tui/mininews/mininewsplus/ffzdr.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/top1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/not-followed.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/remen.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/rectangle.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/selected1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/consultation1.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/month.png
- http://ne##.7654.com/mini_new3/025/statics/assets/images/route4.png
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.min.js
- http://ne##.7654.com/tipsdsp/libs/images/shdsp/3.jpg
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.base64.js
- http://ne##.7654.com/mini_new3/025/?qi###########################################################################################################################################################...
- http://br#####.shzhanmeng.com/browser/stamp_trace?co#############################################################################################################################################...
- http://do###.####browser.shzhanmeng.com/tui/screensaver/v1.0.6.8/screen_saver-4.exe
- http://do###.####browser.shzhanmeng.com/tui/package/mininewsplus/v5.0.271.95/MiniNewsPlusModule.gif
- http://do###.####browser.shzhanmeng.com/tui/package/tipsplus2/v5.0.0.1/tipsplus2-1.exe
- http://do###.####browser.shzhanmeng.com/6645c41d54d23ef884bb8eb455fce1fd.json
- http://ky######on.dftoutiao.com/position/get02
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/uc.gif
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/uc.gif.MD5
- http://do###.####browser.shzhanmeng.com/logo/v1.0.0.2/super.gif
- http://ne##.7654.com/mini_new3/025/statics/assets/css/index.0606.css?v=###
- http://ne##.7654.com/tipsdsp/libs/script/shdsp_new.js?v=######
- http://ne##.7654.com/mini_new3/025/statics/common/js/xDomain.js
- http://ip####tion.7654.com/v1
- http://ne##.7654.com/mini_new3/025/statics/common/js/calendar.js?v=#
- http://tt###g.7654.com/image/8ad5b61c3234779f309da47045cf0cde?im#############################
- http://s3#.#zwgs.com/galileo/874228-151be62abb805db7e96a3444aa91a53c.jpg
- http://s3#.#zwgs.com/galileo/737544-f724c90c0a97b0647228a8b7f8ec4ebf.jpg
- http://g1###.mediav.com/rtb?ty###################################################################################################################################################################...
- http://s3##.nzwgs.com/galileo/7b8bf91569dda0ef569437108effe4f1.gif
- http://s3##.nzwgs.com/galileo/842865-4d497b790a4c883faf38028c35d8c2ad.gif
- http://ma###.mediav.com/rtb?ty###################################################################################################################################################################...
- http://ad.##aizip.com/advertise/userclick?ti#####################################################################################################################################################...
- http://tt###g.7654.com/image/b918047f271f78d005888873eaa5a6d0?im#############################
- http://ne##.7654.com/mini_new3/025/statics/assets/js/index.js?v=####
- http://tt###g.7654.com/image/997e1dbb4af3aeefdc80f0b749e22d63?im#############################
- http://ne##.7654.com/mini_new3/025/statics/common/js/jquery.cookie.js
- http://tt###g.7654.com/image/a9e2da232947a5458d1cee455482a278?im#############################
- http://sh##.#.mediav.com/s?ty########################################################################################################################################
- http://do###.####browser.shzhanmeng.com/tui/tips/tipsplus2/v1.0.3.5/tipsplus2-2.exe
- http://sc######vers.shzhanmeng.com/n/ss.json
- http://we#####.shzhanmeng.com/api/weather_jsonp/0?ca#####################################
- http://ne##.##utiaobashi.com/api/tpop/list_new/llq02/1/34/10
- http://ad#.#654.com/prod/news.7654.com.mini_new3.025.json?t=#############
- http://ne##.##utiaobashi.com/api/wps_news_list/14/llq02
- http://ss#.#654.com/monitor?qi###############################################################
- http://sh##.#.mediav.com/s?ty#########################################################################################################################################
- http://zq##.asmed.cn/qrcode/2020-05-09_0BTW6ZXdpCu.jpeg
HTTP POST requests
- http://re####.###eensavers.shzhanmeng.com/screensavers/stamp_trace?co############################################################################################################################...
- http://kl.##ayg.com/zkactive/ctl/w/qinfo.html
- http://kl.##ayg.com/zkactive/ctl/wb/show.html
- http://tj.##ayg.com/zklogger/zk/rp.html
UDP
- DNS ASK do###.####browser.shzhanmeng.com
- DNS ASK kl.##ayg.com
- DNS ASK ne########99349.file.myqcloud.com
- DNS ASK ss####ort.7654.com
- DNS ASK microsoft.com
- DNS ASK s3##.fenxi.com
- DNS ASK g1###.mediav.com
- DNS ASK s3#.#zwgs.com
- DNS ASK ad.##aizip.com
- DNS ASK s3.##bdw.com
- DNS ASK ma###.mediav.com
- DNS ASK s3##.nzwgs.com
- DNS ASK sc##########-1252899349.file.myqcloud.com
- DNS ASK sh##.#.mediav.com
- DNS ASK tt###g.7654.com
- DNS ASK re####.###eensavers.shzhanmeng.com
- DNS ASK sc######vers.shzhanmeng.com
- DNS ASK we#####.shzhanmeng.com
- DNS ASK ss#.#654.com
- DNS ASK hm.##idu.com
- DNS ASK ip####tion.7654.com
- DNS ASK ne##.##utiaobashi.com
- DNS ASK ad#.#654.com
- DNS ASK ne##.7654.com
- DNS ASK br#####.shzhanmeng.com
- DNS ASK ky######on.dftoutiao.com
- DNS ASK zq##.asmed.cn
- DNS ASK tj.##ayg.com
Miscellaneous
Searches for the following windows
- ClassName: 'C9CD4F35-4AD6-45d3-8A0E-AC211EB1D13E' WindowName: 'C9CD4F35-4AD6-45d3-8A0E-AC211EB1D13E'
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Chrome_MessageWindow' WindowName: 'sc_D7EE826A-3855-4F1B-818C-2571B3AB4F63'
- ClassName: 'ActiveXWnd' WindowName: ''
- ClassName: 'Shell Embedding' WindowName: ''
- ClassName: 'Shell DocObject View' WindowName: ''
- ClassName: 'Internet Explorer_Server' WindowName: ''
Creates and executes the following
- '%APPDATA%\roaming\llq\7654llqmini\7654llqmini.exe' LXByb2plY3Q9NzY1NEJyb3dzZXIgLWtpbGxwcm9jZXNzPTYwIC1lbmFibGVob21lcGFnZXJhbmQ9MSAtT3B0aW1pemU9MzAgLURpc3BsYXlUaXRsZT03NjU0QnJvd3NlciAtd3JpdGV0Y2s9TGl2ZVVwZGF0ZTM2MCw2MzIgLXVzZXNzcG1vZGU9dHJ1ZSAtV...
- '%APPDATA%\roaming\7654llq\7654llqpb\7654pb.exe' --data=yn20hu0MXqi21W1oPkoo1fbgEtF7j0DiSsZmG+KP4b+LfqVr4h8TlQI7lzQ16xHMDm+ay4KmESL/eXUiSGGzf/DovS1G9IXjFDBfHY4ZWAcaOG6qcwMkz5q/6BI7gFj/z3CEdVafQ9fPPi8=
- '%APPDATA%\7654liulanqi\7654liulanqitips\7654llqtips.exe' T9ToxVhaBp0VzGfqwSVMPGNbTOfQEhLvICOZqezcecdyS25V+RbEkygW1RzSM/xcYF+LSd9oFYrCec8/w84AmyngxY6I65XBGy7yzLwKXTNkKOUt5Bxaeuknr6+KAhmz0sER4N+WwxW5jrtb2HPtVHL7LoNEXii57jCG7DH6JskMovdkzEwy0LgcMdsutx6t4...
- '%APPDATA%\7654liulanqi\7654llqtuopan\7654llqtuopan.exe' dlFuXviETP16sBg6cAnSnOkf7AuTZEKf2yqAawrvM5IMPxsew0E4RW0KMIexLrrwgzhrobQYoLk1tz4HXyTiwflUBNsYDLceuX+yzkl4BQXjiIL7DXg7YL6d6OsEc8r5TckSwATlYNdGqhkyiHthvJFCJ45ocVTgFHjPH5BI1PIft2JMmwNrrBUDDLlt0QOo3...
