Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\sccbronstab
Modifies file system
Creates the following files
- %TEMP%\940264.zip
- C:\users\public\hidecheckserver\msvcr71.dll
- C:\users\public\hidecheckserver\muteapihook.dll
- C:\users\public\hidecheckserver\pipiallinone.exe
- C:\users\public\hidecheckserver\pipigame.ico
- C:\users\public\hidecheckserver\pipigame.url
- C:\users\public\hidecheckserver\pipiiconlib.dll
- C:\users\public\hidecheckserver\pipirec.exe
- C:\users\public\hidecheckserver\pipirecommend.dll
- C:\users\public\hidecheckserver\pipisp.ico
- C:\users\public\hidecheckserver\pipisp.url
- C:\users\public\hidecheckserver\pipistartsvr.exe
- C:\users\public\hidecheckserver\mfc71.dll
- C:\users\public\hidecheckserver\msvcp71.dll
- C:\users\public\hidecheckserver\pipitips.exe
- C:\users\public\hidecheckserver\pphelp.url
- C:\users\public\hidecheckserver\ppwebnav.url
- C:\users\public\hidecheckserver\ppxa.dll
- C:\users\public\hidecheckserver\sqlite3.dll
- C:\users\public\hidecheckserver\task.dat
- C:\users\public\hidecheckserver\tcs.exe
- C:\users\public\hidecheckserver\tdcode.jpg
- C:\users\public\hidecheckserver\topwizardsmallimagefile.bmp
- C:\users\public\hidecheckserver\topwizardsmallimagefile.jpg
- C:\users\public\hidecheckserver\unins000.dat
- C:\users\public\hidecheckserver\unins000.exe
- C:\users\public\hidecheckserver\pipiwebplayer.ocx
- C:\users\public\hidecheckserver\player.swf
- C:\users\public\hidecheckserver\machineinfo.cfg
- C:\users\public\hidecheckserver\kmliveupdate.exe
- C:\users\public\hidecheckserver\kmfiletypesetting.exe
- C:\users\public\hidecheckserver\config\clienttype.ini
- C:\users\public\hidecheckserver\config\config.ini
- C:\users\public\hidecheckserver\config\enumwindow.ini
- C:\users\public\hidecheckserver\config\hlib_block.db
- C:\users\public\hidecheckserver\config\hlib_index.db
- C:\users\public\hidecheckserver\config\hlib_pcrc.db
- C:\users\public\hidecheckserver\config\init.clienttype.ini
- C:\users\public\hidecheckserver\config\init.config.ini
- C:\users\public\hidecheckserver\config\init.enumwindow.ini
- C:\users\public\hidecheckserver\config\mcckmplayervod.ini
- C:\users\public\hidecheckserver\config\mcckmplayervod.ini.wbk
- C:\users\public\hidecheckserver\config\partner.ini
- %TEMP%\940266.zip
- C:\users\public\hidecheckserver\config\player.ini
- C:\users\public\hidecheckserver\config\sp.ini
- C:\users\public\hidecheckserver\config\tab2_down.bmp
- C:\users\public\hidecheckserver\config\tab2_norm.bmp
- C:\users\public\hidecheckserver\config\tab2_over.bmp
- C:\users\public\hidecheckserver\donottrace.txt
- C:\users\public\hidecheckserver\fileassocbak.cfg
- C:\users\public\hidecheckserver\httpdownload.exe
- C:\users\public\hidecheckserver\iumenuright.dll
- C:\users\public\hidecheckserver\jfcheck.conf
- C:\users\public\hidecheckserver\jfcheck.dll
- C:\users\public\hidecheckserver\jpg2bmp.dll
- C:\users\public\hidecheckserver\kmbugslayerutil.dll
- C:\users\public\hidecheckserver\config\skin.ini
- C:\users\public\hidecheckserver\uninstall.ico
- C:\users\public\hidecheckserver\tcs.dat
Deletes the following files
- %TEMP%\940266.zip
Network activity
Connects to
- 'li##.jscdn.cn':80
- 'cf###b.jscdn.cn':443
- 'j0####.#l.files.1drv.com':443
- 'pa###bin.com':443
- 'ne##.#ookielive.top':2890
- 'D9.###uxroot.site':3257
TCP
HTTP GET requests
- http://li##.jscdn.cn/1drv/aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBa0ZQRnBaT2Q2d0FjSFNyNzZhZ0JrcE56RW8_ZT1mclRhZWk.zip
Other
- 'li##.jscdn.cn':443
- 'j0####.#l.files.1drv.com':443
- 'pa###bin.com':443
- 'ne##.#ookielive.top':2890
- 'D9.###uxroot.site':3257
UDP
- DNS ASK li##.jscdn.cn
- DNS ASK cf###b.jscdn.cn
- DNS ASK j0####.#l.files.1drv.com
- DNS ASK ne##.#ookielive.top
- DNS ASK pa###bin.com
- DNS ASK D9.###uxroot.site
Miscellaneous
Creates and executes the following
- 'C:\users\public\hidecheckserver\tcs.exe'
