Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\regsvr32.exe' atl.dll /s
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: <Current directory>\cfgdll.dll
Modifies file system:
Creates the following files:
- <Current directory>\coc\40.bmp
- <Current directory>\coc\39.bmp
- <Current directory>\coc\41.bmp
- <Current directory>\coc\43.bmp
- <Current directory>\coc\42.bmp
- <Current directory>\coc\35.bmp
- <Current directory>\coc\34.bmp
- <Current directory>\coc\36.bmp
- <Current directory>\coc\38.bmp
- <Current directory>\coc\37.bmp
- <Current directory>\coc\50.bmp
- <Current directory>\coc\49.bmp
- <Current directory>\coc\51.bmp
- <Current directory>\coc\53.bmp
- <Current directory>\coc\52.bmp
- <Current directory>\coc\45.bmp
- <Current directory>\coc\44.bmp
- <Current directory>\coc\46.bmp
- <Current directory>\coc\48.bmp
- <Current directory>\coc\47.bmp
- <Current directory>\coc\22.bmp
- <Current directory>\coc\21.bmp
- <Current directory>\coc\23.bmp
- <Current directory>\coc\25.bmp
- <Current directory>\coc\24.bmp
- <Current directory>\coc\17.bmp
- <Current directory>\coc\16-4.bmp
- <Current directory>\coc\18.bmp
- <Current directory>\coc\20.bmp
- <Current directory>\coc\19.bmp
- <Current directory>\coc\30.bmp
- <Current directory>\coc\29.bmp
- <Current directory>\coc\31.bmp
- <Current directory>\coc\33.bmp
- <Current directory>\coc\32.bmp
- <Current directory>\coc\26-1.bmp
- <Current directory>\coc\26.bmp
- <Current directory>\coc\26-2.bmp
- <Current directory>\coc\28.bmp
- <Current directory>\coc\27.bmp
- <Current directory>\coc\80.bmp
- <Current directory>\coc\79.bmp
- <Current directory>\coc\81.bmp
- <Current directory>\coc\82.bmp
- <Current directory>\coc\82(1).bmp
- <Current directory>\coc\75.bmp
- <Current directory>\coc\74.bmp
- <Current directory>\coc\76.bmp
- <Current directory>\coc\78.bmp
- <Current directory>\coc\77.bmp
- <Current directory>\coc\86.bmp
- <Current directory>\coc\85.bmp
- <Current directory>\coc\87.bmp
- <Current directory>\coc\89.bmp
- <Current directory>\coc\88.bmp
- <Current directory>\coc\83(1).bmp
- <Current directory>\coc\82-2.bmp
- <Current directory>\coc\83.bmp
- <Current directory>\coc\84.bmp
- <Current directory>\coc\83-2.bmp
- <Current directory>\coc\60.bmp
- <Current directory>\coc\59.bmp
- <Current directory>\coc\61.bmp
- <Current directory>\coc\63.bmp
- <Current directory>\coc\62.bmp
- <Current directory>\coc\55.bmp
- <Current directory>\coc\54.bmp
- <Current directory>\coc\56.bmp
- <Current directory>\coc\58.bmp
- <Current directory>\coc\57.bmp
- <Current directory>\coc\70.bmp
- <Current directory>\coc\69.bmp
- <Current directory>\coc\71.bmp
- <Current directory>\coc\73.bmp
- <Current directory>\coc\72.bmp
- <Current directory>\coc\65.bmp
- <Current directory>\coc\64.bmp
- <Current directory>\coc\66.bmp
- <Current directory>\coc\68.bmp
- <Current directory>\coc\67.bmp
- <Current directory>\coc\16-3.bmp
- <Current directory>\browsebox_file.ico
- <Current directory>\checkbox_disabled_unchecked.ico
- <Current directory>\browsebox_dir.ico
- <Current directory>\coc\±шБ¦.txt
- <Current directory>\coc\±.txt
- %APPDATA%\qmacro\shield\Shield.ini
- %APPDATA%\qmacro\shield\SD004.dat
- <Current directory>\checkbox_checked.ico
- <Current directory>\checkbox_disabled_checked.ico
- <Current directory>\checkbox_unchecked.ico
- <Current directory>\coc\РЕПў.txt
- <Current directory>\coc\ПкЗйЧЦМе.txt
- <Current directory>\coc\ХЅ№ыЧЦїв.txt
- <Current directory>\coc\2.bmp
- <Current directory>\coc\1.bmp
- <Current directory>\coc\µ±З°ЧКФґ.txt
- <Current directory>\coc\±шУЄ.txt
- <Current directory>\coc\·Е±ш.txt
- <Current directory>\coc\ЛСУгЧЦїв.txt
- <Current directory>\coc\ѕи±шЧЦїв.txt
- <Current directory>\plugin\FILE.DLL
- <Current directory>\plugin\REGDLL.DLL
- <Current directory>\plugin\SYS.DLL
- %TEMP%\mymacro.zip
- <Current directory>\plugin\LXJ_PLUG.DLL
- %TEMP%\mac1.tmp
- %TEMP%\mymacro_errinfo.exe
- %TEMP%\mac2.tmp
- <Current directory>\plugin\WINDOW.DLL
- %TEMP%\plugin.zip
- %APPDATA%\qmacro\shield\SD000.dat
- <Current directory>\<File name>.ini
- %APPDATA%\qmacro\shield\SD001.dat
- %APPDATA%\qmacro\shield\SD003.dat
- %APPDATA%\qmacro\shield\SD002.dat
- <Current directory>\cfgdll.dll
- %TEMP%\BackGround.bmp
- <Current directory>\ShieldModule.dat
- %TEMP%\88a3.tmp
- %APPDATA%\mymacro\qdisp.dll
- <Current directory>\coc\9±ѕЙП.bmp
- <Current directory>\coc\9fen.bmp
- <Current directory>\coc\9±ѕПВ.bmp
- <Current directory>\coc\10fen.bmp
- <Current directory>\coc\10.bmp
- <Current directory>\coc\09bsЦШЖф1.bmp
- <Current directory>\coc\8±ѕПВ.bmp
- <Current directory>\coc\9.bmp
- <Current directory>\coc\9bsЙѕіэ2.bmp
- <Current directory>\coc\9bsЙѕіэ.bmp
- <Current directory>\coc\13.bmp
- <Current directory>\coc\12fen.bmp
- <Current directory>\coc\14.bmp
- <Current directory>\coc\16.bmp
- <Current directory>\coc\15.bmp
- <Current directory>\coc\10±ѕПВ.bmp
- <Current directory>\coc\10±ѕЙП.bmp
- <Current directory>\coc\11.bmp
- <Current directory>\coc\12.bmp
- <Current directory>\coc\11fen.bmp
- <Current directory>\coc\4guohuo2.bmp
- <Current directory>\coc\4guohuo.bmp
- <Current directory>\coc\5.bmp
- <Current directory>\coc\6.bmp
- <Current directory>\coc\5guohuo.bmp
- <Current directory>\coc\3guohuo.bmp
- <Current directory>\coc\3.bmp
- <Current directory>\coc\4.bmp
- <Current directory>\coc\4-6±ѕПВ.bmp
- <Current directory>\coc\4-6±ѕЙП.bmp
- <Current directory>\coc\8.bmp
- <Current directory>\coc\7±ѕПВ.bmp
- <Current directory>\coc\8fen.bmp
- <Current directory>\coc\8±ѕЙП.bmp
- <Current directory>\coc\8guohuo.bmp
- <Current directory>\coc\6ј¶БЄГЛ±ш.bmp
- <Current directory>\coc\6guohuo.bmp
- <Current directory>\coc\7.bmp
- <Current directory>\coc\7±ѕЙП.bmp
- <Current directory>\coc\7guohuo.bmp
Deletes the following files:
- <Current directory>\checkbox_disabled_unchecked.ico
- <Current directory>\checkbox_disabled_checked.ico
- <Current directory>\browsebox_dir.ico
- <Current directory>\browsebox_file.ico
- <Current directory>\checkbox_unchecked.ico
- %TEMP%\mymacro.zip
- %TEMP%\plugin.zip
- <Current directory>\checkbox_checked.ico
- <Current directory>\ShieldModule.dat
Moves the following files:
- from %TEMP%\BackGround.bmp to %TEMP%\b2cbackground.bmp
Network activity:
Connects to:
- 'c.###huoa.com':80
TCP:
HTTP GET requests:
- http://c.###huoa.com/c2/MymacroidSalesUrl.aspx?my#####################
- http://c.###huoa.com/banner/Q10719.htm
UDP:
- DNS ASK c.###huoa.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
