Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '2021032300' = '%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe hide'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2021032300' = '%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe hide'
- [<HKLM>\SOFTWARE\Classes\.epp\shell\open\command] '' = '"%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe" "%1"'
- [<HKLM>\SOFTWARE\Classes\TQCalendar.epp\shell\open\command] '' = '"%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe" "%1"'
- [<HKLM>\SOFTWARE\Classes\.ipp\shell\open\command] '' = '"%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe" "%1"'
- [<HKLM>\SOFTWARE\Classes\TQCalendar.ipp\shell\open\command] '' = '"%ProgramFiles(x86)%\TQCalendar\2021032300\TQCalendar.exe" "%1"'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'TaskMan' = '%ProgramFiles(x86)%\wints\winsers.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\winss
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\winss] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\winss] 'ImagePath' = '"%ProgramFiles(x86)%\wints\WindowssTM.exe"'
Creates the following services
- 'winss' "%ProgramFiles(x86)%\wints\WindowssTM.exe"
- 'winss' %ProgramFiles(x86)%\wints\WindowssTM.exe
Malicious functions
Executes the following
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://www.23##.com/?25###
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\trivial-merge.html
- %HOMEPATH%\desktop\trivial-merge.htm
- %HOMEPATH%\desktop\iisstart.htm
- %HOMEPATH%\desktop\browse.html
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\advice_process.htm
Modifies file system
Creates the following files
- %TEMP%\nsheb68.tmp
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d30.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d26.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d19.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d15.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d14.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d13.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d06.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b9.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b8.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b7.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b5.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\d99.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b4.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b30.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b3.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b25.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b23.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b22.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b21.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b20.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b2.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b10.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b1.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b0.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\b31.png
- %APPDATA%\tqcalendar\plugin\notepad\notepad.zip
- %APPDATA%\tqcalendar\language\skin.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n13.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\uninst.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ììæøèõà ú\°²×°åäöã\uninstall.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ììæøèõà ú\В№Г№В·ВЅГøõ¾.lnk
- %ProgramFiles(x86)%\tqcalendar\2021032300\ììæøèõà ú.url
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ììæøèõà ú\ììæøèõà ú.lnk
- %APPDATA%\tqcalendar\plugin\usersync\logo.png
- %APPDATA%\tqcalendar\plugin\usersync\icon.png
- %APPDATA%\tqcalendar\plugin\usersync\usersync.zip
- %APPDATA%\tqcalendar\plugin\usersync\usersync.dll
- %APPDATA%\tqcalendar\plugin\notepad\notepad.db
- %APPDATA%\tqcalendar\plugin\notepad\logo.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\6\small.png
- %APPDATA%\tqcalendar\plugin\notepad\icon.png
- %APPDATA%\tqcalendar\plugin\notepad\notepad.dll
- %APPDATA%\tqcalendar\plugin\holiday\logo.png
- %APPDATA%\tqcalendar\plugin\holiday\icon.png
- %APPDATA%\tqcalendar\plugin\holiday\holiday.db
- %APPDATA%\tqcalendar\plugin\holiday\holiday.dll
- %APPDATA%\tqcalendar\plugin\plugin.db
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n99.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n5.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n4.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n30.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n3.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n0.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\weather\n1.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\6\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\inject64.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\lunar.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\network.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\tqcalendar.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\microsoft.vc90.atl.manifest
- %ProgramFiles(x86)%\tqcalendar\2021032300\microsoft.vc90.crt.manifest
- %ProgramFiles(x86)%\tqcalendar\2021032300\msvcm90.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\msvcp90.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\msvcr90.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\sqlite3.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\atl90.dll
- %TEMP%\nsxb77.tmp\killprocdll.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\library.dll
- %TEMP%\nsxb77.tmp\system.dll
- %TEMP%\nsxb76.tmp
- %APPDATA%\winrar\version.dat
- %ProgramFiles(x86)%\wints\winsers.vbs
- %ProgramFiles(x86)%\wints\winsers.exe
- %ProgramFiles(x86)%\wints\tqrlsimp37_9500_200757.exe
- %ProgramFiles(x86)%\wints\qd.vbs
- %ProgramFiles(x86)%\wints\filedown_328301.exe
- %ProgramFiles(x86)%\wints\windowsstm.exe
- %TEMP%\nshf43e.tmp
- %TEMP%\setupz.exe
- %APPDATA%\°ôæøqq¿õ¼äèëæø»¥ë¢¾«áé 1.0 âìé«°æ.rar
- %TEMP%\nsxb77.tmp\install.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\1\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\5\small.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\directui.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\5\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\5\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\4\small.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\4\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\4\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\3\small.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\3\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\3\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\2\small.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\2\cfg.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\2\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\6\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\1\small.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\1\back.png
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\skin.zip
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\skin.xml
- %ProgramFiles(x86)%\tqcalendar\2021032300\language\d00.swf
- %ProgramFiles(x86)%\tqcalendar\2021032300\data\huangli.db
- %ProgramFiles(x86)%\tqcalendar\2021032300\uninstall.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\tqinstall.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\tqnewstip.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\tqupdate.exe
- %ProgramFiles(x86)%\tqcalendar\2021032300\clock64.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\clock.dll
- %ProgramFiles(x86)%\tqcalendar\2021032300\install.dll
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012021032320210324\index.dat
Deletes the following files
- %TEMP%\nsxb77.tmp\install.dll
- %TEMP%\nsxb77.tmp\killprocdll.dll
- %TEMP%\nsxb77.tmp\system.dll
- %TEMP%\setupz.exe
Modifies the following files
Network activity
Connects to
- 'so##.tianqi.com':80
- 'cp##.##idustatic.com':80
- 'df#####02.dftoutiao.com':443
- 'im####.toutiaoyule.com':443
- 'im#.#q233.com':443
- 'p.##63.com':443
- 'im#.##yangsheng.com':443
- 'do####ad.2345.cn':80
- 'cr#.#igicert.cn':80
- 'po#.#aidu.com':443
- 'ww#####eam.2345cdn.net':443
- 'ss#.#aidu.com':443
- 'cb##.baidu.com':443
- 'oc##.#igicert.cn':80
- 'un####.50bang.org':443
- 'li#.#345cdn.net':443
- 'cp##.##idustatic.com':443
- 'h.###5cdn.net':443
- 'microsoft.com':80
- '23##.com':443
- '23##.com':80
- 'ti##qi.com':443
- 'un####.50bang.org':80
- 'bu#####soss.2345cdn.net':443
TCP
HTTP GET requests
- http://h.###5cdn.net/js/lib/js-a93551cfaf.cookie.js
- http://h.###5cdn.net/js/index/cnxh/index_v3-85545490bf.js
- http://h.###5cdn.net/js/index/ui_v3-5af66a8aa6.js
- http://h.###5cdn.net/js/index/tianqi-d48b443420.js
- http://h.###5cdn.net/js/index/cnxh/common-2bfd6070cd.js
- http://h.###5cdn.net/js/index/func_abtest-ad21850e0d.js
- http://h.###5cdn.net/js/index/bd_words-38b762dce9.js
- http://h.###5cdn.net/js/index/statistics_report-cb79ec06f1.js
- http://h.###5cdn.net/js/index/report-78677e5cc9.js
- http://h.###5cdn.net/js/base64-5bca38624a.min.js
- http://h.###5cdn.net/js/moment-6e68074f83.min.js
- http://h.###5cdn.net/js/index/common_js-7b3cc2010c.js?v=###
- http://h.###5cdn.net/js/index/public-35a91c0d8c.js
- http://h.###5cdn.net/js/index/config_js-0483ace827.js
- http://h.###5cdn.net/js/jquery-1.8-dd39d1759b.3.min.js
- http://www.23##.com/resource/i/2019/02/21/c8408e3a45257ca8530470007bc619fc.png
- http://h.###5cdn.net/images/logo.png
- http://h.###5cdn.net/images/icons/y2x5_150626.png
- http://h.###5cdn.net/i/search20200812/idx-1.png
- http://h.###5cdn.net/i/blank.png
- http://h.###5cdn.net/resource/api/zjsVer2.js?t=########
- http://h.###5cdn.net/css/index_v1-f4a50b60d7.2_20201210.css
- http://h.###5cdn.net/right/homepage/zjsVer2.js?t=########
- http://oc##.#igicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAzCC1Fa4CLfRokM0itVaJg%3D
- http://cr#.#igicert.cn/DigiCertSecureSiteCNCAG3.crl
- http://oc##.#igicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAmXA3BU1Hq4%2BXERYZqPmak%3D
- http://h.###5cdn.net/js/index/module_20201210_abtest-e5a8f08e96.js
- http://h.###5cdn.net/js/index/performance_20200811-d7895022f0.js
UDP
- DNS ASK to####.xmzs8.com
- DNS ASK mi####.eastday.com
- DNS ASK im####.toutiaoyule.com
- DNS ASK im#.#q233.com
- DNS ASK p.##63.com
- DNS ASK im#.##yangsheng.com
- DNS ASK do####ad.2345.cn
- DNS ASK cr#.#igicert.cn
- DNS ASK tr####.#nion2.50bang.org
- DNS ASK dh###t.2345.com
- DNS ASK po#.#aidu.com
- DNS ASK e2.#345.com
- DNS ASK ba##u.com
- DNS ASK gu###.#nion2.50bang.org
- DNS ASK ss#.#aidu.com
- DNS ASK ww#####eam.2345cdn.net
- DNS ASK cb##.baidu.com
- DNS ASK ti###i.2345.com
- DNS ASK oc##.#igicert.cn
- DNS ASK un####.50bang.org
- DNS ASK li#.#345cdn.net
- DNS ASK cp##.##idustatic.com
- DNS ASK h.###5cdn.net
- DNS ASK microsoft.com
- DNS ASK 23##.com
- DNS ASK ti##qi.com
- DNS ASK so##.tianqi.com
- DNS ASK xm##8.com
- DNS ASK df#####02.dftoutiao.com
- DNS ASK bu#####soss.2345cdn.net
Miscellaneous
Searches for the following windows
- ClassName: 'WinRarWindow' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Static' WindowName: ''
Creates and executes the following
- '%TEMP%\setupz.exe'
- '%ProgramFiles(x86)%\wints\tqrlsimp37_9500_200757.exe'
- '%ProgramFiles(x86)%\tqcalendar\2021032300\tqcalendar.exe' hide
- '%ProgramFiles(x86)%\tqcalendar\2021032300\inject64.exe' Hook 66110
- '%WINDIR%\syswow64\wscript.exe' "%ProgramFiles(x86)%\wints\qd.vbs"
- '%WINDIR%\syswow64\wscript.exe' "%ProgramFiles(x86)%\wints\winsers.vbs"
- '%ProgramFiles(x86)%\wints\filedown_328301.exe'
- '%ProgramFiles(x86)%\wints\tqrlsimp37_9500_200757.exe' ' (with hidden window)
- '%ProgramFiles(x86)%\tqcalendar\2021032300\inject64.exe' Hook 66110' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%ProgramFiles(x86)%\wints\qd.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C schtasks /create /tn "winss" /tr "\"%ProgramFiles(x86)%\wints\winsers.exe"" /sc onstart /ru System' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C sc create "winss" type= interact type= own start= auto binpath= "\"%ProgramFiles(x86)%\wints\WindowssTM.exe""' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%ProgramFiles(x86)%\wints\winsers.vbs"' (with hidden window)
- '%ProgramFiles(x86)%\wints\filedown_328301.exe' ' (with hidden window)
Executes the following
- '%ProgramFiles%\winrar\winrar.exe' "%APPDATA%\°ÔÆøQQ¿Õ¼äÈËÆø»¥Ë¢¾«Áé 1.0 ÂÌÉ«°æ.rar"
- '%WINDIR%\syswow64\cmd.exe' /C schtasks /create /tn "winss" /tr "\"%ProgramFiles(x86)%\wints\winsers.exe"" /sc onstart /ru System
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "winss" /tr "\"%ProgramFiles(x86)%\wints\winsers.exe"" /sc onstart /ru System
- '%WINDIR%\syswow64\cmd.exe' /C sc create "winss" type= interact type= own start= auto binpath= "\"%ProgramFiles(x86)%\wints\WindowssTM.exe""
- '%WINDIR%\syswow64\sc.exe' create "winss" type= interact type= own start= auto binpath= "\"%ProgramFiles(x86)%\wints\WindowssTM.exe""
- '%ProgramFiles(x86)%\mozilla firefox\firefox.exe' http://www.23##.com/?25###
