Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\PfService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\PfService] 'ImagePath' = '%ProgramFiles(x86)%\kuqi\PfServer.exe'
Creates the following services
- 'PfService' %ProgramFiles(x86)%\kuqi\PfServer.exe
Modifies file system
Creates the following files
- %TEMP%\is-nhfb1.tmp\<File name>.tmp
- %TEMP%\is-17i5i.tmp\_isetup\_regdll.tmp
- %TEMP%\is-17i5i.tmp\_isetup\_setup64.tmp
- %TEMP%\is-17i5i.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-17i5i.tmp\urlnetget.dll
- %ProgramFiles(x86)%\kuqi\is-tlq5g.tmp
- %ProgramFiles(x86)%\kuqi\ad.ini
Deletes the following files
- %TEMP%\is-17i5i.tmp\urlnetget.dll
- %TEMP%\is-17i5i.tmp\_isetup\_regdll.tmp
- %TEMP%\is-17i5i.tmp\_isetup\_setup64.tmp
- %TEMP%\is-17i5i.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-nhfb1.tmp\<File name>.tmp
Moves the following files
- from %ProgramFiles(x86)%\kuqi\is-tlq5g.tmp to %ProgramFiles(x86)%\kuqi\pfserver.exe
Network activity
UDP
- DNS ASK ma##.##rvice.cnnuo.com
- DNS ASK c1.####ice.cnnuo.com
Miscellaneous
Creates and executes the following
- '%TEMP%\is-nhfb1.tmp\<File name>.tmp' /SL5="$20258,898620,53248,<Full path to file>"
- '%ProgramFiles(x86)%\kuqi\pfserver.exe' /install /SILENT
- '%ProgramFiles(x86)%\kuqi\pfserver.exe'
