Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\pcsvc] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\pcsvc] 'ImagePath' = '<SYSTEM32>\svchost.exe -k pcloundssvc'
- [HKLM\SYSTEM\CurrentControlSet\Services\pcsvc\Parameters] 'ServiceDll' = '%ProgramFiles(x86)%\xcfc\pcsvc.dll'
Creates the following services
- 'pcsvc' <SYSTEM32>\svchost.exe -k pcloundssvc
Modifies file system
Creates the following files
- %ProgramFiles(x86)%\xcfc\audio\1.mp3
- %ProgramFiles(x86)%\xcfc\thumbnail.dll
- %ProgramFiles(x86)%\xcfc\tbb.dll
- %ProgramFiles(x86)%\xcfc\swscale-2.dll
- %ProgramFiles(x86)%\xcfc\swresample-0.dll
- %ProgramFiles(x86)%\xcfc\svcapi.dll
- %ProgramFiles(x86)%\xcfc\substat.dll
- %ProgramFiles(x86)%\xcfc\sqlite3.dll
- %ProgramFiles(x86)%\xcfc\softconfig.dll
- %ProgramFiles(x86)%\xcfc\ubuninst.dll
- %ProgramFiles(x86)%\xcfc\servicehelp.dll
- %ProgramFiles(x86)%\xcfc\sdl2.dll
- %ProgramFiles(x86)%\xcfc\sdl.dll
- %ProgramFiles(x86)%\xcfc\rltcp.dll
- %ProgramFiles(x86)%\xcfc\postproc-52.dll
- %ProgramFiles(x86)%\xcfc\photoviewdll.dll
- %ProgramFiles(x86)%\xcfc\photoview.exe
- %ProgramFiles(x86)%\xcfc\pcsvc.dll
- %ProgramFiles(x86)%\xcfc\pcid.dll
- %ProgramFiles(x86)%\xcfc\servhelpproxy.exe
- %ProgramFiles(x86)%\xcfc\udp.dll
- %ProgramFiles(x86)%\xcfc\udp_platform.dll
- %ProgramFiles(x86)%\xcfc\uifeatureeffect.dll
- %ALLUSERSPROFILE%\xcfc\pcv2.db-journal
- %ALLUSERSPROFILE%\xcfc\userdata2.db
- %ALLUSERSPROFILE%\xcfc\userdata2.db-journal
- %ALLUSERSPROFILE%\xcfc\config.ini
- %HOMEPATH%\desktop\相册飞船.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\相册飞船\卸载相册飞船.lnk
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\相册飞船\相册飞船.lnk
- %ProgramFiles(x86)%\xcfc\uninst.dar1
- %ProgramFiles(x86)%\xcfc\uninst.dar0
- %ProgramFiles(x86)%\xcfc\xcfc.exe
- %ProgramFiles(x86)%\xcfc\wke.dll
- %ProgramFiles(x86)%\xcfc\wirelessrouter.dll
- %ProgramFiles(x86)%\xcfc\updater\updatehelper.dll
- %ProgramFiles(x86)%\xcfc\updater\dtlupg.exe
- %ProgramFiles(x86)%\xcfc\updater\checkupdate.dll
- %ProgramFiles(x86)%\xcfc\updater\checkprocess.dll
- %ProgramFiles(x86)%\xcfc\uninsthlp.dll
- %ProgramFiles(x86)%\xcfc\uninstall.exe
- %ProgramFiles(x86)%\xcfc\uninstall.dll
- %ProgramFiles(x86)%\xcfc\opencv_video231.dll
- %ALLUSERSPROFILE%\xcfc\pcv2.db
- %ProgramFiles(x86)%\xcfc\opencv_ts231.dll
- %ProgramFiles(x86)%\xcfc\opencv_ml231.dll
- %ProgramFiles(x86)%\xcfc\dtlcrashreport.exe
- %ProgramFiles(x86)%\xcfc\dtlcrashcatch.dll
- %ProgramFiles(x86)%\xcfc\dstudp.dll
- %ProgramFiles(x86)%\xcfc\drvsrc.dll
- %ProgramFiles(x86)%\xcfc\avutil-52.dll
- %ProgramFiles(x86)%\xcfc\avformat-55.dll
- %ProgramFiles(x86)%\xcfc\avfilter-4.dll
- %ProgramFiles(x86)%\xcfc\avdevice-55.dll
- %ProgramFiles(x86)%\xcfc\dtlplug.dll
- %ProgramFiles(x86)%\xcfc\avcodec-55.dll
- %ProgramFiles(x86)%\xcfc\address.dll
- %ProgramFiles(x86)%\xcfc\7z.dll
- %ProgramFiles(x86)%\xcfc\microsoft.vc90.crt\microsoft.vc90.crt.manifest
- %ProgramFiles(x86)%\xcfc\html\index.html
- %ProgramFiles(x86)%\xcfc\audio\5.mp3
- %ProgramFiles(x86)%\xcfc\audio\4.mp3
- %ProgramFiles(x86)%\xcfc\audio\3.mp3
- %ProgramFiles(x86)%\xcfc\audio\2.mp3
- %ProgramFiles(x86)%\xcfc\assoctype.dll
- %ProgramFiles(x86)%\xcfc\dtlui.dll
- %ProgramFiles(x86)%\xcfc\gzipdll.dll
- %ProgramFiles(x86)%\xcfc\httpdown.dll
- %ProgramFiles(x86)%\xcfc\opencv_legacy231.dll
- %ProgramFiles(x86)%\xcfc\opencv_imgproc231.dll
- %ProgramFiles(x86)%\xcfc\opencv_highgui231.dll
- %ProgramFiles(x86)%\xcfc\opencv_gpu231.dll
- %ProgramFiles(x86)%\xcfc\opencv_flann231.dll
- %ProgramFiles(x86)%\xcfc\opencv_features2d231.dll
- %ProgramFiles(x86)%\xcfc\opencv_core231.dll
- %ProgramFiles(x86)%\xcfc\opencv_contrib231.dll
- %ProgramFiles(x86)%\xcfc\opencv_calib3d231.dll
- %ProgramFiles(x86)%\xcfc\network.dll
- %ProgramFiles(x86)%\xcfc\microsoft.vc90.crt\msvcr90.dll
- %ProgramFiles(x86)%\xcfc\microsoft.vc90.crt\msvcp90.dll
- %ProgramFiles(x86)%\xcfc\microsoft.vc90.crt\msvcm90.dll
- %ProgramFiles(x86)%\xcfc\login.dll
- %ProgramFiles(x86)%\xcfc\libgcc_s_dw2-1.dll
- %ProgramFiles(x86)%\xcfc\libexif-12.dll.dll
- %ProgramFiles(x86)%\xcfc\libcurl.dll
- %ProgramFiles(x86)%\xcfc\libavengine.dll
- %ProgramFiles(x86)%\xcfc\ipc.dll
- %ProgramFiles(x86)%\xcfc\opencv_objdetect231.dll
- %ALLUSERSPROFILE%\xcfc\qrcode.bmp
Sets the 'hidden' attribute to the following files
- %ALLUSERSPROFILE%\xcfc\pcv2.db
Deletes the following files
- %ALLUSERSPROFILE%\xcfc\userdata2.db-journal
- %ALLUSERSPROFILE%\xcfc\pcv2.db-journal
- %ALLUSERSPROFILE%\xcfc\qrcode.bmp
Substitutes the following files
- %ALLUSERSPROFILE%\xcfc\userdata2.db-journal
- %ALLUSERSPROFILE%\xcfc\pcv2.db-journal
Network activity
Connects to
- 'in#.#pdrv.com':80
TCP
HTTP GET requests
- http://in#.#pdrv.com/common/IntegrateInstallStat.ashx?v=############################
UDP
- DNS ASK in#.#pdrv.com
- DNS ASK se#####.rili.updrv.com
- DNS ASK in#####.integrate.updrv.com
- DNS ASK di######.integrate.updrv.com
- DNS ASK gl#####pdate.updrv.com
- DNS ASK on#####.integrate.updrv.com
- DNS ASK in#.####behavior.updrv.com
- 'in#####.integrate.updrv.com':7020
- 'di######.integrate.updrv.com':3800
- 'gl#####pdate.updrv.com':4040
- 'on#####.integrate.updrv.com':6000
Miscellaneous
Searches for the following windows
- ClassName: 'PrivateCloudsWnd' WindowName: ''
Creates and executes the following
- '%ProgramFiles(x86)%\xcfc\xcfc.exe'
- '%ProgramFiles(x86)%\xcfc\xcfc.exe' /frserv
- '%WINDIR%\syswow64\cmd.exe' /c arp -a 10.0.34.1' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\svchost.exe' -k pcloundssvc
- '%WINDIR%\syswow64\cmd.exe' /c arp -a 10.0.34.1
- '%WINDIR%\syswow64\arp.exe' -a 10.0.34.1
