Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\5a1c9ced-5a1c-9ced-5a1c-5a1c9ced5a10
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Modifies file system
Creates the following files
- <Current directory>\2204722946
- <Current directory>\134121811.js
- %LOCALAPPDATA%\5a1c9ced0.js
- <Current directory>\6422e26f
- <Current directory>\3005559c
- %TEMP%\maqpqgzi.0.cs
- %TEMP%\maqpqgzi.cmdline
- %TEMP%\maqpqgzi.out
- %TEMP%\csccdc9.tmp
- %TEMP%\rescdda.tmp
- %TEMP%\maqpqgzi.dll
Deletes the following files
- <Current directory>\6422e26f
- <Current directory>\3005559c
- %TEMP%\rescdda.tmp
- %TEMP%\csccdc9.tmp
- %TEMP%\maqpqgzi.dll
- %TEMP%\maqpqgzi.out
- %TEMP%\maqpqgzi.cmdline
- %TEMP%\maqpqgzi.pdb
- %TEMP%\maqpqgzi.0.cs
Moves the following files
- from <Current directory>\134121811.js to <Current directory>\6422e26f
- from <Current directory>\2204722946 to <Current directory>\3005559c
Moves itself
- from <Full path to file> to <Current directory>\78a665ff
Deletes itself.
Network activity
UDP
- DNS ASK ra########dffor-tracebfdb1290.top
- DNS ASK ra######sgdf89ec4c11.top
- DNS ASK ra######sgdffeeb7c87.top
- DNS ASK ra######sgdf6e546116.top
- DNS ASK ra######sgdf19535180.top
- DNS ASK ra######sgdf805a003a.top
- DNS ASK ra######sgdff75d30ac.top
- DNS ASK ra######sgdfe92bc5f4.top
- DNS ASK ra######sgdf6939a50f.top
- DNS ASK ra######sgdf8737c423.top
- DNS ASK ra######sgdff030f4b5.top
- DNS ASK ra######sgdf0e7450de.top
- DNS ASK ra######sgdf79736048.top
- DNS ASK ra######sgdfe9cc7dd9.top
- DNS ASK ra######sgdf9ecb4d4f.top
- DNS ASK ra######sgdf1e3e9599.top
- DNS ASK ra######sgdf9e2cf562.top
- DNS ASK ra######sgdf0725a4d8.top
- DNS ASK ra######sgdf7022944e.top
- DNS ASK ra######sgdf347448d6.top
- DNS ASK ra######sgdfa4cb5547.top
- DNS ASK ra######sgdfd3cc65d1.top
- DNS ASK ra######sgdf4ac5346b.top
- DNS ASK ra######sgdf3dc204fd.top
- DNS ASK ra######sgdfa3a6915e.top
- DNS ASK ra######sgdfd4a1a1c8.top
- DNS ASK ra######sgdf4da8f072.top
- DNS ASK ra######sgdf3aafc0e4.top
- DNS ASK ra######sgdf90f77d50.top
- DNS ASK ra######sgdfe7f04dc6.top
- DNS ASK ra######sgdf774f5057.top
- DNS ASK ra######sgdf004860c1.top
- DNS ASK ra######sgdf9941317b.top
- DNS ASK ra######sgdfee4601ed.top
- DNS ASK ra######sgdf07c21cf5.top
- DNS ASK ra######sgdf43737840.top
- DNS ASK ra######sgdf70c52c63.top
- DNS ASK ra######sgdf99a68956.top
- DNS ASK ra######sgdfab90ebd4.top
- DNS ASK ra######sgdf3299ba6e.top
- DNS ASK ra######sgdf459e8af8.top
- DNS ASK ra######sgdf2559031d.top
- DNS ASK ra######sgdf525e338b.top
- DNS ASK ra######sgdfc2e12e1a.top
- DNS ASK ra######sgdfdc97db42.top
- DNS ASK ra######sgdfb5e61e8c.top
- DNS ASK ra######sgdf5be87fa0.top
- DNS ASK ra######sgdfc58cea03.top
- DNS ASK ra######sgdfb28bda95.top
- DNS ASK ra######sgdf2b828b2f.top
- DNS ASK ra######sgdf5c85bbb9.top
- DNS ASK ra######sgdf6a1895da.top
- DNS ASK ra######sgdf2cef4f36.top
- DNS ASK ra######sgdf42f34ee1.top
- DNS ASK ra######sgdf35f47e77.top
- DNS ASK ra######sgdfacfd2fcd.top
- DNS ASK ra######sgdf00afd8ec.top
- DNS ASK ra######sgdf77a8e87a.top
- DNS ASK ra######sgdf176f619f.top
- DNS ASK ra######sgdf60685109.top
- DNS ASK ra######sgdff0d74c98.top
- DNS ASK ra######sgdf87d07c0e.top
- DNS ASK ra######sgdf1ed92db4.top
- DNS ASK ra######sgdf69de1d22.top
- DNS ASK ra######sgdff7ba8881.top
- DNS ASK ra######sgdf80bdb817.top
- DNS ASK ra######sgdf19b4e9ad.top
- DNS ASK ra######sgdf6eb3d93b.top
- DNS ASK ra######sgdf3c42325c.top
- DNS ASK ra######sgdf4b4502ca.top
- DNS ASK ra######sgdfdbfa1f5b.top
- DNS ASK ra######sgdfeea1b9c0.top
- DNS ASK ra######sgdfc0a79043.top
- DNS ASK ra######sgdf6b7f1b56.top
- DNS ASK ra######sgdfcdba9089.top
- DNS ASK ra######sgdff5fc36d8.top
- DNS ASK ra######sgdf82fb064e.top
- DNS ASK ra######sgdf1bf257f4.top
- DNS ASK ra######sgdf6cf56762.top
- DNS ASK ra######sgdf3e048c05.top
- DNS ASK ra######sgdf4903bc93.top
- DNS ASK ra######sgdf6b98a37b.top
- DNS ASK ra######sgdfd9bca102.top
- DNS ASK ra######sgdf37b2c02e.top
- DNS ASK ra######sgdf40b5f0b8.top
- DNS ASK ra######sgdfded1651b.top
- DNS ASK ra######sgdfa9d6558d.top
- DNS ASK ra######sgdf30df0437.top
- DNS ASK ra######sgdf47d834a1.top
- DNS ASK ra######sgdfaebb9194.top
- DNS ASK ra######sgdf1c9f93ed.top
- DNS ASK ra######sgdf8596c257.top
- DNS ASK ra######sgdff291f2c1.top
- DNS ASK ra######sgdf1c782bc0.top
- DNS ASK ra######sgdf85717a7a.top
- DNS ASK ra######sgdff2764aec.top
- DNS ASK ra######sgdf0c32ee87.top
- DNS ASK ra######sgdf7b35de11.top
- DNS ASK ra######sgdfeb8ac380.top
- DNS ASK ra######sgdf9c8df316.top
- DNS ASK ra######sgdf0584a2ac.top
- DNS ASK ra######sgdf7283923a.top
- DNS ASK ra######sgdfece70799.top
- DNS ASK ra######sgdf9be0370f.top
- DNS ASK ra######sgdf02e966b5.top
- DNS ASK ra######sgdf75ee5623.top
- DNS ASK ra######sgdf1529dfc6.top
- DNS ASK ra######sgdf622eef50.top
- DNS ASK ra######sgdf271fbd44.top
- DNS ASK ra######sgdf1d1fa54c.top
- DNS ASK ra######sgdf50188dd2.top
- DNS ASK ra######sgdfb7a0a0d5.top
- DNS ASK ra######sgdfe1fa0753.top
- DNS ASK ra######sgdf78f356e9.top
- DNS ASK ra######sgdf0ff4667f.top
- DNS ASK ra######sgdf9190f3dc.top
- DNS ASK ra######sgdfe697c34a.top
- DNS ASK ra######sgdf7f9e92f0.top
- DNS ASK ra######sgdf96fd37c5.top
- DNS ASK ra######sgdf0899a266.top
- DNS ASK ra######sgdf2d6f7997.top
- DNS ASK ra######sgdfbdd06406.top
- DNS ASK ra######sgdfcad75490.top
- DNS ASK ra######sgdf53de052a.top
- DNS ASK ra######sgdf24d935bc.top
- DNS ASK ra######sgdfbabda01f.top
- DNS ASK ra######sgdf5a684901.top
- DNS ASK ra######sgdf06422a54.top
- DNS ASK ra######sgdf71451ac2.top
- DNS ASK ra######sgdf11829327.top
- DNS ASK ra######sgdf2ea9f16f.top
- DNS ASK ra######sgdf59aec1f9.top
- DNS ASK ra######sgdfc7ca545a.top
- DNS ASK ra######sgdfb0cd64cc.top
- DNS ASK ra######sgdf29c43576.top
- DNS ASK ra######sgdf5ec305e0.top
- DNS ASK ra######sgdf685e2b83.top
- DNS ASK ra######sgdf1f591b15.top
- DNS ASK ra######sgdf8fe60684.top
- DNS ASK ra######sgdff8e13612.top
- DNS ASK ra######sgdf61e867a8.top
- DNS ASK ra######sgdf16ef573e.top
- DNS ASK ra######sgdf888bc29d.top
- DNS ASK ra######sgdfff8cf20b.top
- DNS ASK ra######sgdf6685a3b1.top
- DNS ASK ra######sgdf23b4f1a5.top
- DNS ASK ra######sgdf54b3c133.top
- DNS ASK ra######sgdf8da0b8dd.top
- DNS ASK ra######sgdfe89ecec9.top
- DNS ASK ra######sgdf34a6cd67.top
- DNS ASK ra######sgdf43a1fdf1.top
- DNS ASK ra######sgdf753cd392.top
- DNS ASK ra######sgdf023be304.top
- DNS ASK ra######sgdf9284fe95.top
- DNS ASK ra######sgdfe583ce03.top
- DNS ASK ra######sgdfadaf9cdd.top
- DNS ASK ra######sgdf7c8a9fb9.top
- DNS ASK ra######sgdf95e93a8c.top
- DNS ASK ra######sgdfe2ee0a1a.top
- DNS ASK ra######sgdf7be75ba0.top
- DNS ASK ra######sgdf0ce06b36.top
- DNS ASK ra######sgdf6c27e2d3.top
- DNS ASK ra######sgdf1b20d245.top
- DNS ASK ra######sgdf0b8daf2f.top
- DNS ASK ra######sgdfdaa8ac4b.top
- DNS ASK ra######sgdf44cc39e8.top
- DNS ASK ra######sgdf33cb097e.top
- DNS ASK ra######sgdf71979f73.top
- DNS ASK ra######sgdf23667414.top
- DNS ASK ra######sgdf54614482.top
- DNS ASK ra######sgdfc4de5913.top
- DNS ASK ra######sgdfb3d96985.top
- DNS ASK ra######sgdf2ad0383f.top
- DNS ASK ra######sgdf5dd708a9.top
- DNS ASK ra######sgdfc3b39d0a.top
- DNS ASK ra######sgdfb4b4ad9c.top
- DNS ASK ra######sgdf2dbdfc26.top
- DNS ASK ra######sgdf5abaccb0.top
- DNS ASK ra######sgdf3a7d4555.top
- DNS ASK ra######sgdf4d7a75c3.top
- DNS ASK ra######sgdfddc56852.top
- DNS ASK ra######sgdfaac258c4.top
- DNS ASK ra######sgdf8b9fcfd4.top
- DNS ASK ra######sgdf0690afe5.top
- DNS ASK ra######sgdffc98ff42.top
- DNS ASK ra######sgdf12969e6e.top
- DNS ASK ra######sgdfc77eeb7e.top
- DNS ASK ra######sgdf591a7edd.top
- DNS ASK ra######sgdf2e1d4e4b.top
- DNS ASK ra######sgdfb7141ff1.top
- DNS ASK ra######sgdfc0132f67.top
- DNS ASK ra########dffortracyadb205b1.top
- DNS ASK ra######sgdfb079dbe8.top
- DNS ASK ra########dffor-tracedab53527.top
- DNS ASK ra########dffor-trace3d0d1820.top
- DNS ASK ra########dffor-tracea404499a.top
- DNS ASK ra########dffor-traced303790c.top
- DNS ASK ra########dffor-trace4d67ecaf.top
- DNS ASK ra########dffor-trace3a60dc39.top
- DNS ASK ra########dffor-tracea3698d83.top
- DNS ASK ra########dffor-trace4a0a28b6.top
- DNS ASK ra######sgdf29708a52.top
- DNS ASK ra######sgdf5e77bac4.top
- DNS ASK ra######sgdfcec8a755.top
- DNS ASK ra######sgdf8cf20bcd.top
- DNS ASK ra######sgdffbf53b5b.top
- DNS ASK ra######sgdf62fc6ae1.top
- DNS ASK ra######sgdf15fb5a77.top
- DNS ASK ra######sgdf470ab110.top
- DNS ASK ra######sgdf300d8186.top
- DNS ASK ra######sgdfa0b29c17.top
- DNS ASK ra######sgdfd7b5ac81.top
- DNS ASK ra######sgdf4ebcfd3b.top
- DNS ASK ra######sgdf39bbcdad.top
- DNS ASK ra######sgdfa7df580e.top
- DNS ASK ra######sgdfd0d86898.top
- DNS ASK ra######sgdf49d13922.top
- DNS ASK ra######sgdf3ed609b4.top
- DNS ASK ra######sgdfb9cf97c3.top
- DNS ASK ra######sgdf6591aef8.top
- DNS ASK ra######sgdf8fd33b18.top
- DNS ASK ra######sgdf63aed9f1.top
- DNS ASK ra######sgdf76fa5b6a.top
- DNS ASK ra######sgdf5198bb73.top
- DNS ASK ra######sgdf269f8be5.top
- DNS ASK ra######sgdfb8fb1e46.top
- DNS ASK ra######sgdfcffc2ed0.top
- DNS ASK ra######sgdf56f57f6a.top
- DNS ASK ra######sgdf21f24ffc.top
- DNS ASK ra######sgdfc891eac9.top
- DNS ASK ra######sgdf4135c619.top
- DNS ASK ra######sgdfa68deb1e.top
- DNS ASK ra######sgdfd18adb88.top
- DNS ASK ra######sgdf48838a32.top
- DNS ASK ra######sgdf3f84baa4.top
- DNS ASK ra######sgdfa1e02f07.top
- DNS ASK ra######sgdfd6e71f91.top
- DNS ASK ra######sgdf3632f68f.top
- DNS ASK ra######sgdfbf96da5f.top
- DNS ASK ra######sgdf2f29c7ce.top
- DNS ASK ra######sgdf582ef758.top
- DNS ASK ra######sgdf14a9e967.top
- DNS ASK ra######sgdf8acd7cc4.top
- DNS ASK ra######sgdffdca4c52.top
- DNS ASK ra######sgdf64c31de8.top
- DNS ASK ra######sgdf13c42d7e.top
- DNS ASK ra######sgdf7303a49b.top
- DNS ASK ra######sgdf0404940d.top
- DNS ASK ra######sgdf94bb899c.top
- DNS ASK ra######sgdfe3bcb90a.top
- DNS ASK ra######sgdf7ab5e8b0.top
- DNS ASK ra######sgdf0db2d826.top
- DNS ASK ra######sgdf93d64d85.top
- DNS ASK ra######sgdfe4d17d13.top
- DNS ASK ra######sgdf7dd82ca9.top
- DNS ASK ra######sgdf0adf1c3f.top
- DNS ASK ra######sgdf4fee4e2b.top
- DNS ASK ra######sgdffaa7884b.top
- DNS ASK ra######sgdf38e97ebd.top
- DNS ASK ra######sgdff8d40b8e.top
- DNS ASK ra######sgdf66572600.top
- DNS ASK ra######sgdff6e83b91.top
- DNS ASK ra######sgdf81ef0b07.top
- DNS ASK ra######sgdf18e65abd.top
- DNS ASK ra######sgdf6fe16a2b.top
- DNS ASK ra######sgdff185ff88.top
- DNS ASK ra######sgdf11501696.top
- DNS ASK ra######sgdf8682cf1e.top
- DNS ASK ra######sgdf688cae32.top
- DNS ASK ra######sgdf084b27d7.top
- DNS ASK ra######sgdf7f4c1741.top
- DNS ASK ra######sgdfeff30ad0.top
- DNS ASK ra######sgdf98f43a46.top
- DNS ASK ra######sgdf01fd6bfc.top
- DNS ASK ra######sgdf1f8b9ea4.top
- DNS ASK ra######sgdfef14b2fd.top
- DNS ASK ra######sgdf9813826b.top
- DNS ASK ra######sgdf011ad3d1.top
- DNS ASK ra######sgdf686b161f.top
- DNS ASK ra######sgdf1f6c2689.top
- DNS ASK ra######sgdf86657733.top
- DNS ASK ra######sgdff16247a5.top
- DNS ASK ra######sgdf6f06d206.top
- DNS ASK ra######sgdf1801e290.top
- DNS ASK ra######sgdf8108b32a.top
- DNS ASK ra######sgdff60f83bc.top
- DNS ASK ra######sgdf96c80a59.top
- DNS ASK ra######sgdfe1cf3acf.top
- DNS ASK ra######sgdf7170275e.top
- DNS ASK ra######sgdf067717c8.top
- DNS ASK ra######sgdf9f7e4672.top
- DNS ASK ra######sgdfe87976e4.top
- DNS ASK ra######sgdf761de347.top
- DNS ASK ra######sgdf9f99fe5f.top
- DNS ASK ra######sgdff51b8ef5.top
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\134121811.js" "<Full path to file>"
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\5a1c9ced0.js"
- '%WINDIR%\syswow64\vssadmin.exe' Delete Shadows /All /Quiet' (with hidden window)
- '<SYSTEM32>\wscript.exe' "%LOCALAPPDATA%\5a1c9ced0.js"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALg...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\maqpqgzi.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCDDA.tmp" "%TEMP%\CSCCDC9.tmp"' (with hidden window)
Executes the following
- '<SYSTEM32>\taskeng.exe' {1EFBDDED-1E16-4829-A6D0-F204AC05CD0D} S-1-5-21-1960123792-2022915161-3775307078-1001:bjqrnapd\user:Interactive:[1]
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALg...
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\maqpqgzi.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCDDA.tmp" "%TEMP%\CSCCDC9.tmp"
