Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\dblue3.lnk
- <Drive name for removable media>:\kblue6.lnk
- <Drive name for removable media>:\jblue6.lnk
- <Drive name for removable media>:\iblue6.lnk
- <Drive name for removable media>:\hblue6.lnk
- <Drive name for removable media>:\gblue6.lnk
- <Drive name for removable media>:\fblue6.lnk
- <Drive name for removable media>:\eblue6.lnk
- <Drive name for removable media>:\blue6.bin
- <Drive name for removable media>:\dblue6.lnk
- <Drive name for removable media>:\kblue3.lnk
- <Drive name for removable media>:\jblue3.lnk
- <Drive name for removable media>:\iblue3.lnk
- <Drive name for removable media>:\hblue3.lnk
- <Drive name for removable media>:\gblue3.lnk
- <Drive name for removable media>:\fblue3.lnk
- <Drive name for removable media>:\eblue3.lnk
- <Drive name for removable media>:\blue3.bin
- <Drive name for removable media>:\readme.js
Modifies file system
Creates the following files
- %TEMP%\eu2wdm_q.0.cs
- %TEMP%\csc17e3.tmp
- %TEMP%\dnq1xdmh.out
- %TEMP%\dnq1xdmh.cmdline
- %TEMP%\dnq1xdmh.0.cs
- %TEMP%\mimi.dat
- %TEMP%\dzhdyooa.dll
- %TEMP%\res47ca.tmp
- %TEMP%\o09rda3m.dll
- %TEMP%\csc47c9.tmp
- %TEMP%\res4589.tmp
- %TEMP%\dzhdyooa.out
- %TEMP%\dzhdyooa.cmdline
- %TEMP%\dzhdyooa.0.cs
- %TEMP%\res17e4.tmp
- %TEMP%\csc4588.tmp
- %TEMP%\o09rda3m.cmdline
- %TEMP%\o09rda3m.0.cs
- %TEMP%\sskgveib.dll
- %TEMP%\res3b1d.tmp
- %TEMP%\csc3b0c.tmp
- %TEMP%\sskgveib.out
- %TEMP%\sskgveib.cmdline
- %TEMP%\sskgveib.0.cs
- %TEMP%\eu2wdm_q.dll
- %TEMP%\res390b.tmp
- %TEMP%\csc38fa.tmp
- %TEMP%\eu2wdm_q.out
- %TEMP%\eu2wdm_q.cmdline
- %TEMP%\o09rda3m.out
- %TEMP%\dnq1xdmh.dll
Deletes the following files
- %TEMP%\res390b.tmp
- %TEMP%\o09rda3m.0.cs
- %TEMP%\o09rda3m.out
- %TEMP%\res47ca.tmp
- %TEMP%\csc47c9.tmp
- %TEMP%\dzhdyooa.dll
- %TEMP%\dzhdyooa.out
- %TEMP%\dzhdyooa.pdb
- %TEMP%\dnq1xdmh.pdb
- %TEMP%\dzhdyooa.cmdline
- %TEMP%\res17e4.tmp
- %TEMP%\csc17e3.tmp
- %TEMP%\dnq1xdmh.0.cs
- %TEMP%\dnq1xdmh.cmdline
- %TEMP%\dnq1xdmh.out
- %TEMP%\o09rda3m.pdb
- %TEMP%\dzhdyooa.0.cs
- %TEMP%\o09rda3m.cmdline
- %TEMP%\res3b1d.tmp
- %TEMP%\csc38fa.tmp
- %TEMP%\eu2wdm_q.cmdline
- %TEMP%\eu2wdm_q.out
- %TEMP%\eu2wdm_q.0.cs
- %TEMP%\eu2wdm_q.pdb
- %TEMP%\eu2wdm_q.dll
- %TEMP%\csc3b0c.tmp
- %TEMP%\csc4588.tmp
- %TEMP%\sskgveib.cmdline
- %TEMP%\sskgveib.pdb
- %TEMP%\sskgveib.dll
- %TEMP%\sskgveib.out
- %TEMP%\sskgveib.0.cs
- %TEMP%\res4589.tmp
- %TEMP%\o09rda3m.dll
- %TEMP%\dnq1xdmh.dll
Network activity
Connects to
- 'd.##38l.com':80
- 'ap#.#pify.org':443
- 'microsoft.com':80
TCP
- 'ap#.#pify.org':443
UDP
- DNS ASK d.##38l.com
- DNS ASK ap#.#pify.org
- DNS ASK microsoft.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eu2wdm_q.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES390B.tmp" "%TEMP%\CSC38FA.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\sskgveib.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3B1D.tmp" "%TEMP%\CSC3B0C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\o09rda3m.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4589.tmp" "%TEMP%\CSC4588.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dzhdyooa.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES47CA.tmp" "%TEMP%\CSC47C9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dnq1xdmh.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES17E4.tmp" "%TEMP%\CSC17E3.tmp"' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\eu2wdm_q.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES390B.tmp" "%TEMP%\CSC38FA.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\sskgveib.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3B1D.tmp" "%TEMP%\CSC3B0C.tmp"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -s -NoLogo -NoProfile
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\o09rda3m.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4589.tmp" "%TEMP%\CSC4588.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dzhdyooa.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES47CA.tmp" "%TEMP%\CSC47C9.tmp"
- '<SYSTEM32>\whoami.exe' /user
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dnq1xdmh.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES17E4.tmp" "%TEMP%\CSC17E3.tmp"
- '<SYSTEM32>\ipconfig.exe' /all
- '<SYSTEM32>\ipconfig.exe' /displaydns
- '<SYSTEM32>\netstat.exe' -ano
