Trojan.DownLoader33.53636

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20065' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31573' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2315' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13055' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20137' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7279' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10346' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15271' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24942' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17932' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2266' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16067' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '187' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12446' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15244' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32133' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3347' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24157' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11810' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6939' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18705' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21513' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11443' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14251' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20290' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '99' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11481' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25545' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18524' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2563' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3369' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31694' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31030' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24503' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6205' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21963' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24519' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8662' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3829' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4762' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23927' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18162' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21694' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10269' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14262' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23609' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26488' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4723' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29236' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5354' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13900' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31452' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7049' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19034' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15354' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21212' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17240' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30410' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '922' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19835' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17361' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7960' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14832' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12967' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7850' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12776' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '160' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3259' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28310' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12907' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12677' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18112' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22534' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17482' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29845' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14723' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2425' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14630' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31079' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7027' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23998' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20049' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26357' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '450' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10499' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10999' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10631' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5925' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17630' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2935' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23548' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24541' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5135' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19435' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15913' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15683' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14613' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18069' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18403' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16769' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2255' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17761' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28501' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28342' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27240' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24031' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9945' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7592' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5014' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11552' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28693' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15090' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9325' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12858' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1432' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5425' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30981' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17652' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12095' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29154' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18464' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32516' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13850' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16659' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5705' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19254' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9726' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26598' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9995' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32242' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9935' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32094' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15392' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26395' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25896' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27421' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17619' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30306' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30076' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29006' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4180' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18996' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21091' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14800' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15074' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23417' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28211' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29746' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19988' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9506' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31523' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1109' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15194' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22002' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29286' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5683' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16708' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '659' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6276' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4954' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27651' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20899' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '911' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25024' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24371' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21782' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4531' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16017' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2206' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6007' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25907' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9095' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12825' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31403' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8179' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8514' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6879' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8574' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13697' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18453' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9144' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22023' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12265' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18343' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22276' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8102' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12002' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18414' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16385' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '368' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4361' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19166' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25923' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32566' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13368' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9907' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21842' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1070' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24963' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4833' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '209' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30597' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2376' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7060' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25814' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32385' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5283' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21453' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25484' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8875' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27871' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21300' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32352' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14942' = '<Full path to file>'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Modifies file system

Creates the following files

C:\lsass.exe

Network activity

Connects to

'12#.#9.152.99':3128
'24.#.101.173':3128
'24.##0.93.198':3128
'12#.#67.227.207':3128
'98.##3.163.223':3128
'88.##6.140.63':3128
'67.##4.228.190':3128
'76.##9.59.198':3128
'12#.#44.227.211':3128
'98.##9.144.177':3128
'76.##8.29.165':3128
'68.##.116.243':3128
'85.#5.59.77':3128
'12#.#6.17.73':3128
'18#.#8.82.126':3128
'67.##.183.115':3128
'21#.#48.255.97':3128
'68.##2.35.71':3128
'22#.#0.46.241':3128
'24.##6.142.175':3128
'24.##6.70.130':3128
'78.##.131.149':3128
'14#.#08.165.167':3128
'80.##2.240.210':3128
'98.##2.15.128':3128
'72.##8.219.233':3128
'70.#61.5.54':3128
'20#.#2.201.205':3128
'85.##9.84.108':3128
'18#.#5.181.51':3128
'88.##5.124.142':3128
'19#.#99.17.97':3128
'76.##.99.173':3128
'68.##5.30.247':3128
'76.##0.14.58':3128
'18#.#8.61.88':3128
'76.##.223.90':3128
'75.##5.154.235':3128
'19#.#74.95.251':3128
'76.##2.118.22':3128
'18#.#3.165.6':3128
'76.##2.13.246':3128
'80.##.139.153':3128
'67.##.249.135':3128
'24.##8.74.91':3128
'98.##6.195.108':3128
'64.##5.142.140':3128
'24.##8.8.189':3128
'24.##4.60.115':3128
'69.##9.49.85':3128
'69.##2.83.44':3128
'21#.#53.159.69':3128
'67.##2.55.202':3128
'20#.#.191.135':3128
'21#.#19.181.123':3128
'76.##3.82.87':3128
'85.##9.253.227':3128
'16#.#32.242.201':3128
'70.##1.253.221':3128
'76.##5.211.200':3128
'76.##4.39.199':3128
'78.##.210.31':3128
'98.##4.149.92':3128
'68.##.198.131':3128
'94.##6.154.173':3128
'96.##.158.65':3128
'76.##9.141.49':3128
'71.##9.76.103':3128
'19#.#40.185.213':3128
'62.##1.92.44':3128
'91.#8.46.66':3128
'76.##5.208.51':3128
'68.##6.88.185':3128
'22#.#6.16.176':3128
'75.##9.230.124':3128
'18#.#3.70.175':3128
'67.#2.3.13':3128
'75.#0.1.65':3128
'75.##.206.12':3128
'98.##0.218.227':3128
'76.##9.50.75':3128
'18#.#8.229.150':3128
'74.##7.192.48':3128
'98.##3.255.13':3128
'20#.#33.61.29':3128
'76.##.34.161':3128
'67.##2.56.188':3128
'69.##9.80.49':3128
'24.##9.121.0':3128
'86.##6.14.42':3128
'24.#.120.140':3128
'19#.#9.52.138':3128
'70.##7.109.173':3128
'18#.#5.186.6':3128
'18#.#9.145.181':3128
'67.##7.62.51':3128
'72.##4.6.237':3128
'12#.#.145.188':3128
'65.##5.145.141':3128
'66.##.104.157':3128
'89.##.98.154':3128
'19#.#05.17.14':3128
'98.##1.78.135':3128
'19#.#5.28.140':3128
'21#.#27.18.198':3128
'82.##.37.247':3128
'99.##5.68.251':3128
'24.##7.39.108':3128
'20#.#38.240.62':3128
'69.##6.213.245':3128
'99.##9.53.157':3128
'20#.#20.222.72':3128
'97.##.24.152':3128
'18#.#.49.186':3128
'21#.#31.114.204':3128
'76.##.15.188':3128
'76.##8.249.78':3128
'96.##.227.51':3128
'71.##8.88.204':3128
'20#.#.222.212':3128
'72.##0.114.96':3128
'20#.#31.255.34':3128
'70.##8.186.155':3128
'76.##4.155.68':3128
'20#.#46.213.28':3128
'21#.#7.128.4':3128
'20#.#.210.202':3128
'18#.#2.133.87':3128
'21#.#53.155.189':3128
'20#.#2.188.171':3128
'17#.#0.100.79':3128
'59.##.210.230':3128
'20#.#80.140.151':3128
'84.##0.253.96':3128
'76.##.23.229':3128
'98.#0.65.78':3128
'24.##.232.175':3128
'89.##.63.223':3128
'18#.#09.32.126':3128
'20#.#44.7.234':3128
'72.#08.73.9':3128
'24.#90.1.4':3128
'61.##.214.57':3128
'75.##2.12.31':3128
'20#.#8.45.56':3128
'59.##.11.201':3128
'68.#3.42.60':3128
'69.##3.197.73':3128
'24.##6.214.145':3128
'67.##7.179.152':3128
'87.##6.197.233':3128
'12#.#41.151.14':3128

Miscellaneous

Creates and executes the following

'C:\lsass.exe' exe <Full path to file>

Executes the following

'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней