Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2714' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2040' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3059' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32292' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12494' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10508' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29849' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7306' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30306' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32137' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12213' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25235' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6922' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31834' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19357' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21290' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16663' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2498' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1354' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7483' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27522' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1086' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6594' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11855' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22296' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25524' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28679' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6973' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28986' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19434' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16305' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24928' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22563' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '184' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3745' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10901' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12719' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1824' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27242' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25196' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22244' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30867' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25498' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31437' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5907' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32482' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31998' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4483' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30384' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15075' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13866' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23288' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22154' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23772' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25654' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8972' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16115' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22589' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14375' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10103' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20794' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29862' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27307' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17134' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1837' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13625' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32024' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13901' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15226' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9874' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4202' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25412' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12684' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24471' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22106' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24001' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11082' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21407' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7038' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6796' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19512' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16421' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16918' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30829' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6555' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11259' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16051' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10293' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15329' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6020' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16154' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27510' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28209' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '210' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10612' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3616' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30268' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7992' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13979' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8091' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10850' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25157' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18139' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2955' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32266' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6848' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19257' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3844' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27380' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15645' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18165' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12507' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1876' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31386' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13482' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15554' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32581' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '284' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4772' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14617' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2649' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7289' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19969' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8691' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27078' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6097' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12964' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8195' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5640' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29926' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22002' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6581' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8704' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12809' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '909' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2330' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29240' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29404' = '<Full path to file>'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Modifies file system
Creates the following files
- C:\lsass.exe
Network activity
Connects to
- '24.##8.234.224':3128
- '86.#7.224.4':3128
- '20#.#5.148.207':3128
- '20#.#9.19.104':3128
- '59.#.4.188':3128
- '91.##.206.86':3128
- '64.##8.148.152':3128
- '67.##3.217.124':3128
- '19#.#10.41.99':3128
- '89.##3.142.181':3128
- '18#.#8.196.221':3128
- '74.#8.32.82':3128
- '82.##1.119.31':3128
- '78.##.159.184':3128
- '76.##.113.152':3128
- '18#.#3.21.185':3128
- '82.#3.4.151':3128
- '89.##.39.100':3128
- '84.##6.91.230':3128
- '83.#7.2.9':3128
- '62.##.177.196':3128
- '98.##0.39.21':3128
- '20#.86.0.42':3128
- '78.##5.141.179':3128
- '18#.#2.213.51':3128
- '15#.#10.47.52':3128
- '83.##3.108.161':3128
- '18#.#0.239.238':3128
- '81.##1.223.170':3128
- '83.##.159.142':3128
- '84.##2.149.173':3128
- '19#.#5.105.78':3128
- '18#.#5.145.239':3128
- '72.##7.60.181':3128
- '77.##.135.125':3128
- '20#.#5.215.215':3128
- '17#.#6.238.19':3128
- '80.##9.212.170':3128
- '24.##0.159.165':3128
- '18#.#21.96.94':3128
- '14#.#51.134.72':3128
- '21#.#0.230.94':3128
- '18#.#1.240.102':3128
- '79.##9.248.58':3128
- '21#.#53.129.127':3128
- '82.##7.236.171':3128
- '83.##3.51.201':3128
- '72.##4.138.83':3128
- '18#.#4.120.86':3128
- '78.#.73.61':3128
- '24.##2.154.7':3128
- '85.##0.20.238':3128
- '18#.#7.56.100':3128
- '89.##2.25.142':3128
- '59.#8.102.8':3128
- '20#.#0.3.104':3128
- '19#.#.216.20':3128
- '71.##9.84.249':3128
- '18#.#5.135.36':3128
- '76.##.136.204':3128
- '14#.#61.251.101':3128
- '98.##3.127.251':3128
- '69.##2.132.215':3128
- '17#.#0.72.154':3128
- '19#.#0.58.154':3128
- '77.##.158.250':3128
- '18#.#11.141.8':3128
- '18#.#3.161.172':3128
- '68.##.136.70':3128
- '20#.#5.45.190':3128
- '67.##1.33.242':3128
- '20#.#7.109.204':3128
- '81.##4.228.130':3128
- '93.##3.12.66':3128
- '18#.#2.28.64':3128
- '21#.#7.43.128':3128
- '81.##0.59.235':3128
- '74.##0.48.169':3128
- '87.##0.75.110':3128
- '89.##.187.121':3128
- '12#.#36.61.106':3128
- '11#.#98.226.4':3128
- '70.##.162.93':3128
- '85.##.199.201':3128
- '18#.#20.80.133':3128
- '20#.#8.74.220':3128
- '15#.#7.162.20':3128
- '70.#1.5.102':3128
- '21#.#51.211.127':3128
- '84.##1.203.233':3128
- '24.##.71.246':3128
- '98.##7.76.39':3128
- '68.##.67.253':3128
- '90.##8.209.207':3128
- '21#.#67.27.216':3128
- '20#.#07.17.200':3128
- '78.##.247.68':3128
- '12#.#05.168.140':3128
- '12#.6.25.29':3128
- '78.##.51.140':3128
- '20#.#7.5.122':3128
- '19#.#42.33.164':3128
- '18#.#1.64.218':3128
- '99.##5.227.186':3128
- '79.##1.39.70':3128
- '82.##7.16.85':3128
- '81.##5.147.103':3128
- '18#.#27.229.253':3128
- '11#.#4.164.72':3128
- '19#.#7.250.15':3128
- '20#.#5.107.88':3128
- '20#.#3.110.248':3128
- '88.##2.149.42':3128
- '90.##5.70.240':3128
- '89.#30.7.8':3128
- '82.##2.23.36':3128
- '14#.#29.203.93':3128
- '21#.#32.142.13':3128
- '62.##3.243.91':3128
- '69.##0.83.232':3128
- '85.##0.51.213':3128
- '99.##6.185.71':3128
- '69.##0.174.227':3128
- '19#.#4.186.31':3128
- '24.##9.253.195':3128
- '92.##.217.104':3128
- '18#.4.16.91':3128
- '84.##6.44.157':3128
- '21#.#00.180.10':3128
- '20#.#42.28.215':3128
- '83.##9.25.44':3128
- '84.##8.172.27':3128
- '82.##1.10.69':3128
- '22#.#08.108.232':3128
- '19#.#19.159.195':3128
- '12#.#3.49.151':3128
- '17#.89.7.66':3128
- '68.##.151.140':3128
- '19#.#88.249.46':3128
- '21#.#3.10.233':3128
- '70.##.202.16':3128
- '21#.#5.115.132':3128
- '12#.#09.78.34':3128
- '89.##.251.39':3128
- '98.##2.162.219':3128
Miscellaneous
Creates and executes the following
- 'C:\lsass.exe' exe <Full path to file>
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
