Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23586' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18275' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16600' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19892' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22256' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2316' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28817' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28264' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29434' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16209' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26240' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4764' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11446' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21835' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22484' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22232' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8502' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4454' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23988' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31572' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29052' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23606' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21850' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11975' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2283' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7542' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3681' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '731' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21558' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '374' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28183' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5031' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26622' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21005' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8941' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4535' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18118' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31394' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21549' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11364' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19330' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10998' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23296' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29735' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25134' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22924' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21826' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20819' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17078' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17607' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3796' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27873' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3008' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1219' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31873' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26727' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8282' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18476' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21736' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17168' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11933' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23778' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31915' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23573' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3299' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19616' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10940' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19811' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '722' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16257' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15713' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28655' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8023' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9332' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23329' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26078' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5552' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31963' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9795' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23372' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28532' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10162' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29247' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29792' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5943' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10210' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30793' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10396' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29338' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3251' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5861' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11999' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1357' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29271' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12038' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11494' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25176' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3805' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5852' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15168' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15592' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '407' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27792' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14576' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2292' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24623' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18266' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6941' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8926' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11121' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18753' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17306' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22599' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32426' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13990' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10901' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30946' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28393' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25338' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13469' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14777' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4096' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26313' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26989' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17297' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4502' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17330' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10324' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31223' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32330' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12778' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18160' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23615' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29753' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23696' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32011' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25639' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '837' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4340' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17574' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '383' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '578' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2139' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '521' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31614' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11680' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22557' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18696' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15746' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15388' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13641' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10640' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10429' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20046' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8868' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2512' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23955' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19550' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '365' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11298' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13818' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6234' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10510' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14257' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25777' = '<Full path to file>'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Launches a large number of processes
Modifies file system
Creates the following files
- C:\lsass.exe
Network activity
Connects to
- '84.#49.4.49':3128
- '20#.#2.66.38':3128
- '16#.#46.210.246':3128
- '21#.#0.223.161':3128
- '19#.#2.53.44':3128
- '82.##0.97.85':3128
- '20#.#31.95.156':3128
- '94.##9.4.145':3128
- '19#.#7.120.74':3128
- '78.##.196.53':3128
- '20#.#93.116.218':3128
- '18#.#.60.115':3128
- '20#.#17.84.254':3128
- '78.##.53.124':3128
- '19#.#7.181.100':3128
- '20#.#.192.75':3128
- '84.##0.58.244':3128
- '98.##0.39.21':3128
- '98.##5.223.4':3128
- '79.##8.186.70':3128
- '20#.#35.148.42':3128
- '62.##9.136.101':3128
- '19#.#7.33.165':3128
- '20#.#3.189.186':3128
- '93.##3.32.100':3128
- '84.##9.120.215':3128
- '15#.#00.77.172':3128
- '59.##.242.247':3128
- '19#.#0.158.86':3128
- '19#.#00.145.25':3128
- '18#.#1.238.55':3128
- '91.##7.16.192':3128
- '60.##3.24.44':3128
- '19#.#7.217.26':3128
- '77.##4.72.95':3128
- '20#.#17.8.35':3128
- '20#.#.123.118':3128
- '93.##2.155.128':3128
- '18#.#6.1.124':3128
- '78.##.51.140':3128
- '20#.#3.196.15':3128
- '70.##.202.16':3128
- '67.##3.217.124':3128
- '82.##4.82.17':3128
- '20#.#6.113.81':3128
- '20#.#40.17.73':3128
- '16#.#14.45.9':3128
- '20#.#.165.21':3128
- '86.##1.159.17':3128
- '85.##2.157.70':3128
- '84.##2.142.86':3128
- '19#.#59.81.132':3128
- '21#.#11.163.202':3128
- '12#.#52.60.54':3128
- '18#.#5.213.197':3128
- '82.##.209.99':3128
- '19#.#8.190.188':3128
- '78.##.189.82':3128
- '84.#0.12.72':3128
- '88.##1.216.205':3128
- '18#.#.240.155':3128
- '88.#.87.204':3128
- '89.#5.85.68':3128
- '12#.#38.62.206':3128
- '24.##0.177.144':3128
- '86.#.42.240':3128
- '77.##2.169.76':3128
- '41.##7.13.33':3128
- '89.##7.124.225':3128
- '12.##8.196.117':3128
- '84.##8.223.180':3128
- '75.##8.112.243':3128
- '19#.#58.77.113':3128
- '86.##2.251.11':3128
- '69.#38.24.2':3128
- '82.##1.172.110':3128
- '89.##.175.228':3128
- '87.##6.105.67':3128
- '82.##1.119.31':3128
- '89.##.240.101':3128
- '89.##.65.233':3128
- '20#.#14.26.205':3128
- '20#.#07.17.200':3128
- '81.##0.224.170':3128
- '88.#.80.170':3128
- '24.#7.42.26':3128
- '99.##6.185.71':3128
- '17#.#8.204.137':3128
- '71.#3.3.97':3128
- '83.##3.78.225':3128
- '77.#8.45.69':3128
- '98.##3.127.251':3128
- '12#.#0.98.26':3128
- '21#.22.54.6':3128
- '89.##5.43.239':3128
- '84.##1.203.233':3128
- '12#.#42.63.165':3128
- '20#.#34.132.2':3128
- '12#.#23.111.59':3128
- '77.##.158.250':3128
- '82.##6.197.246':3128
- '79.##.44.188':3128
- '88.##5.158.186':3128
- '18#.#9.149.145':3128
- '85.##8.118.184':3128
- '19#.5.30.42':3128
- '20#.#10.169.58':3128
- '24.##9.253.195':3128
- '79.#18.5.27':3128
- '11#.#3.135.187':3128
- '71.##6.197.190':3128
- '84.##.250.26':3128
- '19#.#.102.219':3128
- '24.##5.47.40':3128
- '83.##2.208.6':3128
- '79.##5.64.191':3128
- '19#.#00.48.229':3128
- '19#.#0.41.165':3128
- '79.##0.194.23':3128
- '20#.#5.89.208':3128
- '17#.#1.64.207':3128
- '79.##2.9.100':3128
- '18#.#2.234.104':3128
- '19#.#43.39.213':3128
- '20#.#5.50.254':3128
- '15#.#95.166.25':3128
- '20#.#81.184.110':3128
- '18#.#.21.200':3128
- '81.##.151.184':3128
- '88.##.196.28':3128
- '78.##.72.201':3128
- '89.##.244.57':3128
- '19#.#8.24.131':3128
- '88.##3.106.50':3128
- '84.##2.87.192':3128
- '18#.#3.156.59':3128
- '64.##.137.184':3128
- '20#.#25.76.107':3128
- '19#.#64.45.195':3128
- '20#.#3.34.241':3128
- '18#.#22.149.197':3128
- '19#.#39.195.34':3128
- '19#.#0.40.15':3128
- '88.##4.218.119':3128
- '20#.#5.31.92':3128
- '18#.#5.146.59':3128
- '84.##8.172.27':3128
Miscellaneous
Creates and executes the following
- 'C:\lsass.exe' exe <Full path to file>
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
