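Technical Information
The entries below list, in order: autorun values written under the 32-bit (Wow6432Node) Run key, a Windows Firewall setting change, a file path, remote address:port pairs, and command lines. Some digits of the IP addresses are masked with '#' in this listing, so they cannot be used verbatim as blocklist or detection indicators. Most entries use port 3128, commonly associated with HTTP proxies, and a few use port 6667, commonly associated with IRC.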
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32393' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25541' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19177' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22708' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2979' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4096' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21340' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20122' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6105' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9883' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19629' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4105' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22169' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31784' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9381' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9017' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21913' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22541' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28411' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18754' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22917' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27621' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15837' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8301' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14679' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23090' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12795' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28755' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29830' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7352' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22290' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26951' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2803' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15302' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16549' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26462' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5933' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6841' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29035' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1635' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10548' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11381' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1644' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18126' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28211' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24206' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25746' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12962' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15670' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21582' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '686' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8143' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25704' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2984' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9715' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2845' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32245' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16888' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19247' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12227' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6050' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30253' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21206' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14586' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3649' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29839' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26997' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7678' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13256' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10590' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32044' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6306' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2691' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19377' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30784' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32584' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17377' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3900' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1389' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27286' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '393' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17805' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20833' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4268' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13139' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22885' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11385' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10171' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '732' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8841' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5436' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '184' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25709' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2635' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14390' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29793' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23164' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7427' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17424' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26076' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7557' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11051' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20331' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31491' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8548' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3928' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18624' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18749' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28700' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3803' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28174' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18587' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29746' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24499' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11302' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18666' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26290' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10511' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10506' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19415' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19801' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27244' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8222' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18135' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25127' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30374' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31282' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20708' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7343' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6557' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28128' = '<Full path to file>'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000' (a value of 0 turns Windows Firewall off for the standard profile)
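- C:\lsass.exe (the genuine Windows lsass.exe resides in <SYSTEM32>; a file of this name in the drive root should be treated as name masquerading)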
- '88.##5.169.190':3128
- '41.##7.23.132':3128
- '19#.#78.188.78':3128
- '12#.#83.86.128':3128
- '11#.#00.25.147':3128
- '62.#35.47.3':3128
- '21#.#1.249.45':3128
- '21#.#63.1.111':3128
- '95.#6.97.34':3128
- '21#.#41.66.98':3128
- '22#.#21.70.244':3128
- '20#.#63.238.118':3128
- '92.##.199.121':3128
- '14#.#36.25.12':3128
- '85.##6.232.248':3128
- '19#.#17.202.60':3128
- '60.#9.41.63':3128
- '11#.#7.52.145':3128
- '12#.#68.246.183':3128
- '19#.#10.253.56':3128
- '92.##4.173.179':3128
- '83.#.71.44':3128
- '82.##9.181.50':3128
- '94.##3.221.234':3128
- '22#.#52.204.140':3128
- '92.##.215.128':3128
- '82.##8.148.6':3128
- '77.##.183.213':3128
- '18#.#5.9.206':3128
- '77.##.183.207':3128
- '12#.#62.227.112':3128
- '78.##5.46.28':3128
- '12#.#89.165.64':3128
- '19#.#.147.59':3128
- '78.##.213.60':3128
- '89.##8.66.213':3128
- '19#.#03.28.166':3128
- '87.##6.195.207':3128
- '11#.#8.69.166':3128
- '82.##3.221.63':3128
- '81.##5.85.215':3128
- '82.##1.200.202':6667
- '95.##2.55.88':3128
- '19#.#46.106.12':3128
- '88.##3.179.180':3128
- '20#.#71.33.111':3128
- '41.##4.223.194':3128
- '20#.#09.202.227':3128
- '18#.#18.36.115':3128
- '89.##.88.140':3128
- '62.##2.166.250':3128
- '41.##7.15.154':3128
- '41.##1.113.226':3128
- '20#.#70.79.102':3128
- '12#.#41.147.103':3128
- '41.##1.12.238':3128
- '11#.#4.125.85':3128
- '11#.9.25.60':3128
- '79.#5.112.6':6667
- '20#.#72.110.64':6667
- '11#.#1.236.243':3128
- '89.##7.75.85':3128
- '82.##9.127.108':3128
- '94.##3.233.124':3128
- '19#.#41.248.24':3128
- '83.##.234.230':3128
- '81.##0.246.247':3128
- '88.##8.35.94':3128
- '22#.#17.255.41':3128
- '21#.#4.98.21':3128
- '84.#2.226.1':3128
- '92.##.53.120':3128
- '59.##1.68.246':3128
- '78.##0.6.202':3128
- '21#.#5.158.126':3128
- '12#.#3.105.87':3128
- '21#.#19.194.130':3128
- '82.##.103.65':3128
- '41.##7.28.195':3128
- '11#.#10.160.216':3128
- '94.##3.230.13':3128
- '11#.#71.225.95':3128
- '78.##6.109.85':3128
- '18#.#27.129.97':3128
- '12#.#65.52.220':3128
- '83.#.78.219':3128
- '41.##9.50.119':3128
- '19#.#04.248.190':3128
- '61.##.24.217':3128
- '85.#4.83.24':3128
- '21#.#28.216.119':3128
- '61.##1.188.68':3128
- '12#.#68.237.206':3128
- '95.##.82.248':3128
- '41.##9.126.124':3128
- '12#.#58.65.165':3128
- '11#.#7.75.98':3128
- '22#.#22.98.246':3128
- '83.#.74.80':3128
- '85.##7.57.116':3128
- '86.##.149.208':3128
- '59.##.228.138':3128
- '87.##.199.162':3128
- '83.##.173.187':3128
- '79.##8.201.103':3128
- '79.##2.90.85':3128
- '59.##.141.251':3128
- '12#.#01.122.203':3128
- '11#.#2.171.90':3128
- '11#.#98.92.174':3128
- '87.##6.45.71':3128
- '78.##.49.122':3128
- '41.##4.193.23':3128
- '82.##.131.217':3128
- '14#.#25.62.191':3128
- '78.#.139.210':3128
- '21#.#14.156.227':3128
- '18#.#29.231.145':3128
- '41.##4.139.12':3128
- '79.#.187.232':3128
- '62.##0.190.109':3128
- '21#.#24.89.29':3128
- '78.##5.204.185':3128
- '41.##9.51.66':3128
- '78.##.185.170':3128
- '15#.#4.229.127':3128
- '18#.19.2.17':3128
- '41.##4.233.130':3128
- '41.##4.158.76':3128
- '41.##7.27.156':3128
- '82.##4.195.16':3128
- '41.##9.32.95':3128
- '21#.#19.104.5':3128
- '11#.#00.113.179':3128
- '41.##1.111.216':3128
- '86.##6.114.151':3128
- '18#.#15.32.134':3128
- '62.##1.154.51':3128
- '83.##.162.157':3128
- '16#.#25.115.89':3128
- '41.##4.140.227':3128
- '93.##0.127.220':3128
- '19#.#06.118.178':3128
- '11#.#4.176.94':3128
- '79.##.56.223':3128
- '81.##.115.138':3128
- '41.##2.95.234':3128
- '83.##.246.126':3128
- '41.##9.32.65':3128
- '87.#1.10.86':3128
- '14#.#15.73.142':3128
- '20#.#46.69.177':3128
- '70.##.217.42':3128
- '83.#.97.26':3128
- '11#.#7.52.161':3128
- '41.##9.35.129':3128
- '11#.#53.64.208':3128
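- '10.#.1.254':3128 (10.0.0.0/8 is private address space, so this entry is an internal address rather than an Internet host)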
- '21#.#6.71.242':3128
- '20#.#70.97.21':3128
- '79.#5.112.6':3128
- '12#.#68.219.1':3128
- '62.##8.185.174':3128
- '18#.#20.97.228':3128
- '82.##0.250.83':3128
- '80.##.126.148':3128
- '61.##.216.15':6667
- 'C:\lsass.exe' exe <Full path to file>
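- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
  (This command line appears to be the Windows Firewall notification dialog being invoked for the analysed file, not a component of the sample itself.)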