Trojan.DownLoader33.1958

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17987' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '222' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8451' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7252' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21137' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '133' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1338' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32665' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8185' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14974' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17855' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2188' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3882' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29590' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9755' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8350' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6314' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2743' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10009' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23964' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1592' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20594' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20564' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25080' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19189' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10924' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24472' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27205' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14313' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14632' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22648' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27223' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31750' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20942' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26143' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12630' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25481' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27601' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4313' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32270' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8256' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19141' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31857' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23368' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2819' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10795' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13085' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5883' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19625' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18539' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6007' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7389' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14419' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7554' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28327' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25871' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29673' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21981' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15423' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12973' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19891' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10452' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20216' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26325' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8740' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19065' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19909' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23711' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13628' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26597' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31727' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5317' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31981' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31065' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17967' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6668' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9283' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12937' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3788' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32754' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23675' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23988' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3758' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22595' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3032' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14130' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3953' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30647' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13752' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '659' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23911' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20269' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '671' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10293' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23333' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19082' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22955' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11503' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29909' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13516' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23102' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27819' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9030' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31674' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12831' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25115' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11172' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4219' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16727' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4868' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24324' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '871' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32447' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22341' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3126' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14543' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13250' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5104' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18179' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2129' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '346' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24791' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30033' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23079' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9390' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28215' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32394' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19826' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20434' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17837' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4401' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3829' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16402' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22683' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25712' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '80' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24667' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9679' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16597' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17099' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25174' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19531' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19248' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7625' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16414' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6651' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26503' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21621' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23805' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18197' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17282' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15700' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4579' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16202' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24743' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18108' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25493' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7341' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27784' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3067' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21013' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11863' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18079' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24867' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30700' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31927' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18486' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8799' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4903' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26054' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21875' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8292' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13173' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14018' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7247' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14165' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14667' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22742' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4201' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16815' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5193' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1084' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26810' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28527' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7607' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19714' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25009' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20452' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6798' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25552' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8421' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3575' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5269' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30977' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11143' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9738' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7701' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4130' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20222' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22719' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11396' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15877' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2111' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21951' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28704' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14271' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18073' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13191' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5015' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5157' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25045' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15535' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25351' = '<Full path to file>'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24726' = '<Full path to file>'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Modifies file system

Creates the following files

C:\lsass.exe

Network activity

Connects to

'99.##0.158.15':3128
'69.##.49.228':3128
'20#.#5.57.254':3128
'99.##6.21.23':3128
'19#.#83.141.237':3128
'17#.#1.24.213':3128
'83.##3.53.24':3128
'14#.#00.126.65':3128
'70.##6.153.37':3128
'69.##5.119.42':3128
'12#.#58.69.126':3128
'62.##1.211.245':3128
'99.##3.208.73':3128
'78.##.209.138':3128
'67.##7.119.211':3128
'88.##5.124.142':3128
'20#.#2.197.191':3128
'95.##.32.205':3128
'59.#6.43.53':3128
'98.##5.84.236':3128
'98.##2.108.247':3128
'76.##.254.162':3128
'19#.#74.31.19':3128
'80.##3.159.169':3128
'96.#.109.140':3128
'89.##3.32.197':3128
'61.##.160.15':3128
'11#.#93.99.156':3128
'89.##2.49.97':3128
'21#.#14.10.155':3128
'24.##2.150.121':3128
'68.#5.7.125':3128
'12#.#21.196.245':3128
'89.#1.45.75':3128
'82.##.232.100':3128
'20#.#4.168.238':3128
'11#.#37.24.57':3128
'76.##.94.234':3128
'70.##.106.187':3128
'86.##5.93.118':3128
'66.##.101.49':3128
'71.##5.9.218':3128
'80.##3.26.19':3128
'17#.#3.72.37':3128
'20#.#0.55.194':3128
'99.##1.99.45':3128
'88.##5.245.61':3128
'89.##.138.57':3128
'69.##5.116.91':3128
'18#.#21.96.94':3128
'84.##.83.186':3128
'24.##.210.128':3128
'79.##3.190.66':3128
'20#.#7.241.135':3128
'86.##3.156.48':3128
'64.##3.240.133':3128
'99.##0.169.20':3128
'21#.#12.15.216':3128
'18#.#58.232.173':3128
'20#.#30.105.180':3128
'84.##.126.15':3128
'95.#6.0.161':3128
'75.#5.92.92':3128
'83.##5.115.57':3128
'12#.#41.197.188':3128
'62.##1.92.44':3128
'83.##0.123.101':3128
'69.##.85.238':3128
'87.##.172.100':3128
'16#.#32.223.191':3128
'98.##3.208.42':3128
'12#.#00.61.136':3128
'88.##0.112.166':3128
'24.##4.163.140':3128
'12#.#53.85.108':3128
'19#.#5.174.228':3128
'69.##7.124.222':3128
'20#.#68.252.115':3128
'72.##9.147.86':3128
'20#.#03.240.104':3128
'87.##0.55.68':3128
'89.##2.29.54':3128
'70.##0.78.228':3128
'86.##1.115.84':3128
'20#.#71.244.183':3128
'24.#6.61.39':3128
'18#.#8.20.97':3128
'99.##8.209.16':3128
'71.##0.146.108':3128
'66.##.85.235':3128
'70.##6.55.65':3128
'82.#2.22.57':3128
'74.##.175.57':3128
'11#.#4.191.93':3128
'18#.#1.253.182':3128
'76.##.135.63':3128
'12#.#06.202.130':3128
'98.#02.5.95':3128
'22#.#55.122.196':3128
'68.##7.98.133':3128
'59.##.205.35':3128
'70.##.202.16':3128
'17#.#9.33.209':3128
'99.##5.68.251':3128
'19#.#99.151.245':3128
'78.##.214.156':3128
'69.##3.88.223':3128
'85.#5.54.69':3128
'12#.#8.184.181':3128
'24.##.201.111':3128
'69.##4.125.151':3128
'75.##8.134.91':3128
'20#.#22.239.156':3128
'18#.#4.210.49':3128
'66.##.185.171':3128
'66.##3.117.18':3128
'12#.#41.131.226':3128
'21#.#17.199.48':3128
'91.##0.96.32':3128
'18#.#5.125.120':3128
'75.##4.74.25':3128
'12#.#53.229.62':3128
'19#.#20.109.140':3128
'14#.#51.134.72':3128
'67.##2.16.41':3128
'20#.#6.200.105':3128
'78.##8.217.249':3128
'12#.#4.149.90':3128
'17#.#8.35.43':3128
'11#.#97.9.168':3128
'70.#2.7.63':3128
'18#.#5.41.129':3128
'98.##6.116.193':3128
'62.##.127.154':3128
'74.#2.3.50':3128
'84.##.138.149':3128
'86.##1.241.104':3128
'85.##.96.146':3128
'11#.#27.223.151':3128
'19#.#5.71.19':3128
'98.##2.155.238':3128
'84.#.160.87':3128
'24.##.179.129':3128
'12#.#38.120.91':3128
'98.##.129.111':3128
'17#.#70.168.179':3128
'72.##3.138.154':3128
'77.##2.161.101':3128
'89.##.129.35':3128
'12#.#59.241.52':3128
'13#.#43.186.16':3128
'18#.#0.127.194':3128
'78.##2.50.252':3128
'96.#0.52.44':3128
'86.##1.90.55':3128
'20#.#0.224.126':3128
'95.##4.95.34':3128
'12#.#38.106.113':3128
'96.#.160.38':3128
'17#.#1.136.65':3128
'12#.#44.227.211':3128
'59.#3.127.0':3128
'66.##1.37.201':3128
'21#.#64.96.55':3128
'70.##2.29.93':3128
'61.##.124.45':3128

Miscellaneous

Creates and executes the following

'C:\lsass.exe' exe <Full path to file>

Executes the following

'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "<Full path to file>"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней