Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '3661' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '4496' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28637' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14199' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20482' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5388' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22671' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14232' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28889' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5776' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '31182' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15920' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15211' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14416' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '6989' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '29429' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '26263' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23955' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '3671' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '24039' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16476' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '25100' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '554' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '21446' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '31941' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '13915' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '24411' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16104' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '24123' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14704' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '18966' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23567' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '11622' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '19690' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22419' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '11150' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15832' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '32275' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '9330' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '1734' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '4227' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28368' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5185' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14872' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15548' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '12230' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22438' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '690' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16880' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '17637' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16188' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7965' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2323' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5744' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5036' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20886' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14235' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '635' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '6517' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '26917' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23079' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23211' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22555' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '4868' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '30270' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '19001' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23683' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7358' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '17181' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '182' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '9585' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '24327' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '11522' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '12347' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '29853' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '1227' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '27780' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7257' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '26904' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '12447' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '31418' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16440' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16020' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '10662' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23447' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '9482' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '19205' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20298' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '32226' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28824' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15732' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28602' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22118' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '18005' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '6717' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '31822' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '131' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20178' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '26396' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '13003' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '18801' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '3956' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '4379' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '9349' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '8337' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '82' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15933' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22151' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '5152' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14555' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '13443' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '30053' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '13407' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '3587' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '19438' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2711' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '17265' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '535' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14604' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '11351' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '1867' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '3923' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '21226' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '32242' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '19810' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '25083' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '22251' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2187' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20366' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '11910' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '18209' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '16068' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28941' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '25539' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28336' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '166' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '21898' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '15683' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '27929' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14807' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '351' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '9314' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '29969' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '23583' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '32261' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '79' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '302' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14048' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '20078' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '6956' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '28873' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '1463' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2135' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2811' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7746' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '2003' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '21714' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '8169' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '17200' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '8201' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '27660' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '13727' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '27056' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '24543' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7309' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '7833' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '25471' = '<Full path to file>'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] '14875' = '<Full path to file>'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Launches a large number of processes
Modifies file system
Creates the following files
- C:\lsass.exe
Network activity
Connects to
- '20#.#.248.23':3128
- '19#.#00.127.181':3128
- '78.##9.155.137':3128
- '11#.#8.139.118':3128
- '94.##4.174.254':3128
- '62.##4.195.193':3128
- '85.##9.20.156':3128
- '11#.#99.146.102':3128
- '19#.#3.242.109':3128
- '89.##.246.84':3128
- '12#.#28.106.129':3128
- '78.##.133.132':3128
- '85.##9.187.133':3128
- '21#.#4.123.70':3128
- '22#.#24.41.146':3128
- '84.#.71.30':3128
- '20#.#3.114.7':3128
- '93.##.193.55':3128
- '19#.#76.162.5':3128
- '20#.#23.41.129':3128
- '94.##8.152.39':3128
- '20#.#7.20.83':3128
- '89.#5.139.1':3128
- '18#.#7.111.72':3128
- '12#.#91.182.173':3128
- '19#.#.155.48':3128
- '83.#0.97.97':3128
- '93.#24.2.97':3128
- '19#.#4.220.15':3128
- '12#.#1.184.250':3128
- '77.##3.26.136':3128
- '79.##6.164.225':3128
- '19#.#34.211.56':3128
- '94.##.203.26':3128
- '19#.#.79.100':3128
- '20#.#2.11.146':3128
- '18#.#7.59.110':3128
- '18#.#0.208.211':3128
- '88.##8.120.214':3128
- '91.##2.4.248':3128
- '21#.#8.149.84':3128
- '85.##6.176.201':3128
- '19#.#34.1.67':3128
- '11#.#13.22.187':3128
- '19#.#82.30.103':3128
- '85.##9.16.99':3128
- '12#.#4.59.216':3128
- '11#.#99.148.78':3128
- '20#.#9.20.133':3128
- '85.##.224.252':3128
- '18#.#.36.108':3128
- '79.#6.4.99':3128
- '79.##.240.175':3128
- '88.##5.182.166':3128
- '19#.#3.10.79':3128
- '62.##2.112.12':3128
- '18#.#4.63.112':3128
- '79.##4.202.38':3128
- '64.##0.229.40':3128
- '61.#0.81.13':3128
- '89.##9.21.192':3128
- '19#.#0.84.31':3128
- '18#.#6.169.219':3128
- '12#.#06.255.217':3128
- '79.##5.21.227':3128
- '91.##7.130.29':3128
- '91.##2.90.170':3128
- '11#.#36.223.196':3128
- '19#.#01.93.46':3128
- '94.##.173.222':3128
- '94.##0.208.165':3128
- '11#.#01.19.203':3128
- '18#.#1.74.93':3128
- '93.##3.95.191':3128
- '12#.#32.73.123':3128
- '88.##2.237.107':3128
- '18#.#6.120.31':3128
- '86.##0.41.120':3128
- '89.##0.28.62':3128
- '20#.#23.74.180':3128
- '12#.#3.20.254':3128
- '11#.#3.74.207':3128
- '92.##6.221.130':3128
- '92.#7.64.55':3128
- '20#.#9.58.250':3128
- '58.##6.227.116':3128
- '89.##8.131.191':3128
- '21#.#1.25.37':3128
- '94.##0.216.118':3128
- '19#.#06.209.5':3128
- '19#.#35.48.88':3128
- '11#.#6.91.70':3128
- '87.##6.191.217':3128
- '11#.#4.66.38':3128
- '21#.#33.6.15':3128
- '19#.#73.79.66':3128
- '84.##4.56.43':3128
- '18#.#1.248.183':3128
- '20#.#8.194.138':3128
- '18#.#18.172.88':3128
- '19#.#4.215.53':3128
- '18#.#2.186.157':3128
- '83.##3.155.241':3128
- '21#.#72.59.92':3128
- '20#.#77.48.147':3128
- '59.##1.151.206':3128
- '21#.#6.153.91':3128
- '78.##.155.183':3128
- '78.##9.163.20':3128
- '78.##9.133.67':3128
- '83.##.125.106':3128
- '20#.#5.217.64':3128
- '20#.#99.185.107':3128
- '11#.#32.226.198':3128
- '81.##2.240.126':3128
- '18#.#.111.59':3128
- '11#.#54.59.152':3128
- '85.##0.173.16':3128
- '59.##.51.209':3128
- '20#.#3.242.100':3128
- '85.##4.142.238':3128
- '19#.#1.111.111':3128
- '60.##4.210.16':3128
- '83.#.148.7':3128
- '11#.#1.31.111':3128
- '83.##.218.174':3128
- '12#.#07.84.203':3128
- '11#.#4.156.109':3128
- '19#.#76.153.80':3128
- '78.##0.239.197':3128
- '19#.#0.145.212':3128
- '84.#8.99.19':3128
- '84.##9.88.192':3128
- '20#.#4.165.145':3128
- '11#.#8.25.127':3128
- '89.##9.108.23':3128
- '85.##9.168.84':3128
- '20#.#2.49.176':3128
- '92.#3.2.35':3128
- '77.##3.252.67':3128
- '88.##9.160.200':3128
- '62.#.182.252':3128
- '78.##.207.38':3128
- '85.##4.188.57':3128
- '95.##.135.33':3128
- '21#.#08.255.212':3128
- '11#.#74.125.241':3128
- '59.##.128.219':3128
- '19#.#74.17.4':3128
- '66.##7.70.71':3128
Miscellaneous
Creates and executes the following
- 'C:\lsass.exe' exe <Full path to file>
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
