Technical Information
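Autorun persistence: values added to the 32-bit view (Wow6432Node) of the HKLM Run key, with numeric value names, each pointing to the sample's own path:
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6436' = '<Full path to file>'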
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18041' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28101' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31268' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14306' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '120' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30258' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32099' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27617' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12895' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13317' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12169' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16546' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6139' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3130' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '605' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4741' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15904' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12117' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7897' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1331' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5361' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10559' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14590' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18756' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14032' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19777' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32246' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4215' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32416' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28437' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25271' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24702' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4088' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15579' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17104' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6203' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25617' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9812' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15547' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7981' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23450' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9002' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11527' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11833' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3582' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13065' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2582' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18357' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31374' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18136' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19556' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25238' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20850' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7477' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22418' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18461' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27701' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11001' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19314' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23575' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25113' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8939' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3920' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15232' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19388' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28933' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27901' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24986' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30184' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1447' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5613' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '889' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23050' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1488' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14116' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26311' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25312' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5540' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23545' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '553' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23965' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24924' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8528' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11402' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8181' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13685' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15663' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12095' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5865' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9286' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5413' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11843' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9034' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7802' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13696' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4045' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16662' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17621' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1225' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4099' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '878' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6382' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8360' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31331' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1983' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14905' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22492' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25154' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16337' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1731' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30721' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25891' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25344' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23082' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24450' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22207' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19745' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4793' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18957' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2151' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32520' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20619' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31794' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17326' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6371' = '<Full path to file>'
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1762' = '<Full path to file>'
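Firewall tampering: the following value is set to 0, which turns off Windows Firewall for the standard profile:
- [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'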
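File system: file listed without its original section label on this page (presumably created by the sample). The genuine Windows lsass.exe resides in <SYSTEM32>, so a file of that name in the drive root is a masquerading indicator:
- C:\lsass.exe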
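Network activity: remote endpoints on port 3128, a port commonly used by HTTP proxy services. The source masks part of each address with '#', so these entries cannot be matched exactly against logs:
- '18#.38.12.7':3128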
- '21#.#11.7.46':3128
- '18#.#24.192.162':3128
- '18#.#9.51.101':3128
- '19#.#06.207.129':3128
- '20#.#04.61.163':3128
- '93.##6.164.15':3128
- '12#.#63.192.179':3128
- '11#.#01.88.140':3128
- '18#.#1.246.93':3128
- '95.##.138.75':3128
- '59.##.219.86':3128
- '11#.#00.149.122':3128
- '18#.#3.76.103':3128
- '17#.#14.141.115':3128
- '20#.#4.167.210':3128
- '20#.#1.57.28':3128
- '12#.#23.52.252':3128
- '18#.#4.29.249':3128
- '95.##.160.188':3128
- '18#.#1.31.181':3128
- '20#.#71.232.97':3128
- '18#.#7.22.100':3128
- '12#.#46.253.2':3128
- '11#.#8.98.95':3128
- '11#.255.8.9':3128
- '22#.#40.172.39':3128
- '14#.#04.124.24':3128
- '18#.#7.200.60':3128
- '11#.#02.122.28':3128
- '11#.#3.192.166':3128
- '12#.#3.198.15':3128
- '11#.#6.40.57':3128
- '18#.7.94.54':3128
- '12#.#37.97.146':3128
- '12#.#23.11.118':3128
- '18#.#0.40.87':3128
- '20#.#07.35.241':3128
- '59.##9.124.233':3128
- '11#.#31.74.125':3128
- '12#.#0.96.178':3128
- '20#.#3.144.53':3128
- '11#.33.8.26':3128
- '21#.#90.160.167':3128
- '18#.#7.142.121':3128
- '11#.#52.28.188':3128
- '60.#1.70.55':3128
- '22#.#19.194.30':3128
- '78.##.36.197':3128
- '11#.#03.23.197':3128
- '20#.#2.248.61':3128
- '89.##8.47.21':3128
- '20#.#64.56.208':3128
- '12#.#38.21.106':3128
- '18#.#3.238.236':3128
- '11#.#1.189.210':3128
- '19#.#6.103.166':3128
- '11#.#07.55.150':3128
- '11#.#42.120.219':3128
- '11#.#09.19.150':3128
- '20#.#0.130.223':3128
- '20#.#15.142.162':3128
- '20#.#0.239.187':3128
- '11#.#3.64.93':3128
- '20#.#3.113.241':3128
- '14#.#04.124.23':3128
- '19#.#46.111.205':3128
- '12#.#31.206.186':3128
- '84.##8.31.133':3128
- '18#.#23.57.198':3128
- '89.##.14.170':3128
- '20#.#7.108.246':3128
- '21#.#7.11.80':3128
- '22#.8.2.169':3128
- '12#.#68.106.29':3128
- '18#.#0.243.228':3128
- '18#.#.93.196':3128
- '12#.#40.225.118':3128
- '20#.#3.36.182':3128
- '60.##.255.146':3128
- '11#.#3.139.254':3128
- '20#.#8.140.156':3128
- '20#.#68.75.165':3128
- '18#.#.45.211':3128
- '96.##.38.195':3128
- '78.#1.14.73':3128
- '95.##2.122.96':3128
- '18#.#10.101.88':3128
- '77.##.42.250':3128
- '91.#3.85.60':3128
- '11#.#23.157.70':3128
- '20#.#1.44.191':3128
- '20#.#7.107.67':3128
- '12#.#36.66.98':3128
- '22#.#93.88.126':3128
- '20#.#7.35.183':3128
- '18#.#5.158.131':3128
- '62.##3.165.20':3128
- '18#.#22.170.185':3128
- '81.##0.203.100':3128
- '18#.#.255.99':3128
- '60.##.209.171':3128
- '21#.#19.163.23':3128
- '21#.#14.165.169':3128
- '19#.#59.2.34':3128
- '81.##.243.145':3128
- '12#.#81.147.30':3128
- '11#.#1.67.87':3128
- '78.##5.60.199':3128
- '20#.#.234.158':3128
- '19#.#17.204.203':3128
- '12#.#33.47.15':3128
- '18#.87.40.3':3128
- '20#.#36.37.98':3128
- '84.##8.195.134':3128
- '21#.#42.178.34':3128
- '20#.#33.48.28':3128
- '61.##.128.107':3128
- '20#.#3.255.23':3128
- '22#.#32.143.85':3128
- '11#.#3.69.214':3128
- '18#.#0.187.211':3128
- '11#.#02.48.63':3128
- '18#.60.8.54':3128
- '20#.#0.122.9':3128
- '89.#6.211.4':3128
- '93.##3.11.83':3128
- '18#.#4.86.49':3128
- '21#.#28.249.73':3128
- '20#.#1.165.65':3128
- '20#.#0.137.99':3128
- '18#.63.33.3':3128
- '18#.#.106.73':3128
- '59.##.160.65':3128
- '18#.#.249.129':3128
- '11#.#32.57.204':3128
- '60.##3.181.254':3128
- '12#.#37.91.242':3128
- '12#.#23.12.27':3128
- '85.##6.151.9':3128
- '61.##.254.248':3128
- '20#.#7.218.71':3128
- '78.##.179.73':3128
- '18#.#1.175.231':3128
- '18#.#02.116.23':3128
- '12#.#22.234.20':3128
- '61.##.227.120':3128
- '11#.#0.162.126':3128
- '18#.#1.140.149':3128
- '20#.#3.107.227':3128
- '18#.#.228.52':3128
- '20#.#2.71.64':3128
- '58.##.181.254':3128
- '12#.#4.156.168':3128
- '11#.#98.20.178':3128
- '12#.#23.209.183':3128
- '11#.#00.122.24':3128
- '22#.#75.158.45':3128
- '19#.#9.198.35':3128
- '59.##4.19.253':3128
- '77.##5.4.186':3128
- '18#.#5.82.186':3128
- '18#.#11.209.170':3128
Process activity: command lines recorded during execution:
- 'C:\lsass.exe' exe <Full path to file>
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"