Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27959' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32040' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25412' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16196' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7137' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3024' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8374' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9767' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20878' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5497' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11794' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29104' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17849' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19531' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12083' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1070' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '135' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8187' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20045' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9236' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4477' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6275' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17615' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28862' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11781' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1860' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27813' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7048' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31203' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16685' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25080' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10991' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2404' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1673' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14008' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8773' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31594' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17288' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5268' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9164' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21630' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25250' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9984' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29869' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31649' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10473' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17662' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19340' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30472' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18337' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21872' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20135' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25267' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11148' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12457' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24073' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9279' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2017' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7524' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29308' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18176' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14845' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30051' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15707' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26274' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22348' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7379' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9176' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23483' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12227' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18669' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23271' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1516' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10388' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25696' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24966' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2922' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32065' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13187' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23640' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18681' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6903' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22089' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26419' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25484' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26908' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15401' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17946' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15635' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30353' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11739' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17246' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18898' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3054' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32155' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29019' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20092' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30238' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10689' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27022' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27294' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14441' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13995' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11360' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14284' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '262' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25569' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26806' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9997' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31824' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2982' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22246' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6317' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7813' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17071' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26674' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29682' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20551' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13531' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24099' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14683' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10545' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18452' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25641' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23241' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11275' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12614' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6088' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20394' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '509' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28446' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30689' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11577' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9797' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30727' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22680' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5178' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5208' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9605' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26070' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32512' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6045' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1371' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '31348' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21082' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12886' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26160' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '20249' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13090' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8561' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21142' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32746' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5395' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '160' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22982' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12036' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19646' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24490' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1558' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5195' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5726' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '19038' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '26559' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22421' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10732' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '950' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12487' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18741' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '4001' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18278' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '5038' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21282' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14110' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '21329' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23759' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '23814' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25973' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9550' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16378' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '347' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29338' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11492' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14598' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6015' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '12861' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '17415' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25183' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '3525' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '16854' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28157' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '22663' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32457' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '810' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '24345' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27583' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '32342' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '2493' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '28259' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '10715' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11106' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30804' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '8314' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '13651' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '14326' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '1299' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '7277' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '15074' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9682' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18380' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '18295' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '394' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29984' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '27855' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '9755' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '29091' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11637' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '11552' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '6631' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '25726' = '<Full path to file>'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '30243' = '<Full path to file>'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Modifies file system
Creates the following files
- C:\lsass.exe
Network activity
Connects to
- '68.#.126.57':3128
- '17#.#8.35.43':3128
- '24.##2.252.28':3128
- '78.##.214.156':3128
- '18#.#2.98.71':3128
- '71.##9.166.160':3128
- '84.##.83.186':3128
- '19#.#55.50.230':3128
- '17#.#9.75.254':3128
- '69.##2.7.227':3128
- '82.##2.182.2':3128
- '20#.#02.250.35':3128
- '99.##1.47.208':3128
- '98.##2.198.105':3128
- '75.##7.214.175':3128
- '19#.#83.141.237':3128
- '76.##.225.102':3128
- '98.##9.168.30':3128
- '19#.#7.191.6':3128
- '24.##5.78.240':3128
- '86.##5.38.81':3128
- '89.##0.101.12':3128
- '69.##.97.159':3128
- '87.##6.41.160':3128
- '21#.#0.236.113':3128
- '68.##.107.122':3128
- '86.#.83.146':3128
- '67.##.85.125':3128
- '12#.#5.232.238':3128
- '78.##.185.204':3128
- '97.##.127.98':3128
- '19#.#07.100.113':3128
- '68.##.236.251':3128
- '68.##8.147.89':3128
- '89.##.138.57':3128
- '76.##.104.44':3128
- '20#.#3.217.90':3128
- '68.##.149.126':3128
- '75.##.31.100':3128
- '67.##4.220.112':3128
- '67.##9.17.103':3128
- '71.#4.5.57':3128
- '69.##9.104.184':3128
- '18#.#22.70.184':3128
- '19#.#5.176.54':3128
- '17#.#3.42.110':3128
- '70.##.202.16':3128
- '24.##7.215.186':3128
- '70.##0.177.230':3128
- '85.##5.181.33':3128
- '67.##.130.224':3128
- '78.##8.217.249':3128
- '12#.#25.46.202':3128
- '84.#29.9.56':3128
- '89.##9.241.114':3128
- '86.##3.156.48':3128
- '68.##.101.133':3128
- '19#.#6.229.159':3128
- '17#.#4.229.40':3128
- '77.##7.57.153':3128
- '72.##.217.130':3128
- '76.##.109.29':3128
- '70.##7.16.20':3128
- '76.##9.232.242':3128
- '68.##.151.140':3128
- '96.##.244.113':3128
- '67.##1.33.242':3128
- '20#.#60.64.113':3128
- '99.##.240.249':3128
- '98.##5.197.124':3128
- '99.##4.147.140':3128
- '75.##2.23.43':3128
- '18#.#2.71.188':3128
- '84.#05.7.15':3128
- '20#.#27.146.45':3128
- '66.#5.0.227':3128
- '98.##3.71.96':3128
- '12#.#23.18.221':3128
- '24.##3.230.110':3128
- '84.##2.248.244':3128
- '98.##3.39.250':3128
- '20#.#26.1.96':3128
- '69.##8.255.138':3128
- '76.##3.107.219':3128
- '20#.#34.185.228':3128
- '88.##5.124.142':3128
- '17#.#3.166.97':3128
- '18#.#95.13.72':3128
- '18#.#6.81.14':3128
- '84.##.95.142':3128
- '67.##6.234.212':3128
- '72.##7.136.175':3128
- '20#.#7.241.135':3128
- '98.##4.52.22':3128
- '20#.#4.168.238':3128
- '67.#4.65.15':3128
- '12#.#5.187.217':3128
- '21#.#6.22.134':3128
- '19#.#5.114.223':3128
- '68.#9.41.25':3128
- '66.##3.117.18':3128
- '75.##.59.232':3128
- '67.##3.230.106':3128
- '66.##1.143.170':3128
- '24.##7.85.186':3128
- '71.##.64.153':3128
- '18#.#7.141.33':3128
- '19#.#54.169.248':3128
- '71.##.52.213':3128
- '24.##9.98.76':3128
- '74.##0.161.51':3128
- '67.#81.96.7':3128
- '72.##4.203.118':3128
- '69.##4.174.60':3128
- '18#.#21.96.94':3128
- '76.##6.240.76':3128
- '72.##1.98.235':3128
- '75.#.229.6':3128
- '69.##5.17.215':3128
- '75.#9.204.7':3128
- '75.##.211.11':3128
- '72.##3.138.154':3128
- '98.##2.167.49':3128
- '71.##9.66.247':3128
- '89.##6.51.138':3128
- '24.##8.150.43':3128
- '76.##7.169.76':3128
- '71.##2.142.211':3128
- '75.##8.112.97':3128
- '82.##.174.52':3128
- '24.##0.140.164':3128
- '17#.#.172.14':3128
- '93.##3.12.66':3128
- '19#.#20.221.51':3128
- '70.##7.41.15':3128
- '66.##1.37.201':3128
- '75.##.28.181':3128
- '69.##0.216.41':3128
- '98.##5.84.236':3128
- '98.##4.248.229':3128
- '65.##.101.80':3128
- '70.##4.165.173':3128
- '64.##3.11.11':3128
- '66.##7.23.73':3128
- '67.##3.196.25':3128
- '64.##4.111.243':3128
Miscellaneous
Creates and executes the following
- 'C:\lsass.exe' exe <Full path to file>
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
