Техническая информация
Для обеспечения автозапуска и распространения:
Модифицирует следующие ключи реестра:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '10636' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '28780' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '16970' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7170' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '12500' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '4962' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '15178' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '21218' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '19131' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7050' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '13090' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7642' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '8536' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '14576' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '2495' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '12465' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '20856' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '20616' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '16236' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '32276' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '17409' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '26657' = '<Полный путь к вирусу>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '9922' = '<Полный путь к вирусу>'
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Создает и запускает на исполнение:
- 'C:\lsass.exe' exe <Полный путь к вирусу>
Изменения в файловой системе:
Создает следующие файлы:
- C:\lsass.exe
Сетевая активность:
Подключается к:
- '98.##7.76.39':3128
- '76.##.255.216':3128
- '89.#30.7.8':3128
- '93.##6.69.125':3128
- '20#.#.244.138':3128
- '86.##0.115.204':3128
- '18#.#1.144.76':3128
- '75.##6.136.153':3128
- '20#.#88.255.90':3128
- '78.##5.212.85':3128
- '21#.#64.42.44':3128
- '19#.#4.71.80':3128
- '24.##7.89.206':3128
- '19#.#3.133.242':3128
- '75.#0.51.29':3128
- '11#.#96.231.29':3128
- '78.##4.167.218':3128
- '83.##.187.244':3128
- '20#.#07.17.200':3128
- '20#.#5.50.254':3128
- '93.##7.171.214':3128
- '86.##.43.217':3128
- '19#.#27.46.54':3128
- '89.##8.203.155':3128
- '59.#6.22.66':3128
- '91.##0.81.112':3128
- '69.#46.56.8':3128
- '82.##9.175.129':3128
- '82.#.116.130':3128
- '93.##3.160.115':3128
- '90.##4.242.192':3128
- '76.##.105.93':3128
- '95.##4.85.143':3128
- '21#.#0.223.161':3128
- '12#.#48.197.58':3128
- '88.##9.49.64':3128
- '19#.#6.117.112':3128
- '76.##2.51.168':3128
- '20#.#52.237.215':3128
- '20#.#66.48.225':3128
- '24.##3.29.121':3128
- '19#.#76.29.20':3128
- '66.##7.185.63':3128
- '59.##.171.20':3128
- '19#.#39.195.34':3128
- '68.#0.40.87':3128
- '12#.#46.145.254':3128
- '67.##.235.38':3128
- '71.##.238.33':3128
- '22#.#01.109.96':3128
- '69.##3.95.238':3128
- '78.##1.127.109':3128
- '58.#.102.200':3128
- '88.##4.26.113':3128
- '24.##9.78.97':3128
- '89.##9.117.154':3128
- '81.##.225.60':3128
- '82.##6.197.246':3128
- '62.##9.75.227':3128
- '24.##0.80.104':3128
- '19#.#07.199.171':3128
- '19#.#03.241.3':3128
- '21#.#12.143.52':3128
- '89.##5.38.55':3128
- '20#.#50.95.142':3128
- '60.##3.162.244':3128
- '19#.#1.187.41':3128
- '69.##8.93.65':3128
- '78.##.64.235':3128
- '89.##.78.188':3128
- '77.##4.232.9':3128
- '76.##5.90.250':3128
- '89.##.137.154':3128
- '85.##.151.70':3128
- '84.##0.152.209':3128
- '71.##.212.34':3128
- '98.##6.72.119':3128
- '84.##7.208.57':3128
- '77.##.158.250':3128
- '83.#49.1.15':3128
- '93.##3.94.37':3128
- '89.##9.53.120':3128
- '88.##0.53.190':3128
- '18#.#2.44.120':3128
- '20#.#3.34.104':3128
- '17#.#1.247.143':3128
- '81.##9.124.207':3128
- '89.##4.255.50':3128
- '18#.#.233.112':3128
- '82.##1.119.31':3128
- '86.##6.95.124':3128
- '18#.#16.147.32':3128
- '94.##.116.105':3128
- '18#.#3.51.72':3128
- '92.##3.208.9':3128
- '20#.#18.191.110':3128
- '78.#8.79.77':3128
- '12#.#25.43.74':3128
- '85.##0.99.70':3128
- '19#.#8.223.103':3128
- 'localhost':211
- '21#.#4.202.160':3128
- '24.##1.102.211':3128
- '68.##4.13.255':3128
- '20#.#9.85.133':3128
- '19#.#8.210.16':3128
- '70.#2.5.11':3128
- '82.##.217.36':3128
- '64.##3.161.53':3128
- '79.##3.166.33':3128
- '18#.#4.75.172':3128
- '76.##9.154.138':3128
- '87.##9.225.69':3128
- '86.#0.1.195':3128
- '19#.#58.29.252':3128
- '17#.#8.204.137':3128
- '14#.#55.208.208':3128
- '82.#6.53.41':3128
- '92.##.238.144':3128
- '19#.#8.118.85':3128
- '82.##8.111.38':3128
- '20#.#9.235.15':3128
- '12#.#36.83.240':3128
- '18#.#69.139.45':3128
- '94.##8.80.183':3128
- '19#.#55.195.10':3128
- '91.##5.111.5':3128
- '87.#26.4.45':3128
- '18#.#1.176.72':3128
- '59.#0.89.84':3128
- '71.##.168.60':3128
- '19#.#73.214.151':3128
- '76.#02.0.39':3128
- '12#.#08.35.213':3128
- '68.##.160.54':3128
- '62.##.232.185':3128
- '20#.#50.79.145':3128
- '67.##1.33.242':3128
- '84.##0.58.244':3128
- '20#.#0.249.80':3128
- '89.##.215.186':3128
- '11#.#3.163.121':3128
- '76.##9.22.244':3128
- '19#.#98.228.194':3128
- '89.##.151.97':3128
- '12#.#25.58.218':3128
- '20#.#09.22.28':3128
- '89.#1.14.35':3128
- '71.##9.84.249':3128
- '66.##.57.200':3128
- '84.##2.142.86':3128
- '76.##.121.193':3128
- '58.##0.197.34':3128
- '93.##.196.35':3128
- '89.##4.124.167':3128
- '24.##.236.149':3128
- '19#.#34.164.106':3128
- '89.#5.78.42':3128
- '91.##8.105.130':3128
- '89.##9.77.10':3128
- '24.##6.182.4':3128
- '78.#1.88.65':3128
- '69.##4.161.141':3128
- '82.##4.82.17':3128
- '68.#.158.80':3128
- '93.##.151.187':3128
- '18#.#5.38.90':3128
- '19#.#00.48.229':3128
- '12#.#25.239.5':3128
- '89.##0.102.138':3128
- '11#.#92.113.67':3128
- '83.##5.182.237':3128
- '79.##2.156.178':3128
- '12#.#62.126.58':3128
- '89.##.74.110':3128
- '19#.#74.132.206':3128
- '84.##6.114.36':3128
- '85.##7.163.31':3128
- '85.##2.150.153':3128
- '83.##8.120.143':3128
- '18#.#04.210.132':3128
- '17#.#3.137.56':3128
- '68.##.22.232':3128
- '20#.#6.184.66':3128
- '70.##.202.16':3128
- '88.##6.215.72':3128
- '86.#.42.240':3128
- '86.##.24.216':3128
- '21#.#7.194.93':3128
- '24.##0.126.55':3128
- '12#.#13.210.154':3128
- '19#.#8.66.135':3128
- '92.##.20.178':3128
- '67.##4.150.65':3128
- '59.##.226.144':3128
- '19#.#60.233.209':3128
- '18#.#4.122.214':3128
- '21#.#7.113.109':3128
- '66.##3.116.10':3128
- '77.##.210.89':3128
- '19#.#2.126.170':3128
- '69.##3.67.26':3128
- '88.##9.88.78':3128
- '67.##7.132.53':3128
- '94.##6.130.77':3128
- '75.##.31.100':3128
- '24.##6.72.236':3128
- '12#.#21.122.234':3128
- '62.##.48.147':3128
- '75.##.136.225':3128
- '89.##.175.228':3128
- '24.##.164.58':3128
- '20#.#52.57.139':3128
- '24.##0.177.144':3128
- '20#.#00.113.98':3128
- '20#.#2.65.25':3128
- '82.##0.97.85':3128
- '86.##5.139.55':3128
- '89.##.254.27':3128
- '93.##4.234.145':3128
- '98.##9.176.59':3128
- '82.##8.105.116':3128
- '18#.#1.15.103':3128
- '88.##6.28.72':3128
- '68.#.135.102':3128
- '86.##.31.153':3128
- '12#.#42.63.165':3128
- '79.##1.46.204':3128
- '69.##6.104.158':3128
- '20#.#33.74.43':3128
- '20#.#17.110.77':3128
- '69.#27.50.1':3128
- '24.##6.81.128':3128
- '69.##9.28.202':3128
- '98.##1.187.123':3128
- '71.##.48.242':3128
- '93.##3.32.100':3128
- '58.##7.93.218':3128
- '65.##8.188.110':3128
- '89.##.244.57':3128
- '77.##.95.149':3128
- '19#.#.30.167':3128
- '18#.#4.120.86':3128
- '20#.#11.90.244':3128
- '78.##.151.245':3128
- '20#.#82.8.131':3128
- '68.##.191.115':3128
- '84.##2.199.241':3128
- '85.##4.205.250':3128
- '24.##.175.131':3128
- '77.##.144.125':3128
- '77.##.127.218':3128
- '88.##2.13.223':3128
- '84.##6.44.157':3128
- '60.##.39.182':3128
- '82.#7.22.50':3128
- '21#.#3.230.189':3128
- '11#.#87.32.80':3128
- '79.##3.238.20':3128
- '88.##1.216.205':3128
- '82.##5.133.139':3128
- '87.##.73.159':3128
- '86.##4.139.99':3128
- '20#.#58.103.45':3128
- '24.##9.253.195':3128
- '15#.#00.77.172':3128
- '93.##2.155.128':3128
- '98.##6.112.110':3128
- '88.##3.25.155':3128
- '24.##5.240.184':3128
- '76.#1.6.130':3128
- '18#.#91.100.17':3128
- '98.##7.146.142':3128
- '67.##4.241.132':3128
- '19#.#88.228.143':3128
- '84.#1.31.91':3128
- '18#.#21.67.52':3128
- '18#.#8.145.237':3128
- '18#.#00.171.39':3128
- '19#.#54.3.142':3128
- '82.##3.204.63':3128
- '19#.#98.246.71':3128
- '19#.#10.200.218':3128
- '19#.#6.230.89':3128
- '11#.#61.77.101':3128
- '84.##1.203.233':3128
- '78.##.151.82':3128
- '21#.#25.167.43':3128
- '24.##5.68.75':3128
- '<IP-адрес в локальной сети>':80
- '12#.#58.105.39':3128
- '19#.#.102.219':3128
- '20#.#43.15.9':3128
- '19#.#01.24.168':3128
- '18#.#3.21.69':3128
- '85.##2.29.78':3128
- '62.##1.92.44':3128
- '12#.#37.118.248':3128
- '76.##.114.82':3128
- '24.##.107.125':3128
- '20#.#3.209.2':3128
- '24.##.241.223':3128
Другое:
Ищет следующие окна:
- ClassName: 'Indicator' WindowName: '(null)'
