Technical Information (observed behaviour, in order: registry change to the Windows Firewall StandardProfile AuthorizedApplications list, files written, DNS lookup and port connection, window classes searched for, and commands executed — some with a hidden window)
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\CatRoot\4174\TpKmpSed.exe' = '<SYSTEM32>\CatRoot\4174\T...
- <SYSTEM32>\catroot\4174\tpkmpsed.exe
- %WINDIR%\syswow64\38c49c70b5.dll
- <SYSTEM32>\catroot\dgjmlcuemy.dll
- %WINDIR%\syswow64\cezsvlfqvdi.reg
- <Current directory>\$$306609.bat
- %WINDIR%\syswow64\cezsvlfqvdi.reg
- DNS ASK ud#.#job123.com
- 'ud#.#job123.com':31803
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- '%WINDIR%\syswow64\cacls.exe' "<SYSTEM32>\CatRoot" /t /e /g everyone:f' (with hidden window)
- '%WINDIR%\syswow64\explorer.exe' /e,<SYSTEM32>\CatRoot\4174\' (with hidden window)
- '%WINDIR%\syswow64\regedit.exe' /s "<SYSTEM32>\CEZSVLFQVDI.reg"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c <Current directory>\$$306609.bat' (with hidden window)
- '%WINDIR%\syswow64\cacls.exe' "<SYSTEM32>\CatRoot" /t /e /g everyone:f
- '%WINDIR%\syswow64\regsvr32.exe' /s <SYSTEM32>\CatRoot\dgjmlcuemy.dll
- '%WINDIR%\syswow64\explorer.exe' /e,<SYSTEM32>\CatRoot\4174\
- '%WINDIR%\syswow64\regedit.exe' /s "<SYSTEM32>\CEZSVLFQVDI.reg"
- '%WINDIR%\syswow64\cmd.exe' /c <Current directory>\$$306609.bat