| K7 Detection Name | Affected OS | Prevalence | AV Definition Version |
|---|---|---|---|
| Trojan ( 004bc29f1 ) | Windows | Low | 12.226.55265 |
| MD5 | 03883e2ce8d80ead6cd30bda6eda3f03 |
| SHA256 | d8cf3bb51fb9e73198afda728be39c5a00bd1b65e1d4b83d7af3900a2326954f |
| File Size | 735,744 bytes |
| Packer Information | N/A |
| First Seen | 27-03-2025 |
| Last Seen | 09-04-2025 |
| Aliases | Win32/PassMa.D |
Behavior Details
1. Dropped files:
~DFEF5ADEDD90043568.TMP
03883e2ce8d80ead6cd3.dat.hwd
~DF21A82F61812F0B3A.TMP
Under the folder
C:\Users\
2. Dropped files:
SERVICEMGR.EXE
Under the folder
C:\Windows\System32
3. Dropped files:
SQMHelper
Under the folder
\Device\Afd
4. Creates Registry:
Adds registry data
\xbd\xb4\xd6\xcf\xed\xdf\xec\xed\xd6\xc4\xe9\xe2\xe8\xd6\xbb\xea\xea\xbe\xdb\xee\xdb\xd6\xc6\xe9\xdd\xdb\xe6\xd6\xce\xdf\xe7\xea\xd6\xaa\xad\xb2\xb2\xad\xdf\xac\xdd\xdf\xb2\xde\xb2\xaa\xdf\xdb\xde\xb0\xdd\xde\xad\xa8\xde\xdb\xee\xa8\xe2\xf1\xde
Under the key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Service Manager\Service Manager\\xb0\xac\xab\xb2
Adds registry data
6\xffbe\xffdf\xffee\xffdb\xffe3\xffe6\xffed\xff9a\xffe9\xffe0\xff9a\xffee\xffe2\xffdf\xff9a\xffe3\xffe8\xffe0\xffdf\xffe6\xffdd\xffee\xffdf\xffde\xff9a\xffdd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec\xffb466\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffbd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec\xff9a\xffc8\xffdb\xffe7\xffdf\xffb4\xff9a\xffc4\xffc9\xffc2\xffc8\xffa7\xffca\xffbd6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffca\xff9a\xffbb\xffde\xffde\xffec\xffdf\xffed\xffed\xffb4\xff9a\xffab\xffb3\xffac\xffa8\xffab\xffb0\xffb2\xffa8\xffab\xffac\xffac\xffa8\xffb2\xffab6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffbe\xffdb\xffee\xffdf\xffb4\xff9a\xffc0\xffec\xffe3\xffde\xffdb\xfff3\xffa6\xff9a\xffbb\xffea\xffec\xffe3\xffe6\xff9a\xffab\xffab\xffa6\xff9a\xffac\xffaa\xffac\xffaf6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffcf\xffed\xffdf\xffec\xff9a\xffc6\xffe9\xffe1\xffe1\xffdf\xffde\xffb4\xff9a\xffc4\xffe9\xffe2\xffe86\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffca\xffe6\xffdb\xffee\xffe0\xffe9\xffec\xffe7\xffb4\xff9a6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffd1\xffe3\xffe8\xffde\xffe9\xfff1\xffed\xff9a\xffd1\xffdb\xffed\xff9a\xffcc\xffef\xffe8\xffe8\xffe3\xffe8\xffe1\xff9a\xffc0\xffec\xffe9\xffe7\xffb4\xff9a\xffaa\xff9a\xffde\xffdb\xfff3\xffed\xffa6\xff9a\xffae\xff9a\xffe2\xffe9\xffef\xffec\xffed\xffa6\xff9a\xffae\xff9a\xffe7\xffe3\xffe8\xffef\xffee\xffdf\xffed6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffbc\xfff3\xff9a\xffce\xffe2\xffdf\xff9a\xffc0\xffe3\xffe6\xffdf\xffb4\xff9a\xffbd\xffb4\xffd6\xffcf\xffed\xffdf\xffec\xffed\xffd6\xffc4\xffe9\xffe2\xffe8\xffd6\xffbb\xffea\xffea\xffbe\xffdb\xffee\xffdb\xffd6\xffc6\xffe9\xffdd\xffdb\xffe6\xffd6\xffce\xffdf\xffe7\xffea\xffd6\xffaa\xffad\xffb2\xffb2\xffad\xffdf\xffac\xffdd\xffdf\xffb2\xffde\xffb2\xffaa\xffdf\xffdb\xffde\xffb0\xffdd\xffde\xffad\xffa8\xffde\xffdb\xffee\xffa8\xffdf\xfff2\xffdf666\xffce\xffe2\xffdb\xffe8\xffe5\xffed\xff9a\xffe0\xffe9\xffec\xff9a\xffef\xffed\xffe3\xffe8\xffe1\xff9a\xffca\xffdb\xffed\xffed\xfff1\xffe9\xffec\xffde\xff9a\xffc7\xffdb\xffe3\xffe6\xffdf\xffec\xffb5\xff9a\xffc3\xff9a\xffdb\xffe7\xff9a\xffdb\xffe6\xfff1\xffdb\xfff3\xffed\xff9a\xffdb\xfff0\xffdb\xffe3\xffe6\xffdb\xffdc\xffe6\xffdf\xff9a\xffdb\xffee\xff9a\xffe2\xffdb\xffec\xffde\xffd9\xfff1\xffe3\xffed\xffde\xffe9\xffe7\xffba\xfff3\xffdb\xffe2\xffe9\xffe9\xffa8\xffdd\xffe9\xffe7\xff9a\xffe0\xffe9\xffec\xff9a\xffdd\xffe9\xffe7\xffe7\xffdf\xffe8\xffee\xffed\xff9a\xffdb\xffe8\xffde\xff9a\xffed\xffef\xffe1\xffe1\xffdf\xffed\xffee\xffe3\xffe9\xffe8\xffed\xffa8
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Time Zones\PM\\xffad\xffac\xffaf\xffac\xffca\xffdb\xffed\xffed\xfff1\xffe9\xffec\xffde\xff9a\xffc7\xffdb\xffe3\xffe6\xffdf\xffec\xff9a\xffe3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffe8\xffdf\xfff1\xff9a\xffdd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec
Adds registry data
C:\Windows\system32\SERVICEMGR.EXE
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager
Adds registry data
Under the key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Service Manager\Service Manager\\xb2\xab\xb3\xad
Removal Instructions
1. Update the copy of K7 security to the latest version.
2. Scan the system completely and remove the detected files.
3. Open Windows registry editor.
4. Delete the registry data
\xbd\xb4\xd6\xcf\xed\xdf\xec\xed\xd6\xc4\xe9\xe2\xe8\xd6\xbb\xea\xea\xbe\xdb\xee\xdb\xd6\xc6\xe9\xdd\xdb\xe6\xd6\xce\xdf\xe7\xea\xd6\xaa\xad\xb2\xb2\xad\xdf\xac\xdd\xdf\xb2\xde\xb2\xaa\xdf\xdb\xde\xb0\xdd\xde\xad\xa8\xde\xdb\xee\xa8\xe2\xf1\xde
Under the key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Service Manager\Service Manager\\xb0\xac\xab\xb2
5. Delete the registry data
6\xffbe\xffdf\xffee\xffdb\xffe3\xffe6\xffed\xff9a\xffe9\xffe0\xff9a\xffee\xffe2\xffdf\xff9a\xffe3\xffe8\xffe0\xffdf\xffe6\xffdd\xffee\xffdf\xffde\xff9a\xffdd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec\xffb466\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffbd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec\xff9a\xffc8\xffdb\xffe7\xffdf\xffb4\xff9a\xffc4\xffc9\xffc2\xffc8\xffa7\xffca\xffbd6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffca\xff9a\xffbb\xffde\xffde\xffec\xffdf\xffed\xffed\xffb4\xff9a\xffab\xffb3\xffac\xffa8\xffab\xffb0\xffb2\xffa8\xffab\xffac\xffac\xffa8\xffb2\xffab6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffbe\xffdb\xffee\xffdf\xffb4\xff9a\xffc0\xffec\xffe3\xffde\xffdb\xfff3\xffa6\xff9a\xffbb\xffea\xffec\xffe3\xffe6\xff9a\xffab\xffab\xffa6\xff9a\xffac\xffaa\xffac\xffaf6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffcf\xffed\xffdf\xffec\xff9a\xffc6\xffe9\xffe1\xffe1\xffdf\xffde\xffb4\xff9a\xffc4\xffe9\xffe2\xffe86\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffca\xffe6\xffdb\xffee\xffe0\xffe9\xffec\xffe7\xffb4\xff9a6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffd1\xffe3\xffe8\xffde\xffe9\xfff1\xffed\xff9a\xffd1\xffdb\xffed\xff9a\xffcc\xffef\xffe8\xffe8\xffe3\xffe8\xffe1\xff9a\xffc0\xffec\xffe9\xffe7\xffb4\xff9a\xffaa\xff9a\xffde\xffdb\xfff3\xffed\xffa6\xff9a\xffae\xff9a\xffe2\xffe9\xffef\xffec\xffed\xffa6\xff9a\xffae\xff9a\xffe7\xffe3\xffe8\xffef\xffee\xffdf\xffed6\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xff9a\xffc3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffbc\xfff3\xff9a\xffce\xffe2\xffdf\xff9a\xffc0\xffe3\xffe6\xffdf\xffb4\xff9a\xffbd\xffb4\xffd6\xffcf\xffed\xffdf\xffec\xffed\xffd6\xffc4\xffe9\xffe2\xffe8\xffd6\xffbb\xffea\xffea\xffbe\xffdb\xffee\xffdb\xffd6\xffc6\xffe9\xffdd\xffdb\xffe6\xffd6\xffce\xffdf\xffe7\xffea\xffd6\xffaa\xffad\xffb2\xffb2\xffad\xffdf\xffac\xffdd\xffdf\xffb2\xffde\xffb2\xffaa\xffdf\xffdb\xffde\xffb0\xffdd\xffde\xffad\xffa8\xffde\xffdb\xffee\xffa8\xffdf\xfff2\xffdf666\xffce\xffe2\xffdb\xffe8\xffe5\xffed\xff9a\xffe0\xffe9\xffec\xff9a\xffef\xffed\xffe3\xffe8\xffe1\xff9a\xffca\xffdb\xffed\xffed\xfff1\xffe9\xffec\xffde\xff9a\xffc7\xffdb\xffe3\xffe6\xffdf\xffec\xffb5\xff9a\xffc3\xff9a\xffdb\xffe7\xff9a\xffdb\xffe6\xfff1\xffdb\xfff3\xffed\xff9a\xffdb\xfff0\xffdb\xffe3\xffe6\xffdb\xffdc\xffe6\xffdf\xff9a\xffdb\xffee\xff9a\xffe2\xffdb\xffec\xffde\xffd9\xfff1\xffe3\xffed\xffde\xffe9\xffe7\xffba\xfff3\xffdb\xffe2\xffe9\xffe9\xffa8\xffdd\xffe9\xffe7\xff9a\xffe0\xffe9\xffec\xff9a\xffdd\xffe9\xffe7\xffe7\xffdf\xffe8\xffee\xffed\xff9a\xffdb\xffe8\xffde\xff9a\xffed\xffef\xffe1\xffe1\xffdf\xffed\xffee\xffe3\xffe9\xffe8\xffed\xffa8
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Time Zones\PM\\xffad\xffac\xffaf\xffac\xffca\xffdb\xffed\xffed\xfff1\xffe9\xffec\xffde\xff9a\xffc7\xffdb\xffe3\xffe6\xffdf\xffec\xff9a\xffe3\xffe8\xffe0\xffe6\xffdf\xffdd\xffee\xffdf\xffde\xff9a\xffe8\xffdf\xfff1\xff9a\xffdd\xffe9\xffe7\xffea\xffef\xffee\xffdf\xffec
6. Delete the registry data
C:\Windows\system32\SERVICEMGR.EXE
Under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager
7. Delete the registry data
Under the key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Service Manager\Service Manager\\xb2\xab\xb3\xad
8. Close the Windows registry.
9. Restart the machine.