Technical Information
- [<HKLM>\System\CurrentControlSet\Services\Jklmno] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Jklmno] 'ImagePath' = '%ProgramFiles(x86)%\WinRAP\xorvom.exe'
- %ProgramFiles(x86)%\winrap\xorvom.exe
- %ProgramFiles(x86)%\winrap\xorvom.exe
- from <Full path to file> to %WINDIR%\syswow64\1083843.bak
- 'xi#####ngwl.xxwl1.com':9998
- DNS ASK xi#####ngwl.xxwl1.com
- '%ProgramFiles(x86)%\winrap\xorvom.exe'
- '%ProgramFiles(x86)%\winrap\xorvom.exe' Win7
- '%WINDIR%\syswow64\attrib.exe' +h +s "%ProgramFiles(x86)%\WinRAP\xorvom.exe"' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +h +s "%ProgramFiles(x86)%\WinRAP"' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' +h +s "%ProgramFiles(x86)%\WinRAP\xorvom.exe"
- '%WINDIR%\syswow64\attrib.exe' +h +s "%ProgramFiles(x86)%\WinRAP"