Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\CRMSvc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\CRMSvc] 'ImagePath' = '"%APPDATA%\CRMSvc\CRMSvc.exe"'
- '' (downloaded from the Internet)
- %APPDATA%\CRMSvc\CRMSvc.exe
- %APPDATA%\CRMSvc\CRMSvc.InstallLog
- %APPDATA%\CRMSvc\CRMSvc.InstallState
- %APPDATA%\CRMSvc\7z.exe
- %APPDATA%\CRMSvc\CRMSvc.InstallLog
- %APPDATA%\CRMSvc\CRMSvc.InstallState
- %APPDATA%\CRMSvc\7z.exe
- 'wp#d':80
- '17#.9.8.183':2247
- '88.##8.58.40':2247
- '7-##p.org':80
- '17#.#.118.173':2247
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.7-##p.org/a/7z1604.exe via 7-##p.org
- DNS ASK wp#d
- DNS ASK www.7-##p.org
- '%APPDATA%\CRMSvc\CRMSvc.exe' --install
- '%APPDATA%\CRMSvc\CRMSvc.exe'
- '%APPDATA%\CRMSvc\7z.exe' /S
- '<SYSTEM32>\sc.exe' failure "CRMSvc" reset= 2 actions= restart/10000