Technical Information
- [<HKLM>\System\CurrentControlSet\Services\__xProtect__] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\__xProtect__] 'ImagePath' = '<Current directory>\841C.tmp'
- <SYSTEM32>\ruobid\services.exe
- nul
- <Current directory>\841c.tmp
- <Current directory>\841c.tmp
- DNS ASK d.###ocv.com
- '<SYSTEM32>\ruobid\services.exe'
- '<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 >nul&del/f/s/q "<Full path to file>" (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 >nul&del/f/s/q "<Full path to file>"
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 5