Technical Information
- [HKLM\System\CurrentControlSet\Services\Ghijkl] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\Ghijkl] 'ImagePath' = '%WINDIR%\svchost.exe'
- 'Ghijkl' %WINDIR%\svchost.exe
- %WINDIR%\svchost.exe
- from <Full path to file> to %WINDIR%\syswow64\1120040.bak
- 'xi######.e1.luyouxia.net':22810
- DNS ASK xi######.e1.luyouxia.net
- '%WINDIR%\svchost.exe'
- '%WINDIR%\svchost.exe' Win7