Technical Information (artifacts observed during sandbox execution of the sample; the registry values, file paths, firewall rule and remote host listed below can be used as indicators of compromise)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'a486f544a7acc1db8861e855401cbf24' = '"%TEMP%\svhost.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'a486f544a7acc1db8861e855401cbf24' = '"%TEMP%\svhost.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\a486f544a7acc1db8861e855401cbf24.exe
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\svhost.exe" "svhost.exe" ENABLE (adds a Windows Firewall exception for the dropped %TEMP%\svhost.exe payload so its network traffic is not blocked)
- <Current directory>\123.sfx.exe
- <Current directory>\start.bat
- C:\123.exe
- %TEMP%\svhost.exe
- C:\123.exe
- %TEMP%\svhost.exe
- 'qw########2345-29262.portmap.host':29262
- DNS ASK qw########2345-29262.portmap.host
- ClassName: 'EDIT' WindowName: ''
- '<Current directory>\123.sfx.exe' -p5435453435435454 -dc:/ %LOCALAPPDATA%\Temp
- 'C:\123.exe'
- '%TEMP%\svhost.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\svhost.exe" "svhost.exe" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\start.bat" "