Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Microsoft' = '%APPDATA%\svchosht.exe'
- %APPDATA%\svchosht.exe
- '0u###rground.pw':80
- http://0u###rground.pw/disp/inc/check_command.php?HW######################################################
- http://0u###rground.pw/disp/inc/check_command.php?HW###################################################################
- DNS ASK 0u###rground.pw
- '%APPDATA%\svchosht.exe'
- '%WINDIR%\syswow64\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d %APPDATA%\svchosht.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d %APPDATA%\svchosht.exe
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d %APPDATA%\svchosht.exe