Technical Information
- <SYSTEM32>\tasks\svchost
- <SYSTEM32>\svchost.com
- %TEMP%\tmp1a15.tmp.bat
- nul
- 'ba##u.com':80
- 'he###yh.88ip.cn':81
- 'to##.chacuo.net':80
- http://he####h.88ip.cn:81/exp.txt via he###yh.88ip.cn
- http://to##.chacuo.net/cryptaes
- DNS ASK ba##u.com
- DNS ASK he###yh.88ip.cn
- DNS ASK to##.chacuo.net
- '<SYSTEM32>\svchost.com'
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"<SYSTEM32>\svchost.com"' & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"<SYSTEM32>\svchost.com"' & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc onlogon /rl highest /tn "svchost" /tr '"<SYSTEM32>\svchost.com"'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tmp1A15.tmp.bat""
- '<SYSTEM32>\timeout.exe' 3