Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\svchost.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\EDriver32.sys] 'ImagePath' = '%WINDIR%\EDriver32.sys'
- User Account Control (UAC)
- %WINDIR%\AutoMssql.exe
- %WINDIR%\XiaoBa.exe
- %WINDIR%\svchost.exe
- %WINDIR%\EDriver32.sys
- %WINDIR%\wininit\winin1t.exe
- %WINDIR%\wininit\config.json
- %WINDIR%\csrss.exe
- '11#.#15.146.121':8080
- ClassName: 'EDIT' WindowName: ''
- '%WINDIR%\AutoMssql.exe'
- '%WINDIR%\XiaoBa.exe'
- '%WINDIR%\svchost.exe'
- '<SYSTEM32>\cmd.exe' /c cmd.exe /c SCHTASKS /Create /SC ONLOGON /TN svchost /TR %WINDIR%\svchost.exe /F
- '<SYSTEM32>\cmd.exe' /c SCHTASKS /Create /SC ONLOGON /TN svchost /TR %WINDIR%\svchost.exe /F
- '<SYSTEM32>\schtasks.exe' /Create /SC ONLOGON /TN svchost /TR %WINDIR%\svchost.exe /F