Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'scvhost.exe' = '"%APPDATA%\scvhost.exe" ..'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'scvhost.exe' = '"%APPDATA%\scvhost.exe" ..'
- hidden files
- %APPDATA%\scvhost.exe
- 'localhost':1989
- '%APPDATA%\scvhost.exe'
- '<SYSTEM32>\schtasks.exe' /Delete /tn NYAN /F
- '<SYSTEM32>\schtasks.exe' /create /tn NYAN /tr "<Full path to file>" /sc minute /mo 1
- '<SYSTEM32>\schtasks.exe' /create /tn NYAN /tr "%APPDATA%\scvhost.exe" /sc minute /mo 1