Technical Information
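Registry values for the Messenger service (ServiceDll points the service at chqean.dll; a Start value of 2 means automatic start):
- [<HKLM>\SYSTEM\ControlSet001\Services\Messenger\Parameters] 'ServiceDll' = '<SYSTEM32>\chqean.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\Messenger] 'Start' = '00000002'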
- %TEMP%\1.tmp
- %TEMP%\RCX2.tmp
- %TEMP%\1.tmp
- <Full path to file>
- File moved: from %TEMP%\1.tmp to <SYSTEM32>\chqean.dll
- %TEMP%\1.tmp
Processes and command lines observed (the ServiceDll value is written with reg add, %TEMP%\1.tmp is moved to <SYSTEM32>\chqean.dll, and the file at <Full path to file> is deleted after a short ping delay):
- '<SYSTEM32>\cmd.exe' reg add HKLM\SYSTEM\CurrentControlSet\services\Messenger\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%SystemRoot^%\system32\chqean.dll /f
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\services\Messenger\Parameters /v ServiceDll /t REG_EXPAND_SZ /d <SYSTEM32>\chqean.dll /f
- '<SYSTEM32>\cmd.exe' move /Y "%TEMP%\1.tmp" "<SYSTEM32>\chqean.dll"
- '<SYSTEM32>\svchost.exe' -k netsvcs
- '<SYSTEM32>\cmd.exe' ping localhost -n 3 > nul & del "<Full path to file>"
- '<SYSTEM32>\ping.exe' localhost -n 3