Technical Information
- Autorun registry value (per-user persistence): [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svechosts' = '%APPDATA%\svechosts.exe'
- Scheduled task file: <SYSTEM32>\tasks\svechosts
- <PATH_SAMPLE>.bmp
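- %APPDATA%\svechosts.exe (the file name resembles the legitimate svchost.exe, which resides in the Windows system directory, not in %APPDATA%)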
- <Current directory>\cdhnjo.bat
- nul
- <Current directory>\cdhnjo.bat
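- DNS ASK ni##.pk-gov.org (DNS lookup; the '##' is reproduced as it appears in the report, so the full hostname is not shown here)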
- '%APPDATA%\svechosts.exe'
- '%APPDATA%\svechosts.exe' (with hidden window)
- '%WINDIR%\syswow64\explorer.exe' <File name>.bmp
- '%WINDIR%\syswow64\cmd.exe' /c cdhnjo.bat > nul
- '%WINDIR%\syswow64\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v svechosts /t REG_SZ /d %APPDATA%\svechosts.exe /f (sets the per-user Run value so the executable starts at logon)
- '%WINDIR%\syswow64\schtasks.exe' /CREATE /SC Minute /MO 1 /TR %APPDATA%\svechosts.exe /TN svechosts /F (creates a scheduled task named svechosts that starts the executable every minute)
- '<SYSTEM32>\taskeng.exe' {4CFC656E-8DA8-42F5-BEF6-2831299FEB2F} S-1-5-21-1960123792-2022915161-3775307078-1001:wnibhkjwrjlf\user:Interactive:[1]