Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'winhost' = '%TEMP%\wihost\wihost.exe'
- %WINDIR%\microsoft.net\framework\v4.0.30319\msbuild.exe
- %TEMP%\wihost\wihost.exe
- DNS ASK wi####aservice.club
- '%TEMP%\wihost\wihost.exe'
- '%WINDIR%\microsoft.net\framework\v4.0.30319\msbuild.exe'