Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsStart' = '%TEMP%\WindowsStart.exe'
- %TEMP%\windows10.cmd
- %TEMP%\windowsstart.exe
- nul
- 'bi##naj.xyz':80
- http://www.bi##naj.xyz/GhostWindows/Windows10.cmd
- http://www.bi##naj.xyz/GhostWindows/WindowsStart.exe
- DNS ASK bi##naj.xyz
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\Windows10.cmd" (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\Windows10.cmd"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\cacls.exe' "<SYSTEM32>\config\system"
- '<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
- '<SYSTEM32>\findstr.exe' /c:Defender