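Technical Information
(Observed behavioral indicators: the entries below are file paths, network requests and executed command lines; the sub-headings that grouped them are missing on this page. `&startupname&` appears to be an unexpanded placeholder and `pa###bin.com` a partially masked domain, so neither should be used as a literal match value.)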
- %TEMP%\&startupname&.exe
- %TEMP%\tmp85cc.tmp
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %TEMP%\tmp85cc.tmp
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK pa###bin.com
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\&startupname&" /XML "%TEMP%\tmp85CC.tmp" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\jzdujb.exe"' & exit (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /TN "Updates\&startupname&" /XML "%TEMP%\tmp85CC.tmp"
- '%WINDIR%\syswow64\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\jzdujb.exe"' & exit
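- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\jzdujb.exe"'
Note: the dash before `ExecutionPolicy` in the PowerShell entries is rendered as an en dash (–), which may be a typographic artifact of this page. PowerShell accepts both the ASCII hyphen and the en dash as a parameter prefix, so detection rules for this command line should match either form.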