It is configured to run a PowerShell script with a similar-looking name: -File C:/Windows/System32/NvWinSearchOptimizer.ps1.
The PowerShell script downloads a payload from a remote server and executes it on the machine.
When the PowerShell script is finally executed, it adds registry values to force the installation of malicious extensions.

Doing so allows the script to hijack the default search, redirecting it from Bing or Google to the adversary's search portal.
It checks which version of the web app is installed and searches the bytes accordingly.
The ReasonLabs Research Team promptly alerted Google and Microsoft upon discovering the breach.
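
A defender-side audit for the two artefacts described above, as an added example that is not from the original report. It lists extensions force-installed through the standard Chrome and Edge ExtensionInstallForcelist policy keys (an assumption; the page does not name the registry values used) and scheduled tasks that launch a .ps1 from System32 with -File.

```powershell
# Added example: audit forced browser extensions and PowerShell-launching scheduled tasks.
# Assumption: forced installs go through the standard ExtensionInstallForcelist policy keys.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

$forced = foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Each value is "<extension id>;<update URL>"; the URL part is optional.
        $id, $url = ([string]$item.GetValue($name)) -split ';', 2
        [pscustomobject]@{
            PolicyKey   = $key
            ValueName   = $name
            ExtensionId = $id
            UpdateUrl   = $url
        }
    }
}

# Scheduled tasks whose action runs PowerShell with -File pointing at a
# script inside System32 (accepts both "\" and "/" as path separators).
$scriptPattern = '-File\s+"?[^"]*[\\/]System32[\\/][^"\\/]+\.ps1'
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-Exec actions have no Execute/Arguments; those compare as $null.
        if ($action.Execute -match 'powershell|pwsh' -and
            $action.Arguments -match $scriptPattern) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

# Review every row: on an unmanaged machine both lists are normally empty.
$forced | Format-Table -AutoSize
$tasks  | Format-List
```

Run it from an elevated prompt so that all scheduled tasks are visible; entries set by a legitimate enterprise policy will also appear and need to be compared against the organisation's own extension allowlist.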

