Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsDefenderAutoUpdate' = 'regsvr32.exe /s "%ALLUSERSPROFILE%\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll"'
- %ALLUSERSPROFILE%\temp\6eba.tmp.bat
- %ALLUSERSPROFILE%\firmware\microsoft\windows\defender\autoupdate.dll
- %ALLUSERSPROFILE%\temp\72e0.tmp.bat
- 'fe###.p-e.kr':80
- http://fe###.p-e.kr//?m=#############
- http://fe###.p-e.kr//?m=#####################################################
- DNS ASK fe###.p-e.kr
- 'localhost':56024
- 'localhost':49936
- '%WINDIR%\syswow64\regsvr32.exe' /s "%ALLUSERSPROFILE%\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %ALLUSERSPROFILE%\temp\6EBA.tmp.bat
- '%WINDIR%\syswow64\cmd.exe' /c %ALLUSERSPROFILE%\temp\72E0.tmp.bat
- '%WINDIR%\syswow64\regsvr32.exe' /s "%ALLUSERSPROFILE%\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll"