I can't seem to find any system files replaced, and the .exe was never executed. I'm running this in a test VM, but from what I can see, Defender signatures have been updated to block this prior to execution.
The exploit, from my reading, needs to be executed in order to do it's thing, but Defender isn't allowing it to be written to the filesystem on download.
What is Defender marking it as? I also wonder if they are just special casing this program and it would work again if the code was shuffled a bit or if it used the AMSI sig [0] instead of EICAR or if they actually fixed the problem.
