Technical Information
- <SYSTEM32>\tasks\svchost
- Windows Defender
- %HOMEPATH%\documents\fed3401215766e6fc1d7ce1cd41181f4ee203551.txt
- from <Full path to file> to %TEMP%\0f1bebfb3af6a70b158f9dabb3972c43db142599.exe
- http://ip##fo.io/
- DNS ASK r-###lox.com
- DNS ASK ip##fo.io
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-MpPreference -verbose
- '<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "<Full path to file>" /rl HIGHEST /f