Technical Information
- <SYSTEM32>\tasks\<File name>
- %APPDATA%\<File name>.exe
- 'microsoft.com':80
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK microsoft.com
- '%APPDATA%\<File name>.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\' (with hidden window)
- '%APPDATA%\<File name>.exe' ' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
- '<SYSTEM32>\taskeng.exe' {047DFE45-8FE3-41BB-81C2-B142E56E4275} S-1-5-21-1960123792-2022915161-3775307078-1001:pclbujio\user:Interactive:[1]