Technical Information
- <SYSTEM32>\tasks\test timetrigger
- %WINDIR%\temp\payload.exe
- 'google.com':80
- http://www.google.com/payload.exe
- DNS ASK google.com
- '<SYSTEM32>\notepad.exe' (with hidden window)
- '<SYSTEM32>\taskeng.exe' {F230A7C4-7DA5-4945-8FCD-092D1BD64F5E} S-1-5-21-1960123792-2022915161-3775307078-1001:tebhexqusni\user:Interactive:[1]
- '<SYSTEM32>\notepad.exe'