We are getting a couple of alerts from servers that are creating a ps1 script in a temp directory under the appdata folder of the SolarWinds service account used to manage the servers. The file is flagged by malware/XDR server as a double extension. The alert shows an odd / randomly named file xxdwewe.doc.ps1. When we look for it, it is gone.
Is this typical of SolarWinds to fire off an oddly named ps1, execute its payload, then disappear?
Thanks!