Technical Information
- <SYSTEM32>\svchost.exe
- %TEMP%\tmp1.tmp.vbs
- '<SYSTEM32>\wscript.exe' "%TEMP%\tmp1.tmp.vbs"
- '<SYSTEM32>\schtasks.exe' /create /sc onlogon /rl highest /tn svchost.exe /tr "<SYSTEM32>\svchost.exe' (with hidden window)
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\schtasks.exe' /create /sc onlogon /rl highest /tn svchost.exe /tr "<SYSTEM32>\svchost.exe