Technical Information
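- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'CompPkgSrv' = '%APPDATA%\winlogon.exe' (per-user autorun value; the legitimate winlogon.exe resides in the Windows system directory, not under %APPDATA%)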
- <SYSTEM32>\tasks\comppkgsrv
- %APPDATA%\winlogon.exe
- %APPDATA%\windowsfolder\winlogon.exe
- '%APPDATA%\windowsfolder\winlogon.exe'
- '%WINDIR%\syswow64\schtasks.exe' /create /sc MINUTE /mo 1 /tn "CompPkgSrv" /tr %APPDATA%\WindowsFolder\winlogon.exe /f (with hidden window)
- '%APPDATA%\windowsfolder\winlogon.exe' (with hidden window)
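- '%WINDIR%\syswow64\schtasks.exe' /create /sc MINUTE /mo 1 /tn "CompPkgSrv" /tr %APPDATA%\WindowsFolder\winlogon.exe /f (creates the scheduled task "CompPkgSrv", overwriting any existing task of that name, to run the %APPDATA% copy every minute)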
- '<SYSTEM32>\taskeng.exe' {C759314E-73E3-4887-8A79-7B9E146E8612} S-1-5-21-1960123792-2022915161-3775307078-1001:liuzsnx\user:Interactive:[1]