Technical Information
- <SYSTEM32>\tasks\server
- %APPDATA%\schoolwork.exe
- %TEMP%\server.exe
- %APPDATA%\schoolwork.exe
- '%APPDATA%\schoolwork.exe'
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn Server /tr %LOCALAPPDATA%\Temp/Server.exe' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn Server /tr %LOCALAPPDATA%\Temp/Server.exe
- '<SYSTEM32>\taskeng.exe' {4249D7D3-E753-4010-B6E0-4192E779E4C3} S-1-5-21-1960123792-2022915161-3775307078-1001:soosoczff\user:Interactive:[1]