Technical Information (dynamic-analysis artifacts, listed in the order the sandbox reported them: autorun values written under the 32-bit Wow6432Node HKLM Run key, scheduled-task definitions created under <SYSTEM32>\tasks, file paths observed during execution, network indicators — DNS lookups and TCP 443 connections to two masked hostnames, plus localhost:123 which presumably comes from the w32tm /stripchart calls — and the command lines executed). Note for detection and response: every persisted copy borrows the name of a legitimate Windows component (csrss, lsass, lsm, services, spoolsv, dwm, wininit, taskhost, WmiPrvSE, audiodg, sppsvc, msiexec, WUDFHost) but sits in a non-standard directory, and each one is additionally registered via schtasks as an ONLOGON task with /rl HIGHEST /f, so removing only the Run values leaves the tasks in place; hunt and clean on the full path and task name, not on the image name alone.
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"<SYSTEM32>\ndadmin\csrss.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lsm' = '"C:\Far2\Documentation\eng\lsm.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'taskhost' = '"<SYSTEM32>\olecli32\taskhost.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'taskhost' = '"<SYSTEM32>\taskmgr\taskhost.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"%HOMEPATH%\AppData\<File name>.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'System' = '"C:\totalcmd\LANGUAGE\System.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'audiodg' = '"%WINDIR%\system\audiodg.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'services' = '"C:\PerfLogs\Admin\services.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'WmiPrvSE' = '"<SYSTEM32>\wbem\authfwcfg\WmiPrvSE.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\iexplore\iexplore.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"<Current directory>\lsass.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\ExtExport\iexplore.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'WUDFHost' = '"%HOMEPATH%\Application Data\WUDFHost.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"C:\Documents and Settings\spoolsv.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"<SYSTEM32>\dhcpcmonitor\dwm.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'firefox' = '"%ProgramFiles(x86)%\Mozilla Firefox\xul\firefox.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"<SYSTEM32>\WMVDECOD\lsass.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\totalcmd\LANGUAGE\wininit.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'msiexec' = '"C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\msiexec.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'sppsvc' = '"<Current directory>\sppsvc.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'WmiPrvSE' = '"<SYSTEM32>\wbem\WMIC\WmiPrvSE.exe"'
- <SYSTEM32>\tasks\csrss
- <SYSTEM32>\tasks\<File name>
- <SYSTEM32>\tasks\system
- <SYSTEM32>\tasks\audiodg
- <SYSTEM32>\tasks\services
- <SYSTEM32>\tasks\wmiprvse
- <SYSTEM32>\tasks\sppsvc
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\spoolsv
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\firefox
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\msiexec
- <SYSTEM32>\tasks\wudfhost
- <SYSTEM32>\tasks\lsm
- system.exe
- %WINDIR%\syswow64\ndadmin\csrss.exe
- C:\perflogs\admin\services.exe
- C:\perflogs\admin\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
- %WINDIR%\system\audiodg.exe
- %WINDIR%\system\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af
- C:\totalcmd\language\system.exe
- C:\totalcmd\language\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a
- %HOMEPATH%\appdata\<File name>.exe
- %HOMEPATH%\appdata\abff3bae6290069b3244f3aabd7441c3d96d3c74
- %WINDIR%\syswow64\taskmgr\taskhost.exe
- %WINDIR%\syswow64\taskmgr\b75386f1303e64d8139363b71e44ac16341adf4e
- %WINDIR%\syswow64\olecli32\taskhost.exe
- %WINDIR%\syswow64\olecli32\b75386f1303e64d8139363b71e44ac16341adf4e
- C:\far2\documentation\eng\lsm.exe
- C:\far2\documentation\eng\101b941d020240259ca4912829b53995ad543df6
- %ProgramFiles(x86)%\internet explorer\iexplore\iexplore.exe
- %ProgramFiles(x86)%\internet explorer\iexplore\9db6e019d4f04ef534d0f91b3462d805c40e9d20
- %WINDIR%\syswow64\wbem\wmic\wmiprvse.exe
- %WINDIR%\syswow64\wbem\wmic\24dbde2999530ef5fd907494bc374d663924116c
- %TEMP%\krjxubaxhs
- %WINDIR%\syswow64\wbem\authfwcfg\24dbde2999530ef5fd907494bc374d663924116c
- %TEMP%\dzibf6bevp.bat
- %WINDIR%\syswow64\wbem\authfwcfg\wmiprvse.exe
- <Current directory>\lsass.exe
- %WINDIR%\syswow64\ndadmin\886983d96e3d3e31032c679b2d4ea91b6c05afef
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\msiexec.exe
- C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\133006b48fb54b65ec2045921283a18304e24d5a
- C:\totalcmd\language\wininit.exe
- C:\totalcmd\language\560854153607923c4c5f107085a7db67be01f252
- %WINDIR%\syswow64\wmvdecod\lsass.exe
- %WINDIR%\syswow64\wmvdecod\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
- %ProgramFiles(x86)%\mozilla firefox\xul\firefox.exe
- %ProgramFiles(x86)%\mozilla firefox\xul\0fc223bdacedc38dd6d2772d547ade1563558e92
- %WINDIR%\syswow64\dhcpcmonitor\dwm.exe
- %WINDIR%\syswow64\dhcpcmonitor\6cb0b6c459d5d3455a3da700e713f2e2529862ff
- C:\documents and settings\spoolsv.exe
- C:\documents and settings\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4
- %HOMEPATH%\application data\wudfhost.exe
- %HOMEPATH%\application data\480b7989c529f6ff17bde430d81d4770fb5337f5
- %ProgramFiles(x86)%\internet explorer\extexport\iexplore.exe
- %ProgramFiles(x86)%\internet explorer\extexport\9db6e019d4f04ef534d0f91b3462d805c40e9d20
- <Current directory>\sppsvc.exe
- <Current directory>\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c
- <Current directory>\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
- nul
- %TEMP%\krjxubaxhs
- 'cd#.##scordapp.com':443
- 'bu###er.pp.ru':443
- 'bu###er.pp.ru':443
- 'cd#.##scordapp.com':443
- DNS ASK bu###er.pp.ru
- DNS ASK cd#.##scordapp.com
- 'localhost':123
- 'C:\totalcmd\language\system.exe'
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\DzIBF6BEVp.bat"' (with hidden window)
- '<Full path to file>' ' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'<SYSTEM32>\ndadmin\csrss.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\DzIBF6BEVp.bat"
- '<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc ONLOGON /tr "'<SYSTEM32>\wbem\WMIC\WmiPrvSE.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Internet Explorer\iexplore\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'C:\Far2\Documentation\eng\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'<SYSTEM32>\olecli32\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'<SYSTEM32>\taskmgr\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc ONLOGON /tr "'%HOMEPATH%\AppData\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc ONLOGON /tr "'%WINDIR%\system\audiodg.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'<Current directory>\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "sppsvc" /sc ONLOGON /tr "'<Current directory>\sppsvc.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Internet Explorer\ExtExport\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc ONLOGON /tr "'%HOMEPATH%\Application Data\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'<SYSTEM32>\dhcpcmonitor\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "firefox" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Mozilla Firefox\xul\firefox.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'<SYSTEM32>\WMVDECOD\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "msiexec" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\msiexec.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WmiPrvSE" /sc ONLOGON /tr "'<SYSTEM32>\wbem\authfwcfg\WmiPrvSE.exe'" /rl HIGHEST /f
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2