Technical Information
- <SYSTEM32>\tasks\systems
- <SYSTEM32>\tasks\wininitw
- <SYSTEM32>\tasks\schtaskss
- <SYSTEM32>\tasks\winlogon
- <SYSTEM32>\tasks\winlogonw
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\dwmd
- <SYSTEM32>\tasks\wudfhostw
- <SYSTEM32>\tasks\wudfhost
- <SYSTEM32>\tasks\lsml
- <SYSTEM32>\tasks\lsm
- <SYSTEM32>\tasks\<File name>
- <SYSTEM32>\tasks\smss
- <SYSTEM32>\tasks\taskhostt
- <SYSTEM32>\tasks\<File name>w
- <SYSTEM32>\tasks\smsss
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\csrssc
- <SYSTEM32>\tasks\csrss
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\spoolsvs
- <SYSTEM32>\tasks\iexplorei
- <SYSTEM32>\tasks\spoolsv
- <SYSTEM32>\tasks\system
- <SYSTEM32>\tasks\schtasks
- <SYSTEM32>\tasks\wininit
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- ClassName: 'OLLYDBG', WindowName: ''
- %ProgramFiles%\btinint\system.exe
- C:\users\public\pictures\sample pictures\886983d96e3d3e
- %ProgramFiles%\mcregwiz\wininit.exe
- %ProgramFiles%\mcregwiz\56085415360792
- C:\far2\addons\xlat\russian\schtasks.exe
- C:\far2\addons\xlat\russian\3a6fe29a7ceee6
- C:\far2\fexcept\system.exe
- C:\far2\fexcept\27d1bcfc3c54e0
- C:\totalcmd\language\schtasks.exe
- C:\totalcmd\language\3a6fe29a7ceee6
- C:\totalcmd\language\wudfhost.exe
- C:\totalcmd\language\480b7989c529f6
- %TEMP%\xtnipxbguf
- %TEMP%\8cvparkytb
- %TEMP%\fiiombix2a
- %TEMP%\yekkd0pcbp
- %TEMP%\xtyj9tlpdb
- %TEMP%\pi6vl8zrni
- %TEMP%\fbekt8j5ov
- %TEMP%\nfpaktpa9j
- %TEMP%\aadhocppxs
- %TEMP%\zwpnabkpas
- %TEMP%\gflrrgt8h3
- %TEMP%\3fbeus5brw
- %TEMP%\fo6yyq0baj
- %TEMP%\jzjqd4zvzh
- %TEMP%\jqi3zuuudr
- C:\users\public\pictures\sample pictures\csrss.exe
- %TEMP%\cabhzudf03
- C:\users\default user\cc11b995f2a76d
- <Current directory>\69ddcba757bf72
- %ProgramFiles%\btinint\27d1bcfc3c54e0
- %ProgramFiles%\sniffer\iexplore.exe
- %ProgramFiles%\sniffer\9db6e019d4f04e
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\f3b6ecef712a24
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\spoolsv.exe
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\f3b6ecef712a24
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\886983d96e3d3e
- %ProgramFiles%\pccpfw\taskhost.exe
- %ProgramFiles%\pccpfw\b75386f1303e64
- <Current directory>\smss.exe
- C:\totalcmd\language\<File name>.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\b75386f1303e64
- C:\totalcmd\language\91a43cf99b8599
- C:\users\default\csrss.exe
- C:\users\default\886983d96e3d3e
- C:\far2\fexcept\lsm.exe
- C:\far2\fexcept\101b941d020240
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\wudfhost.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\480b7989c529f6
- C:\totalcmd\language\dwm.exe
- C:\totalcmd\language\6cb0b6c459d5d3
- %ProgramFiles(x86)%\pidgin\plugins\perl\auto\pidgin\lsm.exe
- %ProgramFiles(x86)%\pidgin\plugins\perl\auto\pidgin\101b941d020240
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe
- C:\users\default user\winlogon.exe
- %TEMP%\p187udfvbz
- %TEMP%\xtnipxbguf
- %TEMP%\jqi3zuuudr
- %TEMP%\jzjqd4zvzh
- %TEMP%\fo6yyq0baj
- %TEMP%\3fbeus5brw
- %TEMP%\gflrrgt8h3
- %TEMP%\zwpnabkpas
- %TEMP%\fiiombix2a
- %TEMP%\aadhocppxs
- %TEMP%\fbekt8j5ov
- %TEMP%\pi6vl8zrni
- %TEMP%\xtyj9tlpdb
- %TEMP%\yekkd0pcbp
- %TEMP%\8cvparkytb
- %TEMP%\cabhzudf03
- %TEMP%\nfpaktpa9j
- %TEMP%\p187udfvbz
- '23#####.#lmonth.nyashteam.top':80
- http://23#####.#lmonth.nyashteam.top/nyashsupport.php?3D#########################################################################################################################################...
- http://23#####.#lmonth.nyashteam.top/nyashsupport.php?Qs#########################################################################################################################################...
- DNS ASK 23#####.#lmonth.nyashteam.top
- 'C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\wudfhost.exe'
- '<Full path to file>' ' (with hidden window)
- 'C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\wudfhost.exe' ' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'%ProgramFiles%\BTIniNT\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\totalcmd\LANGUAGE\dwm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 8 /tr "'%ProgramFiles(x86)%\Pidgin\plugins\perl\auto\Pidgin\lsm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Pidgin\plugins\perl\auto\Pidgin\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 13 /tr "'%ProgramFiles(x86)%\Pidgin\plugins\perl\auto\Pidgin\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\mcregwiz\wininit.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'%ProgramFiles%\mcregwiz\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'%ProgramFiles%\mcregwiz\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Far2\Addons\XLat\Russian\schtasks.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtasks" /sc ONLOGON /tr "'C:\Far2\Addons\XLat\Russian\schtasks.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Far2\Addons\XLat\Russian\schtasks.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Far2\FExcept\System.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'C:\Far2\FExcept\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Far2\FExcept\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\totalcmd\LANGUAGE\schtasks.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtasks" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\schtasks.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\schtasks.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHostW" /sc MINUTE /mo 11 /tr "'C:\totalcmd\LANGUAGE\WUDFHost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'%ProgramFiles%\PCCPFW\taskhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'%ProgramFiles%\BTIniNT\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'%ProgramFiles%\BTIniNT\System.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 12 /tr "'%ProgramFiles%\sniffer\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles%\sniffer\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\sniffer\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc ONLOGON /tr "'%ProgramFiles%\PCCPFW\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'%ProgramFiles%\PCCPFW\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "smsss" /sc MINUTE /mo 14 /tr "'<Current directory>\smss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "smss" /sc ONLOGON /tr "'<Current directory>\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "smsss" /sc MINUTE /mo 6 /tr "'<Current directory>\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>w" /sc MINUTE /mo 14 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "<File name>w" /sc MINUTE /mo 6 /tr "'C:\totalcmd\LANGUAGE\<File name>.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\csrss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Far2\FExcept\lsm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'C:\Far2\FExcept\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Far2\FExcept\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHostW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\WUDFHost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHostW" /sc MINUTE /mo 8 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHostW" /sc MINUTE /mo 8 /tr "'C:\totalcmd\LANGUAGE\WUDFHost.exe'" /rl HIGHEST /f