Technical Information (observed file, network and process artifacts)
- <SYSTEM32>\tasks\smss
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\spoolsv
- C:\users\default\cookies\smss.exe
- C:\users\default\cookies\69ddcba757bf72f7d36c464c71f42baab150b2b9
- %WINDIR%\syswow64\fwremotesvr\lsass.exe
- %WINDIR%\syswow64\fwremotesvr\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
- C:\totalcmd\language\spoolsv.exe
- C:\totalcmd\language\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4
- %TEMP%\zh9h0ayq3d
- %TEMP%\nkq8h52r9y.bat
- nul
- C:\simplerecorder.exe
- %TEMP%\zh9h0ayq3d
- '82.##6.57.148':80
- http://82.##6.57.148/files/SimpleRecorder.exe
- '%WINDIR%\syswow64\fwremotesvr\lsass.exe'
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\nkQ8h52R9Y.bat"' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'<SYSTEM32>\FwRemoteSvr\lsass.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\spoolsv.exe'" /rl HIGHEST /f
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\nkQ8h52R9Y.bat"
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\ping.exe' -n 5 localhost