Live analysis
Next, let's perform some live analysis on the infected machine in hand. This live analysis will give us quick results. It may overwrite some traces in the system, but in our case here, we have already acquired our evidence.
The running processes
Listing the running processes will allow us to notice any maliciously-named processes that may relate to malware behavior. We can list the running processes using the native tasklist command:
We can also use processexplorer from Sysinternals. We will notice no malicious names, but we can see that there are two processes named explorer.exe within the system. One holds an ID of 2256 ran for compatibility with 32 bit images but its current directory is C:\Users\<<UserName>>\AppData\Roaming\ as shown in the Process Explorer in the following screenshot. Also, please note that this process most likely will hold another ID if you ran the malware in a machine on your own:
To investigate this process more, we can...
