Technical Information
- '%WINDIR%\syswow64\taskkill.exe' /im "WindowsActive.exe" /f
- %TEMP%\autdc4a.tmp
- %TEMP%\windowsloader.exe
- %TEMP%\autdeda.tmp
- %TEMP%\windowsactive.exe
- %TEMP%\autdc4a.tmp
- %TEMP%\autdeda.tmp
- %TEMP%\windowsactive.exe
- DNS ASK g-###nrs.top
- ClassName: 'STATIC' WindowName: 'q3TDgcZ4p2up0Z77amQP 000003E0'
- ClassName: '' WindowName: ''
- '%TEMP%\windowsloader.exe'
- '%TEMP%\windowsactive.exe'
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im "WindowsActive.exe" /f & erase "%TEMP%\WindowsActive.exe" & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /A /C "compact /u \\?\Volume{c84d25cc-f368-11e4-889d-806e6f6e6963}\XELDZ"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im "WindowsActive.exe" /f & erase "%TEMP%\WindowsActive.exe" & exit
- '%WINDIR%\syswow64\cmd.exe' /A /C "compact /u \\?\Volume{c84d25cc-f368-11e4-889d-806e6f6e6963}\XELDZ"
- '%WINDIR%\syswow64\compact.exe' /u \\?\Volume{c84d25cc-f368-11e4-889d-806e6f6e6963}\XELDZ