Technical Information
- %WINDIR%\syswow64\cmd.exe
- from <Full path to file> to %TEMP%\_@b3e3.tmp
- 'ip.##nliu2.com':80
- http://ip.##nliu2.com/ip.txt
- DNS ASK ip.##nliu2.com
- '%WINDIR%\syswow64\cmd.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C SC STOP excqsr (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C SC DELETE excqsr (with hidden window)
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\cmd.exe' /C SC STOP excqsr
- '%WINDIR%\syswow64\sc.exe' STOP excqsr
- '%WINDIR%\syswow64\cmd.exe' /C SC DELETE excqsr
- '%WINDIR%\syswow64\sc.exe' DELETE excqsr