Technical Information
- %WINDIR%\syswow64\cmd.exe
- from <Full path to file> to %TEMP%\_@692e.tmp
- 'ip.##nliu2.com':80
- http://ip.##nliu2.com/ip.txt
- DNS ASK ip.##nliu2.com
- '%WINDIR%\syswow64\cmd.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C SC STOP qsnbru' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C SC DELETE qsnbru' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe'
- '%WINDIR%\syswow64\cmd.exe' /C SC STOP qsnbru
- '%WINDIR%\syswow64\sc.exe' STOP qsnbru
- '%WINDIR%\syswow64\cmd.exe' /C SC DELETE qsnbru
- '%WINDIR%\syswow64\sc.exe' DELETE qsnbru