Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'pctfrb' = 'RUNDLL32.EXE <SYSTEM32>\msmlalfu.dll,w'
- %TEMP%\1004911.system
- <Current directory>\1011931.bat
- from %TEMP%\1004911.system to %WINDIR%\syswow64\msmlalfu.dll
- ClassName: 'GxWindowClassD3d' WindowName: ''
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\1011931.BAT" "' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' <SYSTEM32>\msmlalfu.dll,w
- '%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\1011931.BAT" "