Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
- %WINDIR%\tasks\at1.job
- <SYSTEM32>\tasks\at1
- %WINDIR%\tasks\at2.job
- <SYSTEM32>\tasks\at2
- '%WINDIR%\syswow64\at.exe' 12:30 /every:m,t,w,th,f,s,su <SYSTEM32>\<File name>.exe
- %WINDIR%\syswow64\<File name>.exe
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
- %WINDIR%\syswow64\<File name>.exe
- 'fi####20.meibu.com':5002
- DNS ASK fi####20.meibu.com
- '%WINDIR%\syswow64\at.exe' 12:30 /every:m,t,w,th,f,s,su <SYSTEM32>\<File name>.exe' (with hidden window)