Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\taskwhost.exe
- %TEMP%\s.bat
- %TEMP%\<File name>.exe.pid
- http://18#.##4.10.146:8888/bots/knock?wo###################################### via 18#.#14.10.146
- http://18#.##4.10.146:8888/bots/chkVersion?cu#################### via 18#.#14.10.146
- http://18#.##4.10.146:8888/project/active via 18#.#14.10.146
- http://18#.##4.10.146:8888/gw?wo################ via 18#.#14.10.146
- http://18#.##4.10.146:8888/gw?wo##### via 18#.#14.10.146
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat