Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'wincl' = '%APPDATA%\WinCL\wincl.exe'
- %APPDATA%\wincl\wincl.exe
- %APPDATA%\1.bat
- 'ko###rks.com':80
- http://ko###rks.com/web/wl3/log.php
- DNS ASK ko###rks.com
- '%APPDATA%\wincl\wincl.exe'
- '%APPDATA%\wincl\wincl.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %APPDATA%\1.bat (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %APPDATA%\1.bat