Technical Information
- from <Full path to file> to %TEMP%\po520\waaay.exe\....\waaay.exe
- '11#.#8.129.115':5210
- 'pv.#ohu.com':80
- '20##.ip138.com':80
- http://pv.#ohu.com/cityjson
- http://20##.ip138.com/
- DNS ASK pv.#ohu.com
- DNS ASK 20##.ip138.com
- ClassName: '' WindowName: '0user.exe'
- '%WINDIR%\syswow64\cmd.exe' /c rd %TEMP%\PO520 /s /q (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c rd %TEMP%\PO520 /s /q