Technical Information
- %TEMP%\fe61a.tmp.bat
- from <Full path to file> to %TEMP%\_@e60a.tmp
- http://13#.##2.73.111:8080/%E5%A4%9A%E5%8A%9F%E8%83%BD%E5%8E%8B%E6%9E%AA%E5%87%BD%E6%95%B0/%E5%A4%9A%E5%8A%9F%E8%83%BD%E5%8E%8B%E6%9E%AA%E5%87%BD%E6%95%B0puvs2Fyk5f.txt via 13#.#32.73.111
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\fe61a.tmp.bat (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\fe61a.tmp.bat