Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\microsoft.exe
- C:\l.txt
- <Current directory>\rs.exe
- %HOMEPATH%\theft.jpg
- C:\cliped.txt
- 'ka######y.great-site.net':80
- 'ft###load.net':21
- http://ka######y.great-site.net/RozbehStealer.exe
- DNS ASK ka######y.great-site.net
- DNS ASK ft###load.net
- '%WINDIR%\syswow64\cmd.exe' /C tasklist >..\L.txt (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C start RS.exe (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C tasklist >..\L.txt
- '%WINDIR%\syswow64\tasklist.exe'
- '%WINDIR%\syswow64\cmd.exe' /C start RS.exe