Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\mrfeabtw\lmeklbjqt.exe
- %ALLUSERSPROFILE%\remcos\logs.dat
- '18#.#46.221.36':54794
- 'ge###ugin.net':80
- http://ge###ugin.net/json.gp
- DNS ASK ge###ugin.net
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' [System.Security.Principal.WindowsIdentity]::GetCurrent().Name' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==