Technical Information
Registry
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'explorer.exe,"%APPDATA%\874515028\/win32.exe"'
  Winlogon launches every comma-separated entry of the Shell value at logon, so the dropped win32.exe starts next to explorer.exe each time the user logs on. The value is reproduced exactly as the malware writes it, including the stray "\/" in the path. On a clean machine the Shell value lives under HKLM and is exactly 'explorer.exe'; a per-user Shell value under HKCU is itself a persistence indicator.

Files
- %TEMP%\ixp000.tmp\win32s.exe
- %TEMP%\ixp000.tmp\tor.zip
- %APPDATA%\874515028\win32.exe
- %APPDATA%\idw.file
  %TEMP%\ixp000.tmp is the extraction directory name used by IExpress self-extracting packages, so the first two files are consistent with the sample arriving as an IExpress archive.

Network
- http://us###.atw.hu/mogyiii/phpmanual/SocksWebProxy.dll
- DNS ASK us###.atw.hu
  (hostname partially redacted in the source)

Processes
- '%TEMP%\ixp000.tmp\win32s.exe'
- '%TEMP%\ixp000.tmp\win32s.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cacls %APPDATA%\874515028\/win32.exe /e /r system /p %username%:r
- '%WINDIR%\syswow64\cacls.exe' %APPDATA%\874515028\/win32.exe /e /r system /p user:r
  cacls /e edits the existing ACL instead of replacing it, /r system revokes every access right granted to SYSTEM, and /p <user>:r leaves the logged-on user with read-only access. The result is that processes running as LocalSystem (which is where most endpoint security services run) fail normal access checks on the dropped file; an administrator can still take ownership and restore the ACL. The %WINDIR%\syswow64\ paths show the malware running as a 32-bit process on 64-bit Windows.
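The following PowerShell hunt is an added example and not part of the original report. It checks a host for the artifacts above: a non-default Winlogon Shell value, the indicator file paths, and the SYSTEM-revoked ACL produced by the cacls step. The function name Invoke-IndicatorHunt and the list of paths are assumptions taken from the indicators (the folder name 874515028 may differ between samples); run it as an administrator in the session of the affected user, since HKCU, %APPDATA% and %TEMP% are per-user.

```powershell
# Added example, not code from the original report.
# Assumes: run elevated in the affected user's session; folder name 874515028 is sample-specific.
function Invoke-IndicatorHunt {
    $findings = @()

    # 1. Winlogon Shell: every comma-separated entry is launched at logon.
    #    Flag any entry other than explorer.exe, and flag a per-user (HKCU) override outright.
    $keys = @(
        @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' },
        @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' }
    )
    foreach ($k in $keys) {
        $shell = (Get-ItemProperty -Path $k.Path -Name Shell -ErrorAction SilentlyContinue).Shell
        if (-not $shell) { continue }
        if ($k.Hive -eq 'HKCU') {
            $findings += "Per-user Winlogon Shell value present in HKCU: $shell"
        }
        $entries = $shell -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
        $extra = $entries | Where-Object { $_ -ine 'explorer.exe' }
        if ($extra) {
            $findings += "$($k.Hive) Winlogon Shell launches extra entries: $($extra -join '; ')"
        }
    }

    # 2. Indicator files. The report writes the path with "\/"; normalise to a single backslash.
    $paths = @(
        "$env:APPDATA\874515028\/win32.exe",
        "$env:APPDATA\idw.file",
        "$env:TEMP\ixp000.tmp\win32s.exe",
        "$env:TEMP\ixp000.tmp\tor.zip"
    ) | ForEach-Object { $_ -replace '\\/', '\' }

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $findings += "Indicator file present: $p"

        # 3. ACL check: "cacls /e /r system" removes SYSTEM's ACE entirely.
        #    Reading the DACL needs READ_CONTROL; the owner (the dropping user) always has it.
        try {
            $acl = Get-Acl -LiteralPath $p
            $systemAce = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
            }
            if (-not $systemAce) {
                $findings += "SYSTEM has no access entry on $p (matches the cacls /r system step)"
            }
        } catch {
            $findings += "Could not read ACL on ${p}: $($_.Exception.Message)"
        }
    }

    return $findings
}

# Usage: print one line per finding; an empty result means none of the artifacts were found.
Invoke-IndicatorHunt | ForEach-Object { Write-Output $_ }
```

The ACL test only reports a missing SYSTEM entry; a file whose DACL was never touched will show SYSTEM with Full Control inherited from the profile directory. If a hit is found, restoring access before collection is a matter of taking ownership (takeown /f) and re-granting SYSTEM with icacls, which the revoked ACE does not prevent an administrator from doing.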