Technical Information (observed indicators: autostart/persistence entries, dropped file paths, a local network endpoint, and process command lines — the list is not ordered by execution sequence)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'System32.exe' = '"%TEMP%\System32.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'System32.exe' = '"%TEMP%\System32.exe" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\system32.exe
- hidden files (the hidden file attribute is set on files the sample writes; the record does not say which of the paths below are affected)
- %TEMP%\crypt.exe
- %TEMP%\server.sfx.exe
- %TEMP%\php5ts.dll
- %TEMP%\pse20\f6dc41cc96950d37a577a73682be9f1b\php.ini
- %TEMP%\server.exe
- %TEMP%\system32.exe
- %TEMP%\system32.exe
- 'localhost':1177 (network endpoint on the local host, port 1177; protocol and connection direction are not recorded here — port 1177 is a usable detection value)
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\crypt.exe'
- '%TEMP%\server.sfx.exe' -pLJgd13572 -d%LOCALAPPDATA%\Temp (self-extracting archive run with the `-p<password>` and `-d<destination>` switches: the embedded password string `LJgd13572` and the extraction into %LOCALAPPDATA%\Temp are both detection-worthy)
- '%TEMP%\server.exe'
- '%TEMP%\system32.exe'
- '%WINDIR%\syswow64\cmd.exe' /c "Server.sfx.exe -pLJgd13572 -d%temp%" (same SFX extraction as above, this time launched via the 32-bit cmd.exe from syswow64 with the destination set to %temp%; the cmd.exe parent/child relationship is a useful hunting pivot)