Technical Information
Registry (autorun):
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'MSSMSGS' = 'rundll32.exe winzve32.rom,nuUzMvwG'
Processes:
- iexplore.exe
Files:
- %TEMP%\unw74c2.tmp
- %WINDIR%\syswow64\winzve32.rom
- %TEMP%\unw74c2.bat
Network connections:
- 'sa###oft.net':80
- 'sa###oft.net':443
- 'oc##.#tartssl.com':80
- 'oc##.thawte.com':80
HTTP requests:
- http://sa###oft.net/img/cmd.php?c=#########################################
- http://oc##.#tartssl.com/sub/class2/code/ca/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBQSOgrhRCSnWfKxoWTjWxhk8hga9AQU0E4PQJlsuEsZbzsouODjiAc0qrcCAhAV
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
DNS queries:
- DNS ASK sa###oft.net
- DNS ASK microsoft.com
- DNS ASK oc##.#tartssl.com
- DNS ASK public-trust.com
- DNS ASK st####.rapidssl.com
- DNS ASK oc##.thawte.com
Windows searched:
- ClassName: 'IEFrame' WindowName: ''
Commands executed:
- '%WINDIR%\syswow64\cmd.exe' /c "%TEMP%\UNw74C2.bat" (with hidden window)
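The indicators above turned into detection logic, as an added example; this is not code from the original report or from any vendor tool. It assumes that each '#' in a masked indicator stands for exactly one unknown character, uses a made-up event-dict shape rather than a real log format, and feeds in constructed telemetry whose hostnames are placeholders that merely fit the masks (the real domains stay masked). Two points worth noting from the list: the Run-key entry has rundll32 load a module with a .rom extension from %WINDIR%\syswow64 through a named export, so a rule on "rundll32 with a non-.dll module" catches it without depending on the file name; and the request paths under the masked thawte and startssl hosts are base64-encoded OCSP requests, i.e. certificate-status checks that follow from the TCP/443 connection, so the example tracks those hosts separately instead of treating them as C2.

```python
# Added example (not code from the original report). Assumptions: '#' in a
# masked indicator stands for exactly one unknown character; the event dicts
# are a made-up shape; sample hostnames are placeholders that fit the masks.
import re
from typing import Dict, List, Tuple

C2_HOST_MASK = "sa###oft.net"        # masked in the report; kept masked here
C2_PATH_PREFIX = "/img/cmd.php?c="    # the unmasked part of the beacon URL
RUN_VALUE_NAME = "MSSMSGS"
DROPPED_MODULE = "winzve32.rom"
DROPPED_PATHS = {p.lower() for p in (
    r"%WINDIR%\syswow64\winzve32.rom",
    r"%TEMP%\unw74c2.tmp",
    r"%TEMP%\unw74c2.bat",
)}
# Also resolved by the sample, but their request paths are base64 OCSP
# requests (certificate-status checks caused by the TCP/443 connection), so
# they are classified apart from the C2 host.
CERT_INFRA_MASKS = ("oc##.thawte.com", "oc##.#tartssl.com",
                    "st####.rapidssl.com", "public-trust.com")


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Anchored, case-insensitive regex from a '#'-masked hostname."""
    body = "".join("." if ch == "#" else re.escape(ch) for ch in mask)
    return re.compile("^" + body + "$", re.IGNORECASE)


C2_HOST_RE = mask_to_regex(C2_HOST_MASK)
CERT_INFRA_RES = [mask_to_regex(m) for m in CERT_INFRA_MASKS]


def classify_host(host: str) -> str:
    """'c2', 'cert-infra' or 'unknown' for a queried or contacted hostname."""
    if C2_HOST_RE.match(host):
        return "c2"
    if any(r.match(host) for r in CERT_INFRA_RES):
        return "cert-infra"
    return "unknown"


def check_run_value(name: str, data: str) -> List[str]:
    """Persistence check for one HKCU\\...\\Run value: rundll32 loading a
    module whose extension is not .dll is suspicious by itself; the value
    name and module from the report add confidence."""
    findings: List[str] = []
    m = re.match(r'^\s*"?rundll32(?:\.exe)?"?\s+(\S+?)(?:,\S+)?\s*$',
                 data, re.IGNORECASE)
    if m:
        module = m.group(1).strip('"').lower()
        if not module.endswith(".dll"):
            findings.append("rundll32 loads non-.dll module")
        if module.endswith(DROPPED_MODULE):
            findings.append("module is " + DROPPED_MODULE)
    if name.upper() == RUN_VALUE_NAME:
        findings.append("Run value name " + RUN_VALUE_NAME)
    return findings


def check_command(cmdline: str) -> List[str]:
    """cmd.exe /c running a batch file out of %TEMP% (or a resolved \\Temp\\)."""
    pat = r"""cmd(?:\.exe)?['"]?\s+/c\s+['"]?(?:%TEMP%|[^'"\s]*\\Temp)\\[^'"\s]+\.bat"""
    return ["cmd /c of a %TEMP% batch file"] if re.search(pat, cmdline, re.IGNORECASE) else []


def check_http(url: str) -> List[str]:
    """Beacon to the report's cmd.php endpoint on the (masked) C2 host."""
    m = re.match(r"^https?://([^/:]+)(?::\d+)?(/.*)?$", url, re.IGNORECASE)
    if not m:
        return []
    host, path = m.group(1), m.group(2) or "/"
    if classify_host(host) == "c2" and path.startswith(C2_PATH_PREFIX):
        return ["beacon to " + C2_PATH_PREFIX + " on C2 host"]
    return []


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every check over simple event dicts; return (index, findings)
    for each event that produced at least one finding."""
    hits: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        f: List[str] = []
        kind = ev["type"]
        if kind == "registry":
            f = check_run_value(ev["name"], ev["data"])
        elif kind == "process":
            f = check_command(ev["cmdline"])
        elif kind == "file" and ev["path"].lower() in DROPPED_PATHS:
            f = ["known dropped path"]
        elif kind == "dns" and classify_host(ev["query"]) == "c2":
            f = ["DNS query for C2 host"]
        elif kind == "http":
            f = check_http(ev["url"])
        if f:
            hits.append((i, f))
    return hits


# Constructed telemetry, not real logs; hostnames are mask-fitting placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry", "name": "MSSMSGS", "data": "rundll32.exe winzve32.rom,nuUzMvwG"},
    {"type": "registry", "name": "OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "cmdline": "'%WINDIR%\\syswow64\\cmd.exe' /c \"%TEMP%\\UNw74C2.bat\""},
    {"type": "file", "path": r"%WINDIR%\SysWOW64\winzve32.rom"},
    {"type": "dns", "query": "ocxx.thawte.com"},
    {"type": "dns", "query": "microsoft.com"},
    {"type": "http", "url": "http://saxxxoft.net/img/cmd.php?c=0123abcd"},
    {"type": "http", "url": "http://ocxx.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUA"},
]

if __name__ == "__main__":
    for idx, found in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "; ".join(found))
```

Running the block over the constructed events flags the Run value, the hidden cmd /c launch, the module in syswow64 and the cmd.php request, while the OCSP-style request and the microsoft.com lookup stay quiet. In a real deployment the generic rundll32 rule and the %TEMP% batch rule are the ones that survive a rename of the dropped files; the masked-host patterns only work once the real domain is known.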