Technical Information
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe %TEMP%\system.exe'
- %TEMP%\system.exe
- 'google.com':80
- 'ca##ur.com':80
- 'ca##ur.com':443
- http://google.com/
- http://www.google.com/
- http://ca##ur.com/img/icons/tabs/top.jpg
- 'ca##ur.com':443
- DNS ASK google.com
- DNS ASK ca##ur.com
- '%TEMP%\system.exe'
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\system.exe (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy <Full path to file> %TEMP%\system.exe (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy <Full path to file> %TEMP%\system.exe
- '%WINDIR%\syswow64\cmd.exe' /c %TEMP%\system.exe
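The two behaviours listed above that matter for detection are the Winlogon 'Shell' value rewritten to 'Explorer.exe %TEMP%\system.exe' (Winlogon launches every space-separated entry at logon, so the desktop still appears while the dropped binary also runs) and the copy-into-Temp-then-execute chain driven through cmd.exe. The following is an added example, not part of the report: it checks a 'Shell' value for anything beyond a bare explorer.exe, scans process-creation events for a cmd.exe copy into a Temp directory followed by execution of the copied file, and, on a Windows host, reads both registry views of the Winlogon key. The event records and the source path in them are constructed for the example, the field names (image, cmdline) are an assumption about whatever telemetry you feed in, and handling the expanded AppData\Local\Temp form of %TEMP% is an assumption about real logs rather than something the report shows.

```python
import re

# Both registry views of the Winlogon key; the report shows the Wow6432Node one modified.
WINLOGON_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def shell_value_is_suspicious(value: str) -> bool:
    """True unless 'Shell' is a bare explorer.exe (optionally quoted or with a path).
    'Explorer.exe %TEMP%\\system.exe' is flagged because of the extra entry."""
    tokens = value.strip().split()
    if not tokens:
        return True  # an empty Shell is not a default value either
    first = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    return first != "explorer.exe" or len(tokens) > 1


# cmd.exe /c copy <src> <dst> where <dst> is under a Temp directory: either the
# unexpanded %TEMP% seen in sandbox reports or an expanded ...\Temp path (assumption).
COPY_TO_TEMP = re.compile(
    r'cmd\.exe"?\s+/c\s+copy\s+"?(?P<src>[^"\s]+)"?\s+'
    r'"?(?P<dst>(?:%TEMP%|[^"\s]*\\Temp)\\[^"\s]+)"?',
    re.IGNORECASE,
)


def normalise(path: str) -> str:
    return path.strip('"').lower()


def find_copy_then_execute(events):
    """Walk process-creation events in time order. Returns a list of
    (copy_event_index, exec_event_index, dropped_path) for every file that
    cmd.exe copied into Temp and that later ran, either as a process image
    or as the argument of another 'cmd.exe /c'."""
    dropped = {}  # normalised destination path -> index of the copying event
    hits = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        m = COPY_TO_TEMP.search(cmd)
        if m:
            dropped[normalise(m.group("dst"))] = i
            continue
        image = normalise(ev["image"])
        for dst, idx in dropped.items():
            if image == dst or re.search(r'/c\s+"?' + re.escape(dst), cmd.lower()):
                hits.append((idx, i, dst))
    return hits


def audit_live_winlogon():
    """Windows only: read 'Shell' from both views and return (key, value) pairs
    that fail shell_value_is_suspicious. Keys that cannot be opened are skipped."""
    import winreg  # present only on Windows

    findings = []
    for key in WINLOGON_KEYS:
        subkey = key.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                value, _ = winreg.QueryValueEx(k, "Shell")
        except OSError:
            continue
        if shell_value_is_suspicious(value):
            findings.append((key, value))
    return findings


# Constructed events mirroring the report's process chain; not real telemetry.
# The source path is a placeholder for the report's elided '<Full path to file>'.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\sample\dropper.exe %TEMP%\system.exe"},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c %TEMP%\system.exe"},
    {"image": r"%TEMP%\system.exe",
     "cmdline": r"%TEMP%\system.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    print("Shell value suspicious:",
          shell_value_is_suspicious(r"Explorer.exe %TEMP%\system.exe"))
    for copy_idx, exec_idx, path in find_copy_then_execute(SAMPLE_EVENTS):
        print(f"event {copy_idx} dropped {path}; event {exec_idx} executed it")
```

The copy and the execution are reported as a pair so an analyst can see the original source path from the copy event rather than only the Temp path; a bare "system.exe ran from Temp" rule would fire on the second and third events but lose that context. On a live host, audit_live_winlogon() is what you would run after a hit, since a clean Shell value does not prove the registry was never touched, only that it is clean now.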