Technical Information
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over614584\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over684856\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over698266\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over516772\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over742435\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over903389\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over374450\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over125298\v32.cab
- <Current directory>\files\setup.exe
- %TEMP%\over125298\v32.cab
- %TEMP%\over374450\v32.txt
- %TEMP%\over374450\$dpx$.tmp\fe44bc97c7847842a72ec4ab2671b7a3.tmp
- %TEMP%\over374450\v32.cab
- %TEMP%\over903389\v32.txt
- %TEMP%\over903389\$dpx$.tmp\29ee3b223613bd4ea50b885186ba571f.tmp
- %TEMP%\over903389\v32.cab
- %TEMP%\over742435\v32.txt
- %TEMP%\over742435\$dpx$.tmp\b4e01d7e9ef7934198a43683b73599b0.tmp
- %TEMP%\over742435\v32.cab
- %TEMP%\over516772\v32.txt
- %TEMP%\over516772\$dpx$.tmp\7553c1bce443584e8106fea713c20ab7.tmp
- %TEMP%\over516772\v32.cab
- %TEMP%\over698266\v32.txt
- %TEMP%\over698266\$dpx$.tmp\7c77e7f7ed6ef3439cf0b52646de81c4.tmp
- %TEMP%\over698266\v32.cab
- %TEMP%\over684856\v32.txt
- %TEMP%\over684856\$dpx$.tmp\cd02ea519a49964eb55415c0f1cd3d1c.tmp
- %TEMP%\over684856\v32.cab
- %TEMP%\over614584\v32.txt
- %TEMP%\over614584\$dpx$.tmp\1ef0c5d970337a4da7018c970a34b7b1.tmp
- %TEMP%\over614584\v32.cab
- <Current directory>\files\configure.xml
- <Current directory>\files\x86\msvcr100.dll
- <Current directory>\files\x86\cleanospp.exe
- <Current directory>\files\x64\msvcr100.dll
- <Current directory>\files\x64\cleanospp.exe
- <Current directory>\files\uninstall.xml
- <Current directory>\files\files.dat
- %TEMP%\over125298\$dpx$.tmp\7cf9720aeb4f8a488bdf3add51cd2eb8.tmp
- %TEMP%\over125298\v32.txt
- <Current directory>\files\files.dat
- %TEMP%\over125298\v32.cab
- %TEMP%\over374450\versiondescriptor.xml
- %TEMP%\over374450\v32.txt
- %TEMP%\over374450\v32.cab
- %TEMP%\over903389\versiondescriptor.xml
- %TEMP%\over903389\v32.txt
- %TEMP%\over903389\v32.cab
- %TEMP%\over742435\versiondescriptor.xml
- %TEMP%\over742435\v32.txt
- %TEMP%\over742435\v32.cab
- %TEMP%\over125298\v32.txt
- %TEMP%\over516772\versiondescriptor.xml
- %TEMP%\over516772\v32.cab
- %TEMP%\over698266\versiondescriptor.xml
- %TEMP%\over698266\v32.txt
- %TEMP%\over698266\v32.cab
- %TEMP%\over684856\versiondescriptor.xml
- %TEMP%\over684856\v32.txt
- %TEMP%\over684856\v32.cab
- %TEMP%\over614584\versiondescriptor.xml
- %TEMP%\over614584\v32.txt
- %TEMP%\over614584\v32.cab
- %TEMP%\over516772\v32.txt
- %TEMP%\over125298\versiondescriptor.xml
- from %TEMP%\over614584\$dpx$.tmp\1ef0c5d970337a4da7018c970a34b7b1.tmp to %TEMP%\over614584\versiondescriptor.xml
- from %TEMP%\over684856\$dpx$.tmp\cd02ea519a49964eb55415c0f1cd3d1c.tmp to %TEMP%\over684856\versiondescriptor.xml
- from %TEMP%\over698266\$dpx$.tmp\7c77e7f7ed6ef3439cf0b52646de81c4.tmp to %TEMP%\over698266\versiondescriptor.xml
- from %TEMP%\over516772\$dpx$.tmp\7553c1bce443584e8106fea713c20ab7.tmp to %TEMP%\over516772\versiondescriptor.xml
- from %TEMP%\over742435\$dpx$.tmp\b4e01d7e9ef7934198a43683b73599b0.tmp to %TEMP%\over742435\versiondescriptor.xml
- from %TEMP%\over903389\$dpx$.tmp\29ee3b223613bd4ea50b885186ba571f.tmp to %TEMP%\over903389\versiondescriptor.xml
- from %TEMP%\over374450\$dpx$.tmp\fe44bc97c7847842a72ec4ab2671b7a3.tmp to %TEMP%\over374450\versiondescriptor.xml
- from %TEMP%\over125298\$dpx$.tmp\7cf9720aeb4f8a488bdf3add51cd2eb8.tmp to %TEMP%\over125298\versiondescriptor.xml
- 'officecdn.microsoft.com':80
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
- DNS ASK officecdn.microsoft.com
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over516772\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over742435\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over698266\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over903389\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over125298\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over374450\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over684856\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '<Current directory>\files\files.dat' -y -pkmsauto
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over614584\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over742435' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over742435\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over742435\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over903389\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over903389' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over374450\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over903389\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over374450\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over374450' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over125298\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over125298' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over516772\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over684856\v32.cab') }"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over516772\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over614584' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over614584\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over614584\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over684856' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over684856\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over698266\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over698266' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over698266\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over516772' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over125298\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over614584
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over684856
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over698266
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over516772
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over742435
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over903389
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over374450
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over125298