Technical Information
Malicious functions
Downloads
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over501279\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over385043\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over420062\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over291759\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over887625\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over560059\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over644200\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over359780\v32.cab
Modifies file system
Creates the following files
- <Current directory>\files\setup.exe
- %TEMP%\over359780\v32.cab
- %TEMP%\over644200\v32.txt
- %TEMP%\over644200\$dpx$.tmp\36d20dc950e3b640b64cb73470a117d9.tmp
- %TEMP%\over644200\v32.cab
- %TEMP%\over560059\v32.txt
- %TEMP%\over560059\$dpx$.tmp\170506b7a14054499b95b82cbe6a7b32.tmp
- %TEMP%\over560059\v32.cab
- %TEMP%\over887625\v32.txt
- %TEMP%\over887625\$dpx$.tmp\afc9e04630a979499bce41e81bf2f805.tmp
- %TEMP%\over887625\v32.cab
- %TEMP%\over291759\v32.txt
- %TEMP%\over291759\$dpx$.tmp\1b3a6f446cbe5e46bb7ef345128ed6d8.tmp
- %TEMP%\over291759\v32.cab
- %TEMP%\over420062\v32.txt
- %TEMP%\over420062\$dpx$.tmp\e02e4d8346e6004a94daa974d11859f6.tmp
- %TEMP%\over420062\v32.cab
- %TEMP%\over385043\v32.txt
- %TEMP%\over385043\$dpx$.tmp\335f79965199184799df908f6c8b23f6.tmp
- %TEMP%\over385043\v32.cab
- %TEMP%\over501279\v32.txt
- %TEMP%\over501279\$dpx$.tmp\7c329005f73635419a10ef0958b65ef3.tmp
- %TEMP%\over501279\v32.cab
- <Current directory>\files\configure.xml
- <Current directory>\files\x86\msvcr100.dll
- <Current directory>\files\x86\cleanospp.exe
- <Current directory>\files\x64\msvcr100.dll
- <Current directory>\files\x64\cleanospp.exe
- <Current directory>\files\uninstall.xml
- <Current directory>\files\files.dat
- %TEMP%\over359780\$dpx$.tmp\59329bdb98e78e44aa28afc546a4dfe4.tmp
- %TEMP%\over359780\v32.txt
Deletes the following files
- <Current directory>\files\files.dat
- %TEMP%\over359780\v32.cab
- %TEMP%\over644200\versiondescriptor.xml
- %TEMP%\over644200\v32.txt
- %TEMP%\over644200\v32.cab
- %TEMP%\over560059\versiondescriptor.xml
- %TEMP%\over560059\v32.txt
- %TEMP%\over560059\v32.cab
- %TEMP%\over887625\versiondescriptor.xml
- %TEMP%\over887625\v32.txt
- %TEMP%\over887625\v32.cab
- %TEMP%\over359780\v32.txt
- %TEMP%\over291759\versiondescriptor.xml
- %TEMP%\over291759\v32.cab
- %TEMP%\over420062\versiondescriptor.xml
- %TEMP%\over420062\v32.txt
- %TEMP%\over420062\v32.cab
- %TEMP%\over385043\versiondescriptor.xml
- %TEMP%\over385043\v32.txt
- %TEMP%\over385043\v32.cab
- %TEMP%\over501279\versiondescriptor.xml
- %TEMP%\over501279\v32.txt
- %TEMP%\over501279\v32.cab
- %TEMP%\over291759\v32.txt
- %TEMP%\over359780\versiondescriptor.xml
Moves the following files
- from %TEMP%\over501279\$dpx$.tmp\7c329005f73635419a10ef0958b65ef3.tmp to %TEMP%\over501279\versiondescriptor.xml
- from %TEMP%\over385043\$dpx$.tmp\335f79965199184799df908f6c8b23f6.tmp to %TEMP%\over385043\versiondescriptor.xml
- from %TEMP%\over420062\$dpx$.tmp\e02e4d8346e6004a94daa974d11859f6.tmp to %TEMP%\over420062\versiondescriptor.xml
- from %TEMP%\over291759\$dpx$.tmp\1b3a6f446cbe5e46bb7ef345128ed6d8.tmp to %TEMP%\over291759\versiondescriptor.xml
- from %TEMP%\over887625\$dpx$.tmp\afc9e04630a979499bce41e81bf2f805.tmp to %TEMP%\over887625\versiondescriptor.xml
- from %TEMP%\over560059\$dpx$.tmp\170506b7a14054499b95b82cbe6a7b32.tmp to %TEMP%\over560059\versiondescriptor.xml
- from %TEMP%\over644200\$dpx$.tmp\36d20dc950e3b640b64cb73470a117d9.tmp to %TEMP%\over644200\versiondescriptor.xml
- from %TEMP%\over359780\$dpx$.tmp\59329bdb98e78e44aa28afc546a4dfe4.tmp to %TEMP%\over359780\versiondescriptor.xml
Network activity
Connects to
- 'officecdn.microsoft.com':80
TCP
HTTP GET requests
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
UDP
- DNS ASK officecdn.microsoft.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over291759\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over887625\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over420062\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over560059\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over359780\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over644200\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over385043\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '<Current directory>\files\files.dat' -y -pkmsauto
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over501279\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over887625' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over887625\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over887625\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over560059\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over560059' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over644200\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over560059\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over644200\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over644200' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over359780\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over359780' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over291759\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over385043\v32.cab') }"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over291759\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over501279' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over501279\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over501279\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over385043' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over385043\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over420062\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over420062' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over420062\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over291759' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over359780\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
Executes the following
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over501279
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over385043
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over420062
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over291759
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over887625
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over560059
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over644200
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over359780
