Technical Information
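- Autorun persistence: [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'load' = '%TEMP%\WINWORD.exe' (per-user Run value, started at each logon of that user; a WINWORD.exe located in %TEMP% rather than in an Office install directory is a name-masquerading indicator)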
- %TEMP%\WINWORD.exe
- Process launched: <SYSTEM32>\wscript.exe "%TEMP%\sys.vbs" (Windows Script Host running a VBScript file from the temp directory)
- %TEMP%\sys.vbs
- %TEMP%\WINWORD.exe
- %TEMP%\DC_Council_chair_resigns_after_bank_fraud_charge.doc
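- Connects to: 'ab###.muprofeta.org':80 (TCP port 80; the '###' in the host name appears to be masked in the listing itself)
- HTTP request: ab###.muprofeta.org/story/cruise.html
- DNS query (ASK): ab###.muprofeta.org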
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'WordPadClass' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''