Техническая информация
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdate' = '%APPDATA%\WindowsUpdate.exe'
- %APPDATA%\windowsupdate.exe
- nul
- %TEMP%\chrome_pwd_1782767112516889900.db
- %TEMP%\chrome_pwd_1782767112516889900.db
- %LOCALAPPDATA%\microsoft\vault\userprofileroaming\latest.dat
- 'di##ord.com':443
- 'di##ord.com':443
- DNS ASK di##ord.com
- ClassName: 'ConsoleWindowClass' WindowName: ''
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d %APPDATA%\WindowsUpdate.exe /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command " Add-Type -AssemblyName System.Runtime.WindowsRuntime $winRt = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=...
- '<SYSTEM32>\cmdkey.exe' /list
- '<SYSTEM32>\vaultcmd.exe' /listcreds: "Windows Credentials" /all