a873a7d3b90c6f2d156e5026b72a5652d4893081cd188300141a95dc38cba56b

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gatherNetworkInfo.vbs
Size

39KB
MD5

2ae808cb0d9a667b0cf41ea74b3b9bac
SHA1

628b6b4bf3cc7f77578cf3ccfcc587dbf9ec7e07
SHA256

a873a7d3b90c6f2d156e5026b72a5652d4893081cd188300141a95dc38cba56b
SHA512

667e1d082658b36cf7d8cae68d6055a51599d7d411fd5615f1431e15a0d30f267f6447b575bebc034ac7e9b77a1b478c3718801f9848945140be4ee979bc8bff
SSDEEP

768:8IYHILRGUJX4mlrU5R/A+Tr/GsfpkgKo9kNxyJ4OORfWXyB22rQeWE5TloYL7TBY:8IYHILRGUJImlrc/A+3fpkgKo9kNxyJt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 8 IoCs

evasion

Windows Service

T1543.003

pid	Process
4212	netsh.exe
380	netsh.exe
2808	netsh.exe
2884	netsh.exe
2424	netsh.exe
5080	netsh.exe
1924	netsh.exe
4364	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4400	sc.exe
4336	sc.exe
4404	sc.exe
448	sc.exe
3820	sc.exe
4972	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1016	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
32	ipconfig.exe
2224	ipconfig.exe
3580	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
920	systeminfo.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	WScript.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	tasklist.exe
Token: SeSecurityPrivilege	4700	wevtutil.exe
Token: SeBackupPrivilege	4700	wevtutil.exe
Token: SeSecurityPrivilege	2352	wevtutil.exe
Token: SeBackupPrivilege	2352	wevtutil.exe
Token: SeSecurityPrivilege	100	wevtutil.exe
Token: SeBackupPrivilege	100	wevtutil.exe
Token: SeSecurityPrivilege	3580	wevtutil.exe
Token: SeBackupPrivilege	3580	wevtutil.exe
Token: SeSecurityPrivilege	632	wevtutil.exe
Token: SeBackupPrivilege	632	wevtutil.exe
Token: SeSecurityPrivilege	388	wevtutil.exe
Token: SeBackupPrivilege	388	wevtutil.exe
Token: SeSecurityPrivilege	3244	wevtutil.exe
Token: SeBackupPrivilege	3244	wevtutil.exe
Token: SeSecurityPrivilege	4848	wevtutil.exe
Token: SeBackupPrivilege	4848	wevtutil.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe
Token: SeSecurityPrivilege	3484	wevtutil.exe
Token: SeBackupPrivilege	3484	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1508	2268	WScript.exe	89
PID 2268 wrote to memory of 1508	2268	WScript.exe	89
PID 1508 wrote to memory of 388	1508	cmd.exe	91
PID 1508 wrote to memory of 388	1508	cmd.exe	91
PID 2268 wrote to memory of 3472	2268	WScript.exe	92
PID 2268 wrote to memory of 3472	2268	WScript.exe	92
PID 3472 wrote to memory of 4708	3472	cmd.exe	94
PID 3472 wrote to memory of 4708	3472	cmd.exe	94
PID 2268 wrote to memory of 2188	2268	WScript.exe	95
PID 2268 wrote to memory of 2188	2268	WScript.exe	95
PID 2188 wrote to memory of 1944	2188	cmd.exe	97
PID 2188 wrote to memory of 1944	2188	cmd.exe	97
PID 2268 wrote to memory of 544	2268	WScript.exe	98
PID 2268 wrote to memory of 544	2268	WScript.exe	98
PID 544 wrote to memory of 4000	544	cmd.exe	100
PID 544 wrote to memory of 4000	544	cmd.exe	100
PID 2268 wrote to memory of 2388	2268	WScript.exe	101
PID 2268 wrote to memory of 2388	2268	WScript.exe	101
PID 2388 wrote to memory of 5100	2388	cmd.exe	103
PID 2388 wrote to memory of 5100	2388	cmd.exe	103
PID 2268 wrote to memory of 1564	2268	WScript.exe	104
PID 2268 wrote to memory of 1564	2268	WScript.exe	104
PID 1564 wrote to memory of 888	1564	cmd.exe	106
PID 1564 wrote to memory of 888	1564	cmd.exe	106
PID 2268 wrote to memory of 448	2268	WScript.exe	107
PID 2268 wrote to memory of 448	2268	WScript.exe	107
PID 448 wrote to memory of 3096	448	cmd.exe	109
PID 448 wrote to memory of 3096	448	cmd.exe	109
PID 2268 wrote to memory of 4936	2268	WScript.exe	110
PID 2268 wrote to memory of 4936	2268	WScript.exe	110
PID 4936 wrote to memory of 1928	4936	cmd.exe	112
PID 4936 wrote to memory of 1928	4936	cmd.exe	112
PID 2268 wrote to memory of 4140	2268	WScript.exe	113
PID 2268 wrote to memory of 4140	2268	WScript.exe	113
PID 4140 wrote to memory of 4248	4140	cmd.exe	115
PID 4140 wrote to memory of 4248	4140	cmd.exe	115
PID 2268 wrote to memory of 2520	2268	WScript.exe	116
PID 2268 wrote to memory of 2520	2268	WScript.exe	116
PID 2520 wrote to memory of 3108	2520	cmd.exe	118
PID 2520 wrote to memory of 3108	2520	cmd.exe	118
PID 2268 wrote to memory of 2256	2268	WScript.exe	119
PID 2268 wrote to memory of 2256	2268	WScript.exe	119
PID 2256 wrote to memory of 4656	2256	cmd.exe	121
PID 2256 wrote to memory of 4656	2256	cmd.exe	121
PID 2268 wrote to memory of 3996	2268	WScript.exe	122
PID 2268 wrote to memory of 3996	2268	WScript.exe	122
PID 3996 wrote to memory of 3184	3996	cmd.exe	124
PID 3996 wrote to memory of 3184	3996	cmd.exe	124
PID 2268 wrote to memory of 1628	2268	WScript.exe	125
PID 2268 wrote to memory of 1628	2268	WScript.exe	125
PID 1628 wrote to memory of 4788	1628	cmd.exe	127
PID 1628 wrote to memory of 4788	1628	cmd.exe	127
PID 2268 wrote to memory of 1952	2268	WScript.exe	128
PID 2268 wrote to memory of 1952	2268	WScript.exe	128
PID 1952 wrote to memory of 1704	1952	cmd.exe	130
PID 1952 wrote to memory of 1704	1952	cmd.exe	130
PID 2268 wrote to memory of 4228	2268	WScript.exe	131
PID 2268 wrote to memory of 4228	2268	WScript.exe	131
PID 2268 wrote to memory of 4160	2268	WScript.exe	137
PID 2268 wrote to memory of 4160	2268	WScript.exe	137
PID 4160 wrote to memory of 920	4160	cmd.exe	139
PID 4160 wrote to memory of 920	4160	cmd.exe	139
PID 2268 wrote to memory of 692	2268	WScript.exe	142
PID 2268 wrote to memory of 692	2268	WScript.exe	142

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gatherNetworkInfo.vbs"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
    3⤵
    PID:388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
    3⤵
    PID:4708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
    3⤵
    PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
    3⤵
    PID:4000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
    3⤵
    PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
    3⤵
    PID:888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
    3⤵
    PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
    3⤵
    PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
    3⤵
    PID:4248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
    3⤵
    PID:3108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
    3⤵
    PID:4656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
    3⤵
    PID:3184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
    3⤵
    PID:4788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
    3⤵
    PID:1704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
  2⤵
  PID:4228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
  2⤵
  PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist > tempfile.txt
  2⤵
  PID:4416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
  2⤵
  PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
  2⤵
  PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
  2⤵
  PID:4656
- - C:\Windows\system32\netsh.exe
    netsh wlan show all
    3⤵
    PID:3780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
  2⤵
  PID:2816
- - C:\Windows\system32\netsh.exe
    netsh lan show interfaces
    3⤵
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
  2⤵
  PID:2884
- - C:\Windows\system32\netsh.exe
    netsh lan show settings
    3⤵
    PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
  2⤵
  PID:4300
- - C:\Windows\system32\netsh.exe
    netsh lan show profiles
    3⤵
    PID:3256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
  2⤵
  PID:1768
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
  2⤵
  PID:4732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
  2⤵
  PID:1280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
  2⤵
  PID:3988
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
  2⤵
  PID:3788
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent My
    3⤵
    PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
  2⤵
  PID:3828
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent -user My
    3⤵
    PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt
  2⤵
  PID:4000
- - C:\Windows\system32\netsh.exe
    netsh winsock show catalog
    3⤵
    PID:2064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt
  2⤵
  PID:3296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt
  2⤵
  PID:5032
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show currentprofile
    3⤵
    - Modifies Windows Firewall
    PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall
    3⤵
    - Modifies Windows Firewall
    PID:1924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:4596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2596
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec
    3⤵
    - Modifies Windows Firewall
    PID:4364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3556
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:772
- - C:\Windows\system32\netsh.exe
    netsh advfirewall consec show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    PID:380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall rule name=all
    3⤵
    - Modifies Windows Firewall
    PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:4284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:3408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec rule name=all
    3⤵
    - Modifies Windows Firewall
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
  2⤵
  PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx
  2⤵
  PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:4140
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:2404
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt
  2⤵
  PID:3916
- - C:\Windows\system32\sc.exe
    sc query wcncsvc
    3⤵
    - Launches sc.exe
    PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt
  2⤵
  PID:4996
- - C:\Windows\system32\sc.exe
    sc query wlansvc
    3⤵
    - Launches sc.exe
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:2036
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt
  2⤵
  PID:4164
- - C:\Windows\system32\sc.exe
    sc query fdrespub
    3⤵
    - Launches sc.exe
    PID:3820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt
  2⤵
  PID:1192
- - C:\Windows\system32\sc.exe
    sc query upnphost
    3⤵
    - Launches sc.exe
    PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:1912
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:4400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt
  2⤵
  PID:3140
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt
  2⤵
  PID:4692
- - C:\Windows\system32\netsh.exe
    netsh wlan show device
    3⤵
    PID:528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters
    3⤵
    PID:3788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt
  2⤵
  PID:4212
- - C:\Windows\system32\netsh.exe
    netsh advfirewall show currentprofile
    3⤵
    - Modifies Windows Firewall
    PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show filters file=config\wfpfilters.xml > config\wfplog.log
  2⤵
  PID:4964
- - C:\Windows\system32\netsh.exe
    netsh wfp show filters file=config\wfpfilters.xml
    3⤵
    PID:4660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt
  2⤵
  PID:5040
- - C:\Windows\system32\netsh.exe
    netsh interface teredo show state
    3⤵
    PID:3184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt
  2⤵
  PID:4420
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show interface
    3⤵
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt
  2⤵
  PID:540
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show statistics
    3⤵
    PID:4160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt
  2⤵
  PID:3408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt
  2⤵
  PID:2436
- - C:\Windows\system32\ipconfig.exe
    ipconfig /displaydns
    3⤵
    - Gathers network information
    PID:32
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:3256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt
  2⤵
  PID:1380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt
  2⤵
  PID:1100
- - C:\Windows\system32\netsh.exe
    netsh namespace show effective
    3⤵
    PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt
  2⤵
  PID:4140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt
  2⤵
  PID:4036
- - C:\Windows\system32\netsh.exe
    netsh namespace show policy
    3⤵
    PID:3788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt
  2⤵
  PID:4780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt
  2⤵
  PID:4500
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt
  2⤵
  PID:4168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt
  2⤵
  PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt
  2⤵
  PID:4180
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 show neigh
    3⤵
    PID:4884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt
  2⤵
  PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt
  2⤵
  PID:1512
- - C:\Windows\system32\nbtstat.exe
    nbtstat -n
    3⤵
    PID:4088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt
  2⤵
  PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt
  2⤵
  PID:1888
- - C:\Windows\system32\nbtstat.exe
    nbtstat -c
    3⤵
    PID:4392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt
  2⤵
  PID:4192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt
  2⤵
  PID:4152
- - C:\Windows\system32\net.exe
    net config rdr
    3⤵
    PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config rdr
      4⤵
      PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:4596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt
  2⤵
  PID:3140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt
  2⤵
  PID:4988
- - C:\Windows\system32\net.exe
    net config srv
    3⤵
    PID:1048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config srv
      4⤵
      PID:1776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:4036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt
  2⤵
  PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt
  2⤵
  PID:3940
- - C:\Windows\system32\net.exe
    net share
    3⤵
    PID:4004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 share
      4⤵
      PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
  2⤵
  PID:4260
- - C:\Windows\system32\gpresult.exe
    gpresult /scope:computer /v
    3⤵
    PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&1
  2⤵
  PID:2808
- - C:\Windows\system32\netsh.exe
    netsh wfp show netevents file=config\netevents.xml
    3⤵
    PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&1
  2⤵
  PID:3108
- - C:\Windows\system32\netsh.exe
    netsh wfp show state file=config\wfpstate.xml
    3⤵
    PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&1
  2⤵
  PID:3408
- - C:\Windows\system32\netsh.exe
    netsh wfp show sysports file=config\sysports.xml
    3⤵
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REG392C.tmp

Filesize
5KB

MD5
9b854efe8795d80357d5515cc1d4186f

SHA1
0dd86c1a5e889126d928cc802c8604666f1962f4

SHA256
aa7cfb6e102c4d6e38eb3dca4f3df416b9657c808b8ddfc4d284627be9c14803

SHA512
8276d6f75abdf1f8cb47d32c30dfccfb0d5b61275c179f330d4bc8668689845b9393030e9f35703ed703a6f25e9762eb081406e4abf0c83953c88046e62c82fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG3A26.tmp

Filesize
8KB

MD5
a4bed7e5f4a2315c2f7a85303adcb6c8

SHA1
b28f29461290551a9fdba20a79e3b316cf6b6103

SHA256
84c800b498e2592add424db8eb82878daff1c5ac195293d3f05fe15996a4fa0e

SHA512
93acb60c42fe2077bb70a5544d15da4e182b548d882ef20ea23cb37a21ced46dc259d7fc80db01dc4afc2e008e4b0f950ffd6a8e6803b1317c9e9288fc54421d

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG3B20.tmp

Filesize
634B

MD5
9a5a295efdc30925c631166a5d041bd3

SHA1
06068ba50872e1cf5ebfd08697e000afe3088bae

SHA256
88275b3c833910726328d29fb29f50ff6e5d357e8d3f316362c6d709d5fa5ef5

SHA512
7ad1813c3e4e639510e6e743d48fc83105b8f07c1502370eea11dd9c41c1360f6c20692ffc2588a1e0e280240c524201cdce92b4d137b16830848b592a31819c

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG40FC.tmp

Filesize
2KB

MD5
8d0253d6d2ff5866c0ca9a29db086322

SHA1
c2161a4576bd2bc4aaa09f1426183ff45a75a123

SHA256
dbe14ba69d94c7e70d92fef91a390a6dcc70389dcd0b271906676863038eee1c

SHA512
9c7ce97a58bb3540ff79628e8aadcf0adcb0e6cec47e57ccb210ad30d85826f3fde646b3e15c9f092ed7d2a69f694b04c36f54ccb771da21ee9956979c04a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG4419.tmp

Filesize
7KB

MD5
6f06b0fbf16cf647f998ed3d2f82b778

SHA1
a1f8fc54afe8739e6cd285905372f410b4088776

SHA256
70b7217c9ec095d2cc26a6f75964481f6f0319a9f56dfec4e3e11110d931ad9c

SHA512
51bd5bd4bbdf56c464c6078182160693f7929a04854e1fa1b734a35ee16262891986e1eedc7324d1da60d3b0a2f8b8853f0fe17704a19742c2735e4540d2e70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
25B

MD5
dbbe6a0d6c5d16e1f1b3f1a0a02640ab

SHA1
ec26045f7867ff5b47edf76ad014fe584243d8ce

SHA256
c6226537e8f06c6916bdf4a19662d28feb21e249c39f41be615b6894c603eb60

SHA512
76dd015a4710c5f2fa9a1ac606e02d40b56595c22e10b8e9f1b9f2f2b57a94f243214ce0026f2d363e4a61ad6fd373e40fdcd7b8f24f747d286124787f3d87ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
5981663a814aaa28554e33653615bbba

SHA1
c53a4ff7685a46d8e672030861ef7d9b52ef11dc

SHA256
08c420dc604b437c8e475dcfd59191e51807e4d05de177ea6c9ed692d337fd7a

SHA512
87b7242adb6f4ccc2e3ced3b2ab9e2657fd24cd62ec682652309485b7cd8be304e6731aea9efd2850cb8f4bb20d0ff33c7387a7b6b4357c8bc2abf7bd10a0345

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
6278dff1a0b7f7bae419e9a87aca9cee

SHA1
300dc9d859361c94023e9f4c45365da4a17d490d

SHA256
9ac7d71083a3d73cf831ec45bfbc22ed26a15bd2b68716e0eeba5c2f51713aac

SHA512
63596af6c64072f513fa75abf09389ea9b479aef813ea4962cbd1bf09fa91c76618d47d5b51f9f7c9f2977156095ed9cbc6e68fcf069946cf25d6732a3c68b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
b3592f00f524c9ba5468bc69eb55a4c8

SHA1
cee4ae84f4edb502883c1dc77a7217c8e8c99b23

SHA256
5349f92a04834347eec44c9c089434afe91162796adf13a90d803c406506a8c9

SHA512
d8469b4c78a9e11ebe8a87300aa9d2655c7331b9ddf1c490e6fc509a42500e06150b949bf10ca18841617d126d5277577e883a40800a9c310aa907b1340ba309

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
ea4c6efcd90b2010d280b65eab15a656

SHA1
7c8fecc59406006e2a71093fbe3e6138578247dd

SHA256
de4c84be56fa7d010cd8716dcbed9dfb76d523d5779eac5171e2232fc40a1168

SHA512
a33ef1103bbd8e110b7a8c3176dfb492f32a5196eb5cb257d55ce747b76b74f52677b336463029e7ef4d788b2dff5db611058189a7b3258da3b01811e4f6f1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
fb7a3a23d55542e1e636993a803cb6a7

SHA1
c46b3c951dcb84e3950c2ec2936a91cab22135d6

SHA256
b86e61a7b903fca3d896d28dd5c331dc4f9f3960d856b04678c9ef8d0a5db251

SHA512
556c9fd2682e79be81aad5c5f91551197cdec96674afd5e450272302ea05fd4708c87d6823d983337b9df17702b563349c475261a490fee6c0794dcfe64143ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
d8dfeb0b9cbb43a75184ce8d93eb2c62

SHA1
812a98aa378a9876abf8e9461d9ee41fc2a5999a

SHA256
6368e6075d6d913f2a838bfddc8dca78f11f36fc99adb6a6a1207daf49cbb7dd

SHA512
4c0e63ca7e9dbfa80d7303bddadb49e0a41e061a6868937e7fb9d80c5ef4358db6acfeae6156164528c5ebe627500c605f0a93bdf94283b7f092d0f4d42fa7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
13KB

MD5
d8dfeb0b9cbb43a75184ce8d93eb2c62

SHA1
812a98aa378a9876abf8e9461d9ee41fc2a5999a

SHA256
6368e6075d6d913f2a838bfddc8dca78f11f36fc99adb6a6a1207daf49cbb7dd

SHA512
4c0e63ca7e9dbfa80d7303bddadb49e0a41e061a6868937e7fb9d80c5ef4358db6acfeae6156164528c5ebe627500c605f0a93bdf94283b7f092d0f4d42fa7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Neighbors.txt

Filesize
10B

MD5
680c0f5b43ef4736633cddb32b417a2d

SHA1
ce18efc8ffd6d94f643faef43680d2d105d15cba

SHA256
48d49298867ff9049f8ad01db758a1ef4adc71b5ca2bd5aaa8cdd89806334a23

SHA512
31a6c84e0303364d1a972ea7ce73d22286050b5bcede8c998b10fdebb225505cb740c6d8cc75923977f9f16ab76b8e1aa8967231b50496a7540e64a496c13091

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Neighbors.txt

Filesize
560B

MD5
711876622f789941a6e1a04de4050784

SHA1
2aaf1230362399983c92330fda63eaf4b30dc32d

SHA256
dd8c1473dc9c2632f0a636a6d876c31c7f1a6b5ab308a7a88490feb72ca7ae57

SHA512
8070f17bba66fa9abd0a0a6e4ad02663a0b913f25fd5d77e48b9a186f161452290da65e80e7e38180686b3dc16ee331d8bca9b4198d747411f602a167aa5aa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Neighbors.txt

Filesize
563B

MD5
ca05edeb29a58cbe725a5419207c8a18

SHA1
80e3ae49de2ad73af44586582da500245f1a5465

SHA256
68cb366f04b8f873d932b882aebc86287b4a2e27f47d44aebf8931385ff8b5e1

SHA512
1f40084cde9f140fe3de84449065e6d2f2f90059c01a0545f453baa77c1085f366411865ead41b48e96eb5685747596185443e34c70f04f6b9d02263f968c0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Neighbors.txt

Filesize
596B

MD5
0e5192e5d2981e213988a2818106ca11

SHA1
d601ef7c9a3978ab476603c38954f23e5ae5e914

SHA256
85dd97c64995672243cba05000756a1918a104664c37df15b20cedef34fc69d6

SHA512
22a93575041bd70a4c67d3fa9a216156253e3c103bbe9d757c41a36e76885cafddfe49334ff39310a1db4181c10fed8688cbe0ad55ac8e6683cb6eefed5b2810

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
180B

MD5
e9d9c70311e468c5ac1e313ea317e31f

SHA1
3ec7e470b8e8a747dff0b312afbe8f9f859fdb56

SHA256
f89da86624bb8f26a5b624932253966dc7cd97ce87eeacf19ed9cc8c77f650be

SHA512
644e4d6b2fe77af31ae29b48a6d46761e3a4cacd1f979bd25994051cc8280b218f7bd6512eb592a11f2b65554551887dde988d264b1e0e215198539d060c1582

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
455B

MD5
11331075e463e6cc232419d9c5a23945

SHA1
2ac8dd5fda25ff577ad32020d417ee7218abb0da

SHA256
5a84886b89430498df9ef0c57b8e982ffbdbd07000678fd94093feec9343fe52

SHA512
eaca25d1656d70b6e7e125476e40ba53cad085da432328b0a8303d4c332b03c37d1fc8b5073f526b8183d18db07f76cc6399ed95255f41f52a9dd89120ee1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
728B

MD5
83238b17864fc7a4e9255f941069cc77

SHA1
1314353ec44aa89f8c9771c9e2631772d62dbd6a

SHA256
a6590f11feceacf7867707db549b38e47512e5163c113dbd38d5507ac131703a

SHA512
d9c6afad490a90144c6402284a28cc4a99d9c7d1d0182ecff35aa3d248a86c6d41800dec0c1485f6a082c56213028d49f4dc3761d442cbddab22b7a805293515

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1003B

MD5
18d6368f108c94d08858db45a8f850d9

SHA1
f9a67905121641d183c9a9a1be41cc5187dbfcad

SHA256
eac4ceeb16facafdaf32f393fff2b45c115dfa10a4f9e039e88cd9cd9ab11f0c

SHA512
5aac62a7b5398b879a8a5ef387ecdab72440779f7ac84ea960050e1b80ef264031f47e1ad1a0b9ae0f18f1900829937eb804f7d70307b5f98a4044558aab9292

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
86f3eef9a2046d107f5294266e2acaa5

SHA1
359d8ce17b11a5b679a38dc72a8b53eefcb93e3d

SHA256
9c77d9bf5f1367256b8adbf5170398402a8a5587af0e97ef50dfba8e17640408

SHA512
03b4c47e4323f68fb6e27ef75aae311c4ee2db823e4efc7c748a0a0c69e8aa23bda67d529d22d8307b7267fcdaf01867a9b1a5a384cde163ac6df833e1a21fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
dc4420c1062494067b18d001f9588f04

SHA1
e33009c1a9e99434fb9eb88bc8d8bc3f8ae2ce22

SHA256
2def975e3063dfdd2ded02222ad6b29c5aa697874f8a57fecaec3eee1c572ff5

SHA512
24f381eff215fed63d444458f0967645b32124832a1726ec8a8f7829561678f18326719f6efa1baedf9db661ad9699c66ce9dafa330bdbdfef02480aa1dab985

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
3f7707b5c2ca7e2b11fa7c653892c556

SHA1
3e26fa9816b886a00619b85c3c4d207646a17579

SHA256
a2ad56eeb8d9d4fc93d24661268e5a4a7e648325b16c3c4f3d0f496626314635

SHA512
f75d9f51c4f75bc25627ae52fdd7fe53c4dea07b0229f059c7ec03ec3ae5ec338db9ceda7db4dee3aea8c74150dea7eaa223ecd1c0b6170a91d25fdde91c49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
6KB

MD5
ee232dfccd23dd79897fa90372073aa0

SHA1
ff1242d8586d0c93fc477b6d80661ca457e1004f

SHA256
640b04cf2b2f750cb93d1e6cc112402c6840d804f5f8df138b06109c8bb590ad

SHA512
b182ab1dddd3c28f5322012742089af4f1090aabb90a82278092cad53e0c57bde188584feb2b6da5f250b04fbcee8a0476d2cd689593689b25986f6db64a3d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
f9e7373ab15de2c6a149114b8b26743e

SHA1
ef9b9165ef4a343fcb57a8124f60f48f346b085a

SHA256
01bd6fb5c455bd2a530cef136cb93c8b3194334b072c4a01c856d7c8ac172dbc

SHA512
32c541c9891f871d2c0747fdd60fbf372d0a8cd95f6dfe29504fc0537f1be6918878292708e4efbf430052ad6cd101bb79241ed800e99c2e24014fc885bc4f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
f9e7373ab15de2c6a149114b8b26743e

SHA1
ef9b9165ef4a343fcb57a8124f60f48f346b085a

SHA256
01bd6fb5c455bd2a530cef136cb93c8b3194334b072c4a01c856d7c8ac172dbc

SHA512
32c541c9891f871d2c0747fdd60fbf372d0a8cd95f6dfe29504fc0537f1be6918878292708e4efbf430052ad6cd101bb79241ed800e99c2e24014fc885bc4f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
5edcd325ee5681e5b718f632153a3be9

SHA1
0ccd3057baa713dbfbcb1097fb749a17873f3d08

SHA256
3a1391a99f1d78bbc20be770bec11dbcee6e4d11ba1e0570a48644132d3db4ae

SHA512
c5d61f0f5e4e3028b5ed385dbd4a3f44ee2a8af3eac845298c1dfc77fc6b8b1208b07472a5c21e7035c18ae6a9ad0da2576059aba793727bb8213af4bfd9831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
8eec9da2fe13befb3e7e4ba816626544

SHA1
dbe1cd19d031f3aa3258a880288a63eac9b039e8

SHA256
08571e75c5547fd01b1d56300bbbe931725992b709850a78a2cf0deec153a5d2

SHA512
708effbb96af6f613ee23deb667b1d76746321b2104bfd861850bf2bcd5ffc0ebb4cfdea80b623c0ca44696b6e5db5aae397d61bc6da9a2befa69d7b2d551937

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
8eec9da2fe13befb3e7e4ba816626544

SHA1
dbe1cd19d031f3aa3258a880288a63eac9b039e8

SHA256
08571e75c5547fd01b1d56300bbbe931725992b709850a78a2cf0deec153a5d2

SHA512
708effbb96af6f613ee23deb667b1d76746321b2104bfd861850bf2bcd5ffc0ebb4cfdea80b623c0ca44696b6e5db5aae397d61bc6da9a2befa69d7b2d551937

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
7787e98a9d6aaa9116e017b155dc473b

SHA1
53b2173c148a269c4cbae290165c59d9507a9880

SHA256
e31cedc0c005ecd97f6a5d4253e60e0d49eaf95ca233581513259d7155290b98

SHA512
14c7ecccefe6923ded93c2c4f7883aabfc9904b5476f02c9bbf74c6937e21a5673715621a9e73527d36a3d9bec0123827ce4f802af2a896f39c2a05630879def

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
002c62e715032f770a12f99065709a25

SHA1
0ccffacd5a4029003caa9e8089b7cdfd175d3041

SHA256
1c47e5653724fa6d7b511d7b270de3bf2d84e795b697c5b97e6ebadf09caca8f

SHA512
82d0b7c8ceffde62f4795b1eb942c2ef6b9453d9fc1ebe392a2566ac90878e702bbb3d96900b7462a9c98dc5ba9e565fbdb2db866c75e4cc6632e73be816f125

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
8KB

MD5
7f4fc3e26d609ab9bb503ac61c9d4bae

SHA1
c51d9fd175e3eb2ad112020bf0d7592354f7074e

SHA256
35db0677976bd5b0b25c370c364fcc87237e6598acef0b74ef67ee1c78512207

SHA512
48cc6553d718c46c08a9accbc994c94a42b7cc0b926e3f237e84371ee5c8e3671e0bdf61e682579b5b8abc71188927f9e037bd5817d4016789cd90c1ca3efff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
95B

MD5
9b507b45c41b5b76ee28e9a236d2799b

SHA1
1faccb7a5024ec67e96277264d8accfad0882863

SHA256
d7d5617f0c7bc136c2c3c813b0aebdf9aa51fc4b660994abd17e843390b64d3c

SHA512
28dc0f4f1108150111873f10b43dbbb8c5e99f033f6708a8ce3eed0038ec33fc6a0f48a76d07f468de7ab0e5d67321647c884c7551f7a418e5866151a506eb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
95B

MD5
9b507b45c41b5b76ee28e9a236d2799b

SHA1
1faccb7a5024ec67e96277264d8accfad0882863

SHA256
d7d5617f0c7bc136c2c3c813b0aebdf9aa51fc4b660994abd17e843390b64d3c

SHA512
28dc0f4f1108150111873f10b43dbbb8c5e99f033f6708a8ce3eed0038ec33fc6a0f48a76d07f468de7ab0e5d67321647c884c7551f7a418e5866151a506eb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
231B

MD5
9170b20d03ea1e63f482af71e6975221

SHA1
9fa38caf5023a1b745cb1d5c432e74cfb31cc405

SHA256
a117ecb928139aa22ae4a9bf0f0a79a446ed97ff711c7a4e887768a122be911c

SHA512
c73d5cbaeb7fc62bdb5e5f04ebeefd97b7da4db3b56dc0adb9b5dbb37bb056e3fb2701c1cb5006467a845eab02190d73b412863d6a5f8481e92fc66c6da72ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
306B

MD5
75db7861304a47ffeac0b5c88801172a

SHA1
b3778cef27637ee986e194006d291560adadf14d

SHA256
26d6835d602b9e09e793d0031701bdfffd07eda032f2f56344aa7ac00b8d79e9

SHA512
62a1341833e3de6a9052d8c9d37e82223f49e5b279821a82cfd8558a8d1e89e074115195150a01049d327bae12158221ef82de43ea682905b81d0002fa32dd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
306B

MD5
75db7861304a47ffeac0b5c88801172a

SHA1
b3778cef27637ee986e194006d291560adadf14d

SHA256
26d6835d602b9e09e793d0031701bdfffd07eda032f2f56344aa7ac00b8d79e9

SHA512
62a1341833e3de6a9052d8c9d37e82223f49e5b279821a82cfd8558a8d1e89e074115195150a01049d327bae12158221ef82de43ea682905b81d0002fa32dd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
3KB

MD5
9fc2f6f056b761ee2efb51f1b2abe2a0

SHA1
b6b10ee66a5e91356e36656c670a55cd1d0e4ca3

SHA256
66bb48ee25484e6d28125af45c7ba09d785f822340975503f044bfe0d1093bdb

SHA512
29cc4e2179047807286df7cb36563133394123bcb74e228bae38c5991bd7781be47c32b2609c5a88bcbca9ea3674f1cecd262bbdcad3485821564421f6d9ed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
3KB

MD5
28ab641176c919ef5f796f965254e72c

SHA1
21cadde04c3a28842a51c63b6e184e3250385db3

SHA256
da759355fc068f769a450e76f7d392045a5e7f44ae2708695c92ea3f78f44d4f

SHA512
c5a81507b9c5f23f9e933e8aeadf90ece340e16aa94bfb3394d2e4634ee46b551e813d732f415ab36513183dd1a8038068fcae6c8b5b2cb2a3559dd6c09b4aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
3KB

MD5
28ab641176c919ef5f796f965254e72c

SHA1
21cadde04c3a28842a51c63b6e184e3250385db3

SHA256
da759355fc068f769a450e76f7d392045a5e7f44ae2708695c92ea3f78f44d4f

SHA512
c5a81507b9c5f23f9e933e8aeadf90ece340e16aa94bfb3394d2e4634ee46b551e813d732f415ab36513183dd1a8038068fcae6c8b5b2cb2a3559dd6c09b4aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
4KB

MD5
e30f9bc0eaec914ce681d09f2dda880d

SHA1
49a17ea54cf9325a04a5bc9dd036b48dec7599bf

SHA256
e7244164fbbe3378d6dad2d5de18bdad034b3536318bc9b56a8b947f11d91dee

SHA512
a59a8a749ac80641ccca6def865a8ad51f18816ee7aa9efbf88a9baaa82dd56c9290367a00db58202e5369a2b0186c3d6bca9e8b26f51d890c94c06832ab7e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
4KB

MD5
a20149cc6d15b8616bc54139b9c5d315

SHA1
ec898328ff87ac3f4ff40087a46a2f7a27102f3d

SHA256
2eafa24a440fff6f353ce82a07b44c569f0f8752cf1726d93fc79522f09ccc7d

SHA512
e82c10f8fe9b3542c2b666c5d76138b0bcee7d1c4d3b0b4a0d3d67677a80b212c18e410021a36d473701bb62e84bd423fc124a4ec3f198ea49f923d3ad75bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
4KB

MD5
a20149cc6d15b8616bc54139b9c5d315

SHA1
ec898328ff87ac3f4ff40087a46a2f7a27102f3d

SHA256
2eafa24a440fff6f353ce82a07b44c569f0f8752cf1726d93fc79522f09ccc7d

SHA512
e82c10f8fe9b3542c2b666c5d76138b0bcee7d1c4d3b0b4a0d3d67677a80b212c18e410021a36d473701bb62e84bd423fc124a4ec3f198ea49f923d3ad75bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
d830d4fb3ab789b1bb4b8664e9353b34

SHA1
f2159bdb6507c52d9331a2410afa992b548485c2

SHA256
211baa880d6ac7e0fd70a40625e41a625eef3045bf45f9902b084b6fd975e3a8

SHA512
94f9964c52cf8e2c5c4b4955f6736558c6f0e966a87fafaa326686901fe9db7589afd14c9554ece5424d29feced405809912ed7b0835db7c3f0c8f1e65507c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
d830d4fb3ab789b1bb4b8664e9353b34

SHA1
f2159bdb6507c52d9331a2410afa992b548485c2

SHA256
211baa880d6ac7e0fd70a40625e41a625eef3045bf45f9902b084b6fd975e3a8

SHA512
94f9964c52cf8e2c5c4b4955f6736558c6f0e966a87fafaa326686901fe9db7589afd14c9554ece5424d29feced405809912ed7b0835db7c3f0c8f1e65507c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
c365c0db230e1d7b2fd2e308685740d5

SHA1
3377c9d871dc87f969331d7af96ad1f553a43009

SHA256
043f419ae376a1f45ccf5f7d6ca49a132e063ec30588432aa1a1952608b49478

SHA512
1d2056a15b8c41e41fbb12ee5183bade3e7919bc39d3bcab1575769c814b7158c715b6444855211feed62151adbc79ffa55c7ae9f195539f5d4c1b47c38dfebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
c365c0db230e1d7b2fd2e308685740d5

SHA1
3377c9d871dc87f969331d7af96ad1f553a43009

SHA256
043f419ae376a1f45ccf5f7d6ca49a132e063ec30588432aa1a1952608b49478

SHA512
1d2056a15b8c41e41fbb12ee5183bade3e7919bc39d3bcab1575769c814b7158c715b6444855211feed62151adbc79ffa55c7ae9f195539f5d4c1b47c38dfebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
113B

MD5
f922ce103305d2d2766cd69b4992bed4

SHA1
e43c5ec1882020e9f59bf8be1f7b039b7279aec9

SHA256
673712f1a5ddf23348ad5dd910c0fad7656d5c4b60f9d9d6b413aa7ed20f3612

SHA512
65b2dd117d6ac6d8589ebaf1c22d3dff59cc79887eb53e8951f53160b9cc6ecabecd2a32d0e54d4cf517258118ed48791d0e9f679b3e166974aaa18faff8112f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
319B

MD5
a061107b2d08559c7a12a7a9e7b2df83

SHA1
2c596969754b809311ac75043758790aee198529

SHA256
e877977b3f751237f71eafe880b4ace1d5604b36d02645ac237d1fb176debae0

SHA512
0b58ef2e8e154429ff0e63fb53f7474f37619911e60c2d6c0ed3fb42c37bf980feaf92acc155db7a6ad1318a9f134349063cd2929a3c13c4eee56b16fa7840a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
394B

MD5
ed6f7545439589adafbd8111aba17e69

SHA1
902f6318e9663452bfff6de3c344300a2254ea61

SHA256
86f51a10715190ad0ad34d4cbdc3d0f81a64857b0099ccb3bc4a5c2805bd0494

SHA512
6e71ef55c1ac84ec3d37c43d338f628535253c238c50661027c6a66337a1abda0561ca26f07b15ef88b5d027038100f5cebd305dac7852d96726a9efc8831b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
394B

MD5
ed6f7545439589adafbd8111aba17e69

SHA1
902f6318e9663452bfff6de3c344300a2254ea61

SHA256
86f51a10715190ad0ad34d4cbdc3d0f81a64857b0099ccb3bc4a5c2805bd0494

SHA512
6e71ef55c1ac84ec3d37c43d338f628535253c238c50661027c6a66337a1abda0561ca26f07b15ef88b5d027038100f5cebd305dac7852d96726a9efc8831b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
113B

MD5
f922ce103305d2d2766cd69b4992bed4

SHA1
e43c5ec1882020e9f59bf8be1f7b039b7279aec9

SHA256
673712f1a5ddf23348ad5dd910c0fad7656d5c4b60f9d9d6b413aa7ed20f3612

SHA512
65b2dd117d6ac6d8589ebaf1c22d3dff59cc79887eb53e8951f53160b9cc6ecabecd2a32d0e54d4cf517258118ed48791d0e9f679b3e166974aaa18faff8112f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
22b63eb0b2e803a4e102197e310177bc

SHA1
515289e6f0d3e4a7661f08d594c2d1c6deb1f35e

SHA256
f7a3c4309665180f8079a6e1db821ee9d3a6cc2c369425e5450f8b03b77b0109

SHA512
8fdfd1c4ae3211e7776088308e9b5155aaa302325a201ba8d361fc067d37753bde674abc5fbc3b692b871ad08c8f7cf54f5ccb7e15c42f2520023c03934bec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
1fc1f6fbf04fb59fb11734f5bf43862d

SHA1
d94ffb2d0e5c7242031a415cef128c7d0dee80fe

SHA256
82260a9bbec8ef6a31140879f5218343d27752c440ac152f7f6f91140a31aa15

SHA512
36ec87fc85b5b2e2be2f53c65f5325d7d1964429d14b8281d6c813b762b650896ec48eb38d128e470f9b3c3e93cfb3ac09a4c9aba167f4e17e38d39a0d3fc12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
49e3fd103cf0f736a94d50cb7f200a18

SHA1
2a036b1f77e050707fb0734a9ecf34d8647f1e47

SHA256
f8d28fe7b5df92075bb951b510aca78858a4d042737492d613e928460557799a

SHA512
4e3455a95f791464c014a662fb4a288aeaf685dac08225c78896962efda2e3ed4559a4ce365828a871ca04967bf532cf23c2fd605bf90190421655455dab579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
e2df4a4a994331bc753259b7213bdd7f

SHA1
19c5b1081cd458b25bb71b6d09e3716f206df7f1

SHA256
4797b5745399628e5609e75fa8e54ee2988d9ba00b95fb49449a13ead3259f39

SHA512
0e27163bce76d51ba10bd7c20a286c6abd383e422211127fac4d66cf11c0f2538311cf262502380eaf8e660f476dd0de63684f9f366e7dddbfc4e1e6dd6b18d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
3KB

MD5
f4554302ac95b1934fcb2bc47c2c47ef

SHA1
ebdba1151a8fde0a7e37d2732d58f77aa8946cad

SHA256
9fa1474a00b10635a72d6227ba5e4f86ffde45056483eae84f587ca5144313fd

SHA512
3055aae6cc3c253f855be3893f6b6a24d186c0bd0c2056ae0e13a0da08fbfdf3fc96e9baf2ddb5c45642ae60b8cb4db34ded0c7f023ba6f18f8e5b946239e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
303cec15f3f8d40e0e062a0d184f73dd

SHA1
7bb213a1588c6056fc2c3a85534b71138cf15b83

SHA256
7c065adeb4970c7c95d9c5f4cde29be22c31f22c7d5a69e003e083e400f4e374

SHA512
94b3485790f42d19e1e2c6d8c0916e1f5ae9ffa1f7f2339bd6c16caf9605ec28320c286a3a59c569123dc9152758d73ca3fd17a84fa0e142029110a18dbd6ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
303cec15f3f8d40e0e062a0d184f73dd

SHA1
7bb213a1588c6056fc2c3a85534b71138cf15b83

SHA256
7c065adeb4970c7c95d9c5f4cde29be22c31f22c7d5a69e003e083e400f4e374

SHA512
94b3485790f42d19e1e2c6d8c0916e1f5ae9ffa1f7f2339bd6c16caf9605ec28320c286a3a59c569123dc9152758d73ca3fd17a84fa0e142029110a18dbd6ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
61fbccddd0a94d41e515b5292849220f

SHA1
447f3a5cbe799996673f892f7ea1ab31b7899770

SHA256
5e1f209ba6c157d1527c387117269286d5ab5c168a687ea4ea056d6b2d3469e7

SHA512
b4ecfa7bd9e250d4752f3de195dfefa0713ae44d50c92f6c3888cc0c6d52c6140d595a6fa72aa8f5ee37b1ea895c534e1891588c950d80fd8058f066dcf0c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
61fbccddd0a94d41e515b5292849220f

SHA1
447f3a5cbe799996673f892f7ea1ab31b7899770

SHA256
5e1f209ba6c157d1527c387117269286d5ab5c168a687ea4ea056d6b2d3469e7

SHA512
b4ecfa7bd9e250d4752f3de195dfefa0713ae44d50c92f6c3888cc0c6d52c6140d595a6fa72aa8f5ee37b1ea895c534e1891588c950d80fd8058f066dcf0c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
2753fd85ad6de793dad617b05b03d7cc

SHA1
f57162750cbf681b3794bd923a358fe01a68cc57

SHA256
17d711e16d05ea9f29dc2e0da01ecc7bc3e79780913f46107ad25d22b6fadcce

SHA512
7e65ac6971d756ad2bfbe0709c101cc18115cba3a7be05a65583f3252f53549e1d558d740d03a8617ab24542c2dfe762e3b18eebcf20db0e9e5da6d4d2881e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
2753fd85ad6de793dad617b05b03d7cc

SHA1
f57162750cbf681b3794bd923a358fe01a68cc57

SHA256
17d711e16d05ea9f29dc2e0da01ecc7bc3e79780913f46107ad25d22b6fadcce

SHA512
7e65ac6971d756ad2bfbe0709c101cc18115cba3a7be05a65583f3252f53549e1d558d740d03a8617ab24542c2dfe762e3b18eebcf20db0e9e5da6d4d2881e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
2753fd85ad6de793dad617b05b03d7cc

SHA1
f57162750cbf681b3794bd923a358fe01a68cc57

SHA256
17d711e16d05ea9f29dc2e0da01ecc7bc3e79780913f46107ad25d22b6fadcce

SHA512
7e65ac6971d756ad2bfbe0709c101cc18115cba3a7be05a65583f3252f53549e1d558d740d03a8617ab24542c2dfe762e3b18eebcf20db0e9e5da6d4d2881e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\netiostate.txt

Filesize
236B

MD5
c2c7cb140e3220f8c448dc24f9de156d

SHA1
5c419b0dcf5375962d8bb66f2a66c19caadaa50a

SHA256
950d0c34da1650c0b5748bf67723543f7beada93fe9dfdb18fea224b84684aa4

SHA512
c83d4cd9a2379fc1ed7c3f734652227aca33e0d6cb1b95bb226e6a9e7a0e9f03ef2b296038ef3fc9f06f077e672753e0fbf97d3b1021f7f18a5565fc9e1d803b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\netiostate.txt

Filesize
238B

MD5
dd2672844d10d2bd786658a37d8073c1

SHA1
692e614433a44188e7da0cc8049b8ac02a05ed1c

SHA256
b0a61a7de64c997f976c74616cf0274fd8c77668f277a3fa6a0042ec47e604fe

SHA512
fbca961ac0d7590abb6ef5520927ef1187ade28e663a03398e1a5b4bcaab61fe1aa59bd6c86e96b00d97d986ff01032511d28eb3d4feb9cc13db424f6aaa055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
187B

MD5
a296a4233e07760e59d0f979d6bce642

SHA1
255a632d598e3654c87f0cce3d6b53c464b6770f

SHA256
b6acdc07538b4893dc6203e18805996d08d12de895062f34d95497faa6d25e0b

SHA512
b6a6efb5e082fdd97a1ad36483c0a5bbc7f183a1a06a2ff0f504862fb4f2e1bacf3d03b946a4408d34c761a450eceb85c25153c9819bb7436793ec459509a769

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
223B

MD5
3839b4ef0a60449d0b916cb858f8e6ab

SHA1
47fd428a8a9ec91316c0248dcf9fb117f628f860

SHA256
d37f6aeea9f98bfcf587cf593085d0614624b61df220adc3657a89457169e259

SHA512
bda997f0cf01155b30332bb5b70873b6c863b10ffce87972b97a64fd8f38802be135520a23cab4226744abb51818d437b557fb87f2bfb936746df1145322c8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
1KB

MD5
63a65da8f0b372ca8822fc37a225446f

SHA1
b8c8300e8e1da493b99beaf8663b053039f598f9

SHA256
ed948f032a531e34b0a1da1ebdb04d0bcf4460e2c8c5a8e383835618c511ae04

SHA512
bc15a64f1398ece5b461689b89625720849fb2e22556f66ca9ec88e8a41bc87ceeb632da7487580c63716fabb41bc50886728492ffd874ecf66bbdf6b0e30936

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
e5e2349bd5110043c18ccac666538c4a

SHA1
5d292b795716942cdab301a85aa5598d8395b257

SHA256
4292cd00a2539255b2cc593b589864a761b982abf43628dde8460688cbfbb121

SHA512
6ce50a83cbfc32a171141554bfc98feb204d2796497e90cf04045e8e24fe317ebf973f9662f38e2010d9efa29613f02d7945307089d60886c77e91fabbde59dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
267f1d78b4e56ed0c13073b6aac645bf

SHA1
f614347f0688efdfdc99078e1e1dfa3cf475fd58

SHA256
b3e8425b21e8c2499657a8103e1dc3200cf82bfac78922f21d1aa44fc97c1e84

SHA512
632f96911f591d6fb20be76eeb2f4cdc2f33f6f42d9fba17f83af01295ebeba5d88a35977511846106a630493f54f94803d1e618ef8c4ffa6b6ebcbf4eba3ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempfile.txt

Filesize
7KB

MD5
aad2ca9d1a3a57b0a1bb4dae8ebe53a0

SHA1
7502c7c0f119923f126c4be5123ac27847bab3df

SHA256
41cf71d23d95f38d72dd7ae0c16f3d8f5319be44cab862566d44040d0e4eae33

SHA512
9acf31d4eb1369b43038570ecd249540f47265772d4aa1550d7baf020621f259547ccd71f320d83e698946022a47c62e2bb358ecccf04b5ce23a1acf1f29002a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads