d906d6126a1e9c9569ef81605d02f03ef94aa57b3ab9cbd56c996baf22fa461b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gatherNetworkInfo.vbs
Size

86KB
MD5

2e6af4d5bf6e31e728f409984c3045d4
SHA1

757bf5310f40a69d883f11e75f220e02fbaa0127
SHA256

d906d6126a1e9c9569ef81605d02f03ef94aa57b3ab9cbd56c996baf22fa461b
SHA512

2ff376bee712a61cb4a6ff8f0f3ac0ac9778acdaf0cb767d9d085502cb8e9365458292266e994a3d973494759b43181511aaf050ec0d48bfa7e51b07a3b56bfa
SSDEEP

1536:sImNGeeGUJIgZf/A+qfwkgKo9kNxyJ3OOjPl68fef0qIbIE5ToGdKTYL7TBHQ/8S:sImNGXGUJtx/A+qfol6yqZs8J

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1396	powershell.exe

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1672	netsh.exe
2112	netsh.exe
700	netsh.exe
1748	netsh.exe
2620	netsh.exe
2124	netsh.exe
1760	netsh.exe
2856	netsh.exe

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2424	cmd.exe
2732	cmd.exe
2484	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1624	cmd.exe
1596	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dxdiag.txt	dxdiag.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1564	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	dispdiag.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
768	sc.exe
3024	sc.exe
1268	sc.exe
2912	sc.exe
2672	sc.exe
2956	sc.exe
2856	sc.exe
1444	sc.exe
2936	sc.exe
2212	sc.exe
2616	sc.exe
2676	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1788	PING.EXE
1844	PING.EXE

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS	dispdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	dispdiag.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3012	ipconfig.exe
1692	ipconfig.exe
1728	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2296	systeminfo.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
296	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1788	PING.EXE
1844	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2432	dxdiag.exe
2432	dxdiag.exe
1396	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	WScript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeSecurityPrivilege	912	wevtutil.exe
Token: SeBackupPrivilege	912	wevtutil.exe
Token: SeSecurityPrivilege	560	wevtutil.exe
Token: SeBackupPrivilege	560	wevtutil.exe
Token: SeSecurityPrivilege	1780	wevtutil.exe
Token: SeBackupPrivilege	1780	wevtutil.exe
Token: SeSecurityPrivilege	2536	wevtutil.exe
Token: SeBackupPrivilege	2536	wevtutil.exe
Token: SeSecurityPrivilege	1500	wevtutil.exe
Token: SeBackupPrivilege	1500	wevtutil.exe
Token: SeSecurityPrivilege	1316	wevtutil.exe
Token: SeBackupPrivilege	1316	wevtutil.exe
Token: SeSecurityPrivilege	1968	wevtutil.exe
Token: SeBackupPrivilege	1968	wevtutil.exe
Token: SeSecurityPrivilege	2060	wevtutil.exe
Token: SeBackupPrivilege	2060	wevtutil.exe
Token: SeSecurityPrivilege	2572	wevtutil.exe
Token: SeBackupPrivilege	2572	wevtutil.exe
Token: SeSecurityPrivilege	484	wevtutil.exe
Token: SeBackupPrivilege	484	wevtutil.exe
Token: SeSecurityPrivilege	1564	wevtutil.exe
Token: SeBackupPrivilege	1564	wevtutil.exe
Token: SeSecurityPrivilege	1552	wevtutil.exe
Token: SeBackupPrivilege	1552	wevtutil.exe
Token: SeSecurityPrivilege	2420	wevtutil.exe
Token: SeBackupPrivilege	2420	wevtutil.exe
Token: SeSecurityPrivilege	604	wevtutil.exe
Token: SeBackupPrivilege	604	wevtutil.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	1804	dispdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeRestorePrivilege	2432	dxdiag.exe
Token: SeSecurityPrivilege	2752	wevtutil.exe
Token: SeBackupPrivilege	2752	wevtutil.exe
Token: SeSecurityPrivilege	2648	wevtutil.exe
Token: SeBackupPrivilege	2648	wevtutil.exe
Token: SeSecurityPrivilege	2428	wevtutil.exe
Token: SeBackupPrivilege	2428	wevtutil.exe
Token: SeSecurityPrivilege	2612	wevtutil.exe
Token: SeBackupPrivilege	2612	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2280	3040	WScript.exe	30
PID 3040 wrote to memory of 2280	3040	WScript.exe	30
PID 3040 wrote to memory of 2280	3040	WScript.exe	30
PID 3040 wrote to memory of 2228	3040	WScript.exe	31
PID 3040 wrote to memory of 2228	3040	WScript.exe	31
PID 3040 wrote to memory of 2228	3040	WScript.exe	31
PID 2280 wrote to memory of 2568	2280	cmd.exe	34
PID 2280 wrote to memory of 2568	2280	cmd.exe	34
PID 2280 wrote to memory of 2568	2280	cmd.exe	34
PID 2228 wrote to memory of 2216	2228	cmd.exe	35
PID 2228 wrote to memory of 2216	2228	cmd.exe	35
PID 2228 wrote to memory of 2216	2228	cmd.exe	35
PID 3040 wrote to memory of 2072	3040	WScript.exe	36
PID 3040 wrote to memory of 2072	3040	WScript.exe	36
PID 3040 wrote to memory of 2072	3040	WScript.exe	36
PID 2072 wrote to memory of 2176	2072	cmd.exe	39
PID 2072 wrote to memory of 2176	2072	cmd.exe	39
PID 2072 wrote to memory of 2176	2072	cmd.exe	39
PID 3040 wrote to memory of 2840	3040	WScript.exe	40
PID 3040 wrote to memory of 2840	3040	WScript.exe	40
PID 3040 wrote to memory of 2840	3040	WScript.exe	40
PID 2840 wrote to memory of 2740	2840	cmd.exe	42
PID 2840 wrote to memory of 2740	2840	cmd.exe	42
PID 2840 wrote to memory of 2740	2840	cmd.exe	42
PID 3040 wrote to memory of 2892	3040	WScript.exe	44
PID 3040 wrote to memory of 2892	3040	WScript.exe	44
PID 3040 wrote to memory of 2892	3040	WScript.exe	44
PID 2892 wrote to memory of 2636	2892	cmd.exe	46
PID 2892 wrote to memory of 2636	2892	cmd.exe	46
PID 2892 wrote to memory of 2636	2892	cmd.exe	46
PID 3040 wrote to memory of 2888	3040	WScript.exe	47
PID 3040 wrote to memory of 2888	3040	WScript.exe	47
PID 3040 wrote to memory of 2888	3040	WScript.exe	47
PID 2888 wrote to memory of 2876	2888	cmd.exe	49
PID 2888 wrote to memory of 2876	2888	cmd.exe	49
PID 2888 wrote to memory of 2876	2888	cmd.exe	49
PID 3040 wrote to memory of 2616	3040	WScript.exe	50
PID 3040 wrote to memory of 2616	3040	WScript.exe	50
PID 3040 wrote to memory of 2616	3040	WScript.exe	50
PID 2616 wrote to memory of 2676	2616	cmd.exe	52
PID 2616 wrote to memory of 2676	2616	cmd.exe	52
PID 2616 wrote to memory of 2676	2616	cmd.exe	52
PID 3040 wrote to memory of 2732	3040	WScript.exe	53
PID 3040 wrote to memory of 2732	3040	WScript.exe	53
PID 3040 wrote to memory of 2732	3040	WScript.exe	53
PID 2732 wrote to memory of 1300	2732	cmd.exe	55
PID 2732 wrote to memory of 1300	2732	cmd.exe	55
PID 2732 wrote to memory of 1300	2732	cmd.exe	55
PID 3040 wrote to memory of 2844	3040	WScript.exe	56
PID 3040 wrote to memory of 2844	3040	WScript.exe	56
PID 3040 wrote to memory of 2844	3040	WScript.exe	56
PID 2844 wrote to memory of 2376	2844	cmd.exe	58
PID 2844 wrote to memory of 2376	2844	cmd.exe	58
PID 2844 wrote to memory of 2376	2844	cmd.exe	58
PID 3040 wrote to memory of 672	3040	WScript.exe	59
PID 3040 wrote to memory of 672	3040	WScript.exe	59
PID 3040 wrote to memory of 672	3040	WScript.exe	59
PID 672 wrote to memory of 1512	672	cmd.exe	61
PID 672 wrote to memory of 1512	672	cmd.exe	61
PID 672 wrote to memory of 1512	672	cmd.exe	61
PID 3040 wrote to memory of 1868	3040	WScript.exe	62
PID 3040 wrote to memory of 1868	3040	WScript.exe	62
PID 3040 wrote to memory of 1868	3040	WScript.exe	62
PID 1868 wrote to memory of 1452	1868	cmd.exe	64

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gatherNetworkInfo.vbs"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\gpresult.exe
    gpresult /scope:computer /v
    3⤵
    PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
    3⤵
    PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
    3⤵
    PID:2176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
    3⤵
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
    3⤵
    PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
    3⤵
    PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
    3⤵
    PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
    3⤵
    PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
    3⤵
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
    3⤵
    PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
    3⤵
    PID:1452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
    3⤵
    PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
  2⤵
  PID:2948
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
    3⤵
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
  2⤵
  PID:1356
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
    3⤵
    PID:2976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
    3⤵
    PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
    3⤵
    PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
  2⤵
  PID:888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
  2⤵
  PID:1956
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
  2⤵
  PID:320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powercfg.exe /batteryreport /output config\battery-report.html
  2⤵
  - Power Settings
  PID:1624
- - C:\Windows\system32\powercfg.exe
    powercfg.exe /batteryreport /output config\battery-report.html
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist /svc > processes.txt
  2⤵
  PID:1520
- - C:\Windows\system32\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
  2⤵
  PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
  2⤵
  PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
  2⤵
  PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WCMLog.evtx
  2⤵
  PID:2508
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WCMLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
  2⤵
  PID:1860
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WWANLog.evtx
  2⤵
  PID:700
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WWANLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
  2⤵
  PID:2512
- - C:\Windows\system32\netsh.exe
    netsh wlan show all
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
  2⤵
  PID:1972
- - C:\Windows\system32\netsh.exe
    netsh lan show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
  2⤵
  PID:2276
- - C:\Windows\system32\netsh.exe
    netsh lan show settings
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
  2⤵
  PID:2176
- - C:\Windows\system32\netsh.exe
    netsh lan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show interfaces >> config\envinfo.txt
  2⤵
  PID:2304
- - C:\Windows\system32\netsh.exe
    netsh mbn show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show profile name=* interface=* >> config\envinfo.txt
  2⤵
  PID:2876
- - C:\Windows\system32\netsh.exe
    netsh mbn show profile name=* interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show readyinfo interface=* >> config\envinfo.txt
  2⤵
  PID:1644
- - C:\Windows\system32\netsh.exe
    netsh mbn show readyinfo interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show capability interface=* >> config\envinfo.txt
  2⤵
  PID:3024
- - C:\Windows\system32\netsh.exe
    netsh mbn show capability interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
  2⤵
  PID:3020
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
  2⤵
  PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
  2⤵
  PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
  2⤵
  PID:1028
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
  2⤵
  PID:1816
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent My
    3⤵
    PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
  2⤵
  PID:2296
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent -user My
    3⤵
    PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent root >> config\envinfo.txt
  2⤵
  PID:1944
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent root
    3⤵
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -enterprise -store -silent NTAuth >> config\envinfo.txt
  2⤵
  PID:1240
- - C:\Windows\system32\certutil.exe
    certutil -v -enterprise -store -silent NTAuth
    3⤵
    PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -user -store -silent root >> config\envinfo.txt
  2⤵
  PID:912
- - C:\Windows\system32\certutil.exe
    certutil -v -user -store -silent root
    3⤵
    PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt
  2⤵
  PID:1560
- - C:\Windows\system32\netsh.exe
    netsh winsock show catalog
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt
  2⤵
  PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2032
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show currentprofile
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1720
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall
    3⤵
    - Modifies Windows Firewall
    PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3068
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1352
- - C:\Windows\system32\netsh.exe
    netsh advfirewall consec show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:2976
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall rule name=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1716
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec rule name=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
  2⤵
  PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx
  2⤵
  PID:1648
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:2112
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:1944
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:912
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dxdiag /t dxdiag.txt
  2⤵
  PID:1740
- - C:\Windows\system32\dxdiag.exe
    dxdiag /t dxdiag.txt
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe" /t dxdiag.txt
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dispdiag -out dispdiag_stop.dat
  2⤵
  PID:1860
- - C:\Windows\system32\dispdiag.exe
    dispdiag -out dispdiag_stop.dat
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c time /t >> config\wlaninfo.txt
  2⤵
  PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wl show i >> config\wlaninfo.txt
  2⤵
  PID:1516
- - C:\Windows\system32\netsh.exe
    netsh wl show i
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wl show d >> config\wlaninfo.txt
  2⤵
  PID:2820
- - C:\Windows\system32\netsh.exe
    netsh wl show d
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show interfaces >> config\wlaninfo.txt
  2⤵
  PID:1640
- - C:\Windows\system32\netsh.exe
    netsh wlan show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan sho net m=b >> config\wlaninfo.txt
  2⤵
  PID:2660
- - C:\Windows\system32\netsh.exe
    netsh wlan sho net m=b
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt
  2⤵
  PID:2776
- - C:\Windows\system32\sc.exe
    sc query wcncsvc
    3⤵
    - Launches sc.exe
    PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt
  2⤵
  PID:2732
- - C:\Windows\system32\sc.exe
    sc query wlansvc
    3⤵
    - Launches sc.exe
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:2632
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt
  2⤵
  PID:2212
- - C:\Windows\system32\sc.exe
    sc query fdrespub
    3⤵
    - Launches sc.exe
    PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt
  2⤵
  PID:1352
- - C:\Windows\system32\sc.exe
    sc query upnphost
    3⤵
    - Launches sc.exe
    PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:832
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt
  2⤵
  PID:764
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt
  2⤵
  PID:2056
- - C:\Windows\system32\netsh.exe
    netsh wlan show device
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters
    3⤵
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt
  2⤵
  PID:1088
- - C:\Windows\system32\netsh.exe
    netsh advfirewall show currentprofile
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt
  2⤵
  PID:1812
- - C:\Windows\system32\netsh.exe
    netsh interface teredo show state
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt
  2⤵
  PID:908
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show interface
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt
  2⤵
  PID:604
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show statistics
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt
  2⤵
  PID:1844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt
  2⤵
  PID:1608
- - C:\Windows\system32\ipconfig.exe
    ipconfig /displaydns
    3⤵
    - Gathers network information
    PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt
  2⤵
  PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt
  2⤵
  PID:2816
- - C:\Windows\system32\netsh.exe
    netsh namespace show effective
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt
  2⤵
  PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt
  2⤵
  PID:2840
- - C:\Windows\system32\netsh.exe
    netsh namespace show policy
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt
  2⤵
  - Network Service Discovery
  PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt
  2⤵
  - Network Service Discovery
  PID:2732
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt
  2⤵
  PID:1156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt
  2⤵
  PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt
  2⤵
  PID:3028
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 show neigh
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt
  2⤵
  PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt
  2⤵
  PID:1452
- - C:\Windows\system32\nbtstat.exe
    nbtstat -n
    3⤵
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt
  2⤵
  PID:1008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt
  2⤵
  PID:1920
- - C:\Windows\system32\nbtstat.exe
    nbtstat -c
    3⤵
    PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt
  2⤵
  PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt
  2⤵
  PID:2084
- - C:\Windows\system32\net.exe
    net config rdr
    3⤵
    PID:2056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config rdr
      4⤵
      PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt
  2⤵
  PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt
  2⤵
  PID:1596
- - C:\Windows\system32\net.exe
    net config srv
    3⤵
    PID:2036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config srv
      4⤵
      PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt
  2⤵
  PID:912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt
  2⤵
  PID:2996
- - C:\Windows\system32\net.exe
    net share
    3⤵
    PID:1788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 share
      4⤵
      PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&1
  2⤵
  PID:1948
- - C:\Windows\system32\netsh.exe
    netsh wfp show netevents file=config\netevents.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&1
  2⤵
  PID:1728
- - C:\Windows\system32\netsh.exe
    netsh wfp show state file=config\wfpstate.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&1
  2⤵
  PID:2232
- - C:\Windows\system32\netsh.exe
    netsh wfp show sysports file=config\sysports.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
  2⤵
  PID:2300
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmSwitchLog.evtx
  2⤵
  PID:2744
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\VmSwitchLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
  2⤵
  PID:2660
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmmsNetworkingLog.evtx
  2⤵
  PID:700
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\VmmsNetworkingLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic qfe >> config\Hotfixinfo.log
  2⤵
  PID:2776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic qfe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex nativewifip >> config\serviceinfo.log
  2⤵
  PID:2568
- - C:\Windows\system32\sc.exe
    sc.exe queryex nativewifip
    3⤵
    - Launches sc.exe
    PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc nativewifip >> config\serviceinfo.log
  2⤵
  PID:2244
- - C:\Windows\system32\sc.exe
    sc.exe qc nativewifip
    3⤵
    - Launches sc.exe
    PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex wlansvc >> config\serviceinfo.log
  2⤵
  PID:2844
- - C:\Windows\system32\sc.exe
    sc.exe queryex wlansvc
    3⤵
    - Launches sc.exe
    PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc wlansvc >> config\serviceinfo.log
  2⤵
  PID:1584
- - C:\Windows\system32\sc.exe
    sc.exe qc wlansvc
    3⤵
    - Launches sc.exe
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex dhcp >> config\serviceinfo.log
  2⤵
  PID:2924
- - C:\Windows\system32\sc.exe
    sc.exe queryex dhcp
    3⤵
    - Launches sc.exe
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc dhcp >> config\serviceinfo.log
  2⤵
  PID:2860
- - C:\Windows\system32\sc.exe
    sc.exe qc dhcp
    3⤵
    - Launches sc.exe
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports >> config\winsock.log
  2⤵
  PID:2940
- - C:\Windows\system32\reg.exe
    reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports
    3⤵
    - Modifies registry key
    PID:296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List" >> config\winsock.log
  2⤵
  PID:2260
- - C:\Windows\system32\reg.exe
    reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List"
    3⤵
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh.exe winsock show catalog >> config\winsock.log
  2⤵
  PID:764
- - C:\Windows\system32\netsh.exe
    netsh.exe winsock show catalog
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
  2⤵
  PID:2296
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
    3⤵
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
  2⤵
  PID:1064
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
    3⤵
    PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
  2⤵
  PID:2092
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
    3⤵
    PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
  2⤵
  PID:2192
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
    3⤵
    PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $net_adapter=(Get-NetAdapter -IncludeHidden); $output= ($net_adapter); $output += ($net_adapter | fl *); $output += (Get-NetAdapterAdvancedProperty | fl); $net_adapter_bindings=(Get-NetAdapterBinding -IncludeHidden); $output += ($net_adapter_bindings); $output += ($net_adapter_bindings | fl); $output += (Get-NetIpConfiguration -Detailed); $output += (Get-DnsClientNrptPolicy); $output += (Resolve-DnsName bing.com); $output += (ping bing.com -4); $output += (ping bing.com -6); $output += (Test-NetConnection bing.com -InformationLevel Detailed); $output += (Test-NetConnection bing.com -InformationLevel Detailed -CommonTCPPort HTTP); $output += (Get-NetRoute); $output += (Get-NetIPaddress); $output += (Get-NetLbfoTeam); $output += (Get-Service -Name:VMMS); $output += (Get-VMSwitch); $output += "(Get-VMNetworkAdapter -all)"; $output += (Get-DnsClientNrptPolicy); $output += (Get-WindowsOptionalFeature -Online); $output += (Get-Service | fl); $pnp_devices = (Get-PnpDevice); $output += ($pnp_devices); $output += ($pnp_devices | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_InstanceId,DEVPKEY_Device_DevNodeStatus,DEVPKEY_Device_ProblemCode); $output | Out-File config\PowershellInfo.log
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1788
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com -6
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
180B

MD5
e9d9c70311e468c5ac1e313ea317e31f

SHA1
3ec7e470b8e8a747dff0b312afbe8f9f859fdb56

SHA256
f89da86624bb8f26a5b624932253966dc7cd97ce87eeacf19ed9cc8c77f650be

SHA512
644e4d6b2fe77af31ae29b48a6d46761e3a4cacd1f979bd25994051cc8280b218f7bd6512eb592a11f2b65554551887dde988d264b1e0e215198539d060c1582

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
455B

MD5
11331075e463e6cc232419d9c5a23945

SHA1
2ac8dd5fda25ff577ad32020d417ee7218abb0da

SHA256
5a84886b89430498df9ef0c57b8e982ffbdbd07000678fd94093feec9343fe52

SHA512
eaca25d1656d70b6e7e125476e40ba53cad085da432328b0a8303d4c332b03c37d1fc8b5073f526b8183d18db07f76cc6399ed95255f41f52a9dd89120ee1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
730B

MD5
070b4dc5ec850f127b71640bdedb85fe

SHA1
ce294d70ba4a000af61c371a698cc72c9f9d0142

SHA256
c6d65dda676758f2018c2d4a6bf364e41bb28dd46c63a2ff28f81e1ccf494154

SHA512
2f6afe868eca63eecfea7ba24a4a2a02c68ab368d66f803614a03c915b46d5fad747a657566024ae8de2176be7c825b42831a64f0e338dfeb5317edab34582c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1005B

MD5
546d39bed845e9fd72c48c29a681c6e1

SHA1
d8b1070f02a4160a055e862f9ef5fe1b5c2e69ab

SHA256
7b06f66f91635a37fd2c8a6215c120cd536ad1acff45769c244cd8b1e2d27316

SHA512
235a0cee797c5db5bfba51ea71784b34c13970f19a9075fcb14a363e9e698c43f912dee7cf00fbd33d6c6f52679388582a432c3e330e5044a19c21ac4d040ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
239dab30605b95605fd9b6a6ec9740b7

SHA1
98ee462fe202a0f9f12aafeb8f044b0d9b5b7ad0

SHA256
0c25e9f59d1b2db5fc59cf926836a90d07b575ab15f63f88171cf783465a7287

SHA512
e7ad7c277d9deb914a2c7dd83f5b0fc5380703bfb28407d9e3be856e17fd501a9c577dbf9ff0a725048fe9a1a96c0a62503888dca32b6bd9892334029190c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
471755c211cd2a6d9dac12c97cca74b8

SHA1
4ed2b8dbf4789c641abc6cb8694d810973d8f224

SHA256
9ddce13768515a1efd99c23b0b8df4241b6a797a441003a39c94f76d85d2042f

SHA512
131ef906f0e72c6496fa233d07594e95c344119aa5b6dbc33caa2a2714d5ab8ff5d6f6c608ce26abed0f489c3c9d338446112b46ed70cae7ae1aaa2161513ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
34aaec8e266e676ba30d2e8c43134314

SHA1
b54b6d96d79c74f9d184233b310d564f77ff0075

SHA256
6e99ddb93b1ed2e6d8a0a79da6c024771d2a1836c3d3d0f76b2061d7ead0deec

SHA512
641f36a4c9e8736fdb21f1aa7bc234da30b4dfcbde6836b1058c17e21efa812104fab5215907577e1dc0bb6818311e7f43fecef89d4678ad14749479d17baa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
11KB

MD5
d240eb9eb692e132872d657c3dd19ac4

SHA1
65cb16956810b73c549aa485950bd25e64779dea

SHA256
a5d36dd1fdf4a50e6e9bcb2f2d42ed5d957701626e84dcd216fcb6f02c7ae997

SHA512
f64e7106f9d3d63d1af8429fd591c41f8171395f38543334bd7257fc020332cab71234b3171730e3b038a243ec465357455484e0fa5ad14c902c36f4f831eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
13KB

MD5
0df2f214b56f8d69fdd4e47016c70e53

SHA1
395cd74f7f4bdb5edb125b77a336348691940c51

SHA256
eda5465e856f3ea87d17a46ec28e72995f64d0648c24ab28de279a356aa34704

SHA512
3658b63b4b1ce66ce7631820454fb42d79887e5308a4be6717974c97959defa6c9dd3d11a85c83bdb2a36a419ea59ec08f6e421ca7a44147752752e64a345335

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
13KB

MD5
112d3a3910eb4c760369b75fbd91f07b

SHA1
630dc7d16e4eec30acae36cfcd5a32b03a5211c8

SHA256
125750b89203bc1873a9447f9fdd541941d7ca506ce8fb63b9a8f7bb52a163de

SHA512
37bfab75e0b77cfbe2483d10b1661971ec075219f5d427570b7dd877ad52740fb42063caeaf5c68ed5141f6fff7ea35ed6d7b47d6c935daa3f95f52f54cd7fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
13KB

MD5
e652c53a673504c8db377b95ace73dce

SHA1
c03db6295d2b5ab6be12739c95ee5de30466b777

SHA256
1a61cd1bd20c597938c6933495374f5c35c0024e2e3dc0f7609d63141063b925

SHA512
9819e9e2430c47da18e934c1e08c2ab9db447de16c5be9de6f58ce7071d3e363ea7b17d2926b8b0757574ab93cc04477b27df79138efc83069ecf91109f408b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
13KB

MD5
4387fff0c5eb886803e3d5935b0586d3

SHA1
c30d3b7063fd9330ef2e61384f3d829234122da3

SHA256
8e748203e030e3249510204f54f5c033cec9699931a570506b3cf827bc1f00a9

SHA512
7f8f3cb41670fe929f18fa9edf15656848440c827722e2a161a1d22148a7675296b3dbd902c273db412a5cd188095c0847025f0c349802f6cde93a0dedc04e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
1KB

MD5
3149e60c925b3e4eeb2afa18d221a7ec

SHA1
14b10324f85dcfbccd23cdf49f0f6d2d3b559c9a

SHA256
eb6811e21dc49b4a2218a9f3d44c83eec0e89488fb4340b75308d63f3a3f97cc

SHA512
673ce17238e9981a091d7f8c8761f905d722ff9994edbc7d6dadeb6442baea55138a8c0a29bf61b9e71f250ecd2273e57adb02c68f5db5e5d92e093b83c066aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
1KB

MD5
3c3bfb6800aeab3caaf49a7632fff3bb

SHA1
805676e841b7ded8fe76b91bcdd5cb12204deb60

SHA256
2a36a69a436e4f3ac6b4739c47c572b551efbc74d0bd5146fb4f1ae74735c8cb

SHA512
2b997d344683d8a891df05b119921ea43a27285795d1eef52c61b4639e200c7b6a15b029f75e9fa97d2c3bd7204095da930c0b2547def84249774ee6a24b24ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
95B

MD5
9b507b45c41b5b76ee28e9a236d2799b

SHA1
1faccb7a5024ec67e96277264d8accfad0882863

SHA256
d7d5617f0c7bc136c2c3c813b0aebdf9aa51fc4b660994abd17e843390b64d3c

SHA512
28dc0f4f1108150111873f10b43dbbb8c5e99f033f6708a8ce3eed0038ec33fc6a0f48a76d07f468de7ab0e5d67321647c884c7551f7a418e5866151a506eb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
243B

MD5
2ad61732ed331e7a4724df0dde0190c6

SHA1
388a7e77d4c77a07a1952bbafcc65ce8145ff302

SHA256
ff9f05d76ce4bec4aea13da0ecd5f13b086c485ba35bfc27c314637b2ebffb81

SHA512
0336114cfe8fe160787e372988880b8396a372d4a253180b94cac1012836edaf7d6504c64a1880ac7ff6c1e6a472882ba8a711850bb9847043f7678a94c2a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
344B

MD5
e0fedf98a0859224fea3d5c58c7a9203

SHA1
5792f4561c103e660cc35d0a1d0a05695e5a2879

SHA256
8c62de583360a6e8e86c8de6bc33347f3c998f8849176663b02d8f53eaf8ac43

SHA512
9208984ac1fa1706c5476ba08404718d5360ce222e47e46493312000e250b31e6ac123e673d1bfe893eafbd4221f5637a7530f5287bebf11bdf81ed4ff8af49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
698B

MD5
6b06aa1ce0a2c0d2125acfaff7591bd5

SHA1
585853f6b76a8dd1a35aad6b25b6436a0250526b

SHA256
ae90c6a7f11fa209a88bd0e88281acc7e1a6cd4793c678168e72ccf6db724796

SHA512
957a0d38440cd102a91010b3622461811480de991d0a0b5f0c9f7c9aafdfebb954824bae20c1b853dea7a3703809b308ed7b56bc39b4ce59e311b44dc520e6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
958B

MD5
fa70c0c76388ed7ec597187e12feb1f2

SHA1
f7a0b7a3a307d32460e91c9f36c592124bcc0341

SHA256
64ea5af499726361a0a4c7c31e6c2166a960666649448f88a599a8e0cb129e5e

SHA512
e01fdf6af774ffce476b94c2ba7b3cc20b88154f08f809c0662fc77377b789becdf998c6195dbd993dcc63dce0833d9a2e467271c85291fadc23f6cae06cef62

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
1KB

MD5
7657e67bc70a5a90244ad44dc42107cf

SHA1
77ef972e7ef1ea4283db571a8c12c7818496cfcd

SHA256
28720c68ac798d34c306747c91b6f576743360463096833dd74f1addc9d6d242

SHA512
1bc009142b2dfccd3992ad62c731d8a68f0e6076ea9301935b29b522a37e7f1a56b14720036e87469688f075509d27428ded897f54565d0c59e225d2f71b0f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
38B

MD5
4e01cf6c5fbb5cfed6a3684f69054365

SHA1
7a040aa2784160f4254f14acd958a6a75ef7293c

SHA256
a31a85891221410dbaf4d3d1bf5f842405140bf583945088d585bc5e8a9fbed3

SHA512
8376e53d2a81c39c9e04c074ea556279dee9d6a721443b7a41375ea3ed054ed795965dac6a6171f9de00a5f9bd9ddffc53322b98712cfe7dfa7eb1ca8e62e625

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
113B

MD5
f922ce103305d2d2766cd69b4992bed4

SHA1
e43c5ec1882020e9f59bf8be1f7b039b7279aec9

SHA256
673712f1a5ddf23348ad5dd910c0fad7656d5c4b60f9d9d6b413aa7ed20f3612

SHA512
65b2dd117d6ac6d8589ebaf1c22d3dff59cc79887eb53e8951f53160b9cc6ecabecd2a32d0e54d4cf517258118ed48791d0e9f679b3e166974aaa18faff8112f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
407B

MD5
445273f6cb444643254868591238cb3f

SHA1
df0fccd4475453a9ce599105bc32d41dcc26c2c4

SHA256
322b29c363f0c96f7c0537f31aee08606d90c1f750af05a65beaca6a8d1e5d98

SHA512
82ac8c4c0da86646145fef16c65a51f2ab499fea90bd87cf6c553591402340983ecc051fa04c8585a0220c6c21f2e9a4f3a5b30d1083dba606c8c6d996656b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
482B

MD5
8eaea0bd242613fabfdd0db2d5c35a69

SHA1
b534ded196120d8b34f8d72503ca548a88574734

SHA256
6339ea308fae5552302e96d5328b72f070452911d757b87e27b46db665595431

SHA512
2cc1a9349c507aaee258d0b545516f1f7b662d36111d15add4ae00ac6b55809128b46472e5254ed62688b93e8122a9aa686ab8467f04cc08a8b2629b98eed52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
4eb54c2893ec1497f14b95aaa7ff5b5e

SHA1
f021355c940f90759752217cd59fbc515dd6340b

SHA256
76aa24fb2f934acc15bf5a9b4b417c583c07b13527d74f0bb886a1a7e78246aa

SHA512
83b300c8be391184335191bfd3dd8620eeb99f33fa544a728911958eeb522fd7ca167261e79fb51bbdaad90e1290a58d70897756262cf0220cb8b4706cd53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
8a51c7836aa8d49bc61ac3582a79af9b

SHA1
9945fa19a737875ec33e9928703ccb17812088e3

SHA256
dd6d766817f47b421cdcb7c68df8368d2d9cc609d9bf4fd0fba52c9255514f05

SHA512
c71d3302a65904fca5fbd9df5bca50a9ddb0d3db6c12cd5f3a1959b0d686dc9767b14c981a509334325ed6629cec37ceffa01070e21f109a258fef81b4258925

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
dcc0e588a7cb0a57f40b50f87606f6f6

SHA1
3db9c108e64f4584be60765fc82f0affd9d9701b

SHA256
ddd78fac824aff10c4f3f678833d2c82646029fb50874b59843a165f11b883ad

SHA512
696471d8afacae6ef87a46fb748fdc2757cab520bfa508277912f31697e81615d44120a01d0f4da76a132d4946f0cf13a986f7c06b997759648378e1e665049f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
71797453e493021e6200622695caa8b1

SHA1
e843046c20d7078c0b96f975196578589bdb36a7

SHA256
83667c0984e5ce05928d7142bbbfc9d047d98ac63895228f5978d75518aaf864

SHA512
884651f6997c1eb951b40a6b442883fa3470f5df52631265f9050658fde523be347340ae8cf445f14691ccbd5deb247bcfb21efd2c1893064e113b05578798fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
01352b2c7730bc190fdc0d00687a3a44

SHA1
6aae6357aa3dcadcc69e1e1f15198fe08bbeea9a

SHA256
dc9052f028dafc50346a5f22fe5d9c5ca9658945f415b2e06f57d7b15b7362f3

SHA512
84c552bef0097a727cca4a604c9113cd75598116f290d5131ce358e97453f460cc77f593d77b4db1f4f5e26bfa5b0a0f15baa59d03ff5717282f8428a60ed10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
032abde035bcc5389d4016770c185e18

SHA1
99e0f1ff805950233b029ccdc7d97d769d17379f

SHA256
8b42aac0688832c6c86c547bd10ef944a6513abfbba9727da8f73f08b52bc763

SHA512
3d89fc968bf55902b7b89c59eee9fc327fa3bfefd217f68a34e229a42486f53332a79fff0c7551b920297d10435c59c1aac63993c98399b49def40d32be9dfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
1387ac500a5b06e45b7171bbeda54d40

SHA1
96bee79acc44a12c95917a927d27b097e2011067

SHA256
e1d27f692c0de43a26a3eb67f754f7b3c29bbbe8718acfe8712e5393b0dcf760

SHA512
543b600349cbc4b292c0f85dc3e65aaa529e0985989867404135b9748e2cd7da840a45cfec28a6212136f815e1ca4cd4a9456893b9943924ceef3fbb1b0aba78

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
78f606eccb61f85d1ea823b05d026e90

SHA1
9d6676d194bec53a3de4e782a6f04ab07a9b5c77

SHA256
dd4adbea05feb91ce64fb329c203f06dba2bb05b4789338390157fb6a5d303e6

SHA512
672b57dfa3db22310336d347887bc3e2da25e5ece1228df3c48b0e305af9f191752052f40f96aedf287763babaa87607b670c43d1a483c83dcf1f4bb11bf565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
70d4e4f2967b7cbfaa6370973447cbb9

SHA1
bbe1aa75d8e40e168355b6f4d8f323d9fa8bc418

SHA256
a01fc7c7ec6368fc50eda572ed89052961dbe8e2e47fa00880110577356c68b8

SHA512
c870a757fcd9cdaf7246e3f613d6eed89373b50364851b33dc0581d4eef667a2e2232b1a18fcd929ba4099821fc850e86441768d986541cd046cdab93fce78db

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
09dd83c11cbd37d9927d347555b646a4

SHA1
a040e43a934263a445b68573384bd08a13bbeb31

SHA256
c2b1ee8956ed30a1f5cfb621610a894266aa1016c67526621208d6af2132ae7a

SHA512
20ee003e41f57856a0036c6ff7119060a24a5d750692cba7c0ee0c8b66d0d5187879910e80f3ed2afc75abc917499fc25f05a47502f97ad289c267056388c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
1a099b628593f6509c72702fa95857b5

SHA1
a0084f3340303b7aecffe425e769ad2add974532

SHA256
486c8c6438b7ebef4ef4dee4489fcbadd28de4556d6ff6098ed6caff8454f34f

SHA512
fbf3e85864c8d2469883988a0799fbd8c1438cde30e330bab500c60d58316c536d08c3f8d1773bc459a77db63db2648c979f486270a432e1c5e97768e45348ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
f3ea95aa4a07c6067ef04bc014bdc5bd

SHA1
d1516ec9467bcfd30ad5fd4995c7285e0b96a64e

SHA256
472797e54027f15c8b87b79a507cbe68c27cb5c354aeff64fcb36aef760cd20d

SHA512
756bfd36cfb38e409346d4df672a9954145e7f80240cc8d6731b6282a91869bbd69442402077378542e873a35eb635222207390429e409221279b665f8421b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
b4100eeb448a15b03a258484b3a5f596

SHA1
9bd4867fc20001a1376ca7526e380a9a5bdf648e

SHA256
2d1e203e791b6df48dc65b78d9bf677602207ed94f669bcacffb06fbc729bc34

SHA512
6d048fc77c05956f6bff6357d212a38e4ecc4f088ef9e02cf125ccbd9b4f9a158b21281fba8176473fca09e2bc68bc5144a1bc8bee551a2d2dcca664f63eb683

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
43KB

MD5
ea04dcda8474f9302f6f8a34398be0c7

SHA1
b8e58e892bedf406c1bf5ebb196d229d25487cf5

SHA256
1201188abfbbeb22d0ceef019263b77fc17049e5fc187c063a0a3628f130ae56

SHA512
23a2e7c858553db1dd48c94fc25624cc1c5a2451bff690751742a0cede9081efcdd3a95d38c9121f33246bb8f7f18ddee9080f63d8d9d5a340f820ea7f7eb0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
43KB

MD5
786543cb8a3aa65a545e6c70252f4686

SHA1
d7ea7a8eb025d8a8a1b640b221fae942a45b8205

SHA256
f4223b5a66f9a0c9eee7d93aa2702f435246aa5112a4fd59d5f3f6c6d05ed131

SHA512
ccac0eef411f92908e6a4c6666e7c92d904c3e9b552e0f14cfb387adca75132ece0b64889e5a2430fa503444376309d99bbb8c41cf8f580208bc9103f9d2437c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
185B

MD5
3e2b9ce90045c27b90180e8cce3e9274

SHA1
861cb07a6a5078ac9ab95261cb6196b355eb9ff8

SHA256
8557ba1362e4599bc384b2cd6ef4c4033af61bc96efd535952ede37e84349610

SHA512
9b8514437d41b5cc960807ea496841265404e3a16353ac234fc96bbb4051f65812a3e5062bbc9bd4207693e33d6fd9b055247f9dc10b80f02b79cc254417a548

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
221B

MD5
58f8a02b6ee859c43469582daa4ee7c5

SHA1
133e928deeeea4a5a7590dd9ad3e00544e8348ee

SHA256
ebde6108b24704049280ba76f26df196b513641f782b4f340c4a3563a134f655

SHA512
501c2c1971775bac5875d8ddb8c629a25b7f11c7ace862f6767a20e8db71269690592df97511bfe9fda052a655a8186db3df23eaf73189a1149b89f9e25d7e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
1KB

MD5
72a818abfff9c9fd5c90ee8393a3cf35

SHA1
847712112a91736863575da78638c2ec0a534c22

SHA256
f5e6613beac861091a67fefb6d7ae0186862eb637b6273deef4a41a3871464eb

SHA512
b346fc906640c89b414f1950054eaa03f02f65990e4e124960c2dc764a3b63b0eb97aa50d1898d515ec5b4c7b59a1570891a499807afe03f62e519624d969846

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
1b3341b7f51eb78ce5eb2ecf8dd2463a

SHA1
187ca946dc21f1758e8ac7c752631b4009f73768

SHA256
a5e5e9ceb6c470db5b08aa88f028beb0a6ab18ab077867f9812797cd9f73f497

SHA512
49d8770c718ee1072ef7e4083adec9da156a858c6e7e1024235cf32b1620c8517d0ac9afe490719bde175fcc88a816cfce1ee357b73f79b906eea97b24b75160

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
78bd674b12aa46eff88bcdbc610f4fbf

SHA1
3c70bc1bf692fab996a329ea974147b31848b313

SHA256
33c2568fbbe5ba168b40d25d5cb1cbec60d4d7e68654c826862b1717c55db3e9

SHA512
e6695a4f2ae37c0700388d9eebb48af630078567384c8cb416a1e08a10b540a93cb5c06a8b24704277feed3a53e1b47f14f346a2f1acd9a87e5fd8749adfb8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
135B

MD5
36b8f09340530f94e24dde586d43620e

SHA1
e4e03089fcda0f00ab4a46ac3536a1031230f43d

SHA256
afb95a47992abd1b214497ccba1fa15be01670218531ffdd50f7626df293177b

SHA512
cd0b481d12b79a79c66f6276e6f9a339b59759c6a83168246163b3373042af5308860c9e1b5536e0d16a0d40bb2608dee72908d4063a7d9c3c78a18cd6b657bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
194B

MD5
a2bb40dec84c3b3c399c416b7c58f0dc

SHA1
cc0924ab388244e5a1b77928eeca6dbe0b8e61b6

SHA256
581d2c81bd6eeaacc61c62cdbe9bbb7a691ebefc2b098ae99c23a794d27af65c

SHA512
2441c1a9de2108aa187ee91186c6909f6dd196e64f4d99eddb3c1fca50399f5612784b6353e55aaa43ce00f7d20dc4824ad34defe426b2a6fd525efd80c506a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
253B

MD5
889356fa365e739c9caa839ee544fb09

SHA1
5f0dc027a1343d3b0f1cbf35ef2b0784efcbd650

SHA256
868d968dbe0b4bb3618a28597dda97d521afa8969e5e218154e243b17e05b0b1

SHA512
b83a7cdd5ab238c6cf5a0c70be6e01e9690a5bc10cda1e781ef0be44a9568fa10a07476fd4aa80a8479c5fa8d08edebf4f732e33dbec06807e7ef964b1fea5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
312B

MD5
580be8aa116ca476405e4550ef662d81

SHA1
a4bcee6e5d140c169d59378356543b06c86d43bf

SHA256
a8c59f5dd5ae79cfa7d7ddb7e8ab1804af93fef1edcda69b8388920743083a5e

SHA512
7b4be4dd44c2542bb0fda9812b7eb485b297d2a199d0207c06545a7f5af54ecd4070b637a8833ea91ad2275bd82497f708c75cf6d3c2556692eef8dd42aa7456

Download Submit
C:\Users\Admin\AppData\Local\Temp\processes.txt

Filesize
3KB

MD5
c287f354b1899a10451166063f93f981

SHA1
94a3807ccd8197dcc1a840acd7c39cb2b29a6c93

SHA256
352fa8a83c0a29397639dd8851dd33036c306ef2383ae7550060a345283a4085

SHA512
d352690da51980320f01893a0dec0c2219aa1e0fd08bec34ff82da719f8d88da947edd40a09455519938b6f2c041fc6ebc56f711e3f10f1b86697040262786d6

Download Submit
memory/1396-256-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/1396-255-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2432-153-0x0000000000590000-0x00000000005EC000-memory.dmp

Filesize
368KB

Download
memory/2432-151-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2432-154-0x0000000000590000-0x00000000005EC000-memory.dmp

Filesize
368KB

Download
memory/2432-188-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2432-187-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/2432-186-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/2432-185-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2432-191-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2432-132-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2432-150-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download