Analysis
max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
submitted
03/10/2024, 01:24
Static task
static1
Behavioral task
behavioral1
Sample
gatherNetworkInfo.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
gatherNetworkInfo.vbs
Resource
win10v2004-20240910-en
General
Target
gatherNetworkInfo.vbs
Size
86KB
MD5
2e6af4d5bf6e31e728f409984c3045d4
SHA1
757bf5310f40a69d883f11e75f220e02fbaa0127
SHA256
d906d6126a1e9c9569ef81605d02f03ef94aa57b3ab9cbd56c996baf22fa461b
SHA512
2ff376bee712a61cb4a6ff8f0f3ac0ac9778acdaf0cb767d9d085502cb8e9365458292266e994a3d973494759b43181511aaf050ec0d48bfa7e51b07a3b56bfa
SSDEEP
1536:sImNGeeGUJIgZf/A+qfwkgKo9kNxyJ3OOjPl68fef0qIbIE5ToGdKTYL7TBHQ/8S:sImNGXGUJtx/A+qfol6yqZs8J
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
flow  pid   Process
61    2232  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid   Process
2232  powershell.exe
Modifies Windows Firewall 2 TTPs 8 IoCs
pid   Process
1244  netsh.exe
4472  netsh.exe
2996  netsh.exe
1424  netsh.exe
3876  netsh.exe
4064  netsh.exe
4708  netsh.exe
3708  netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation  WScript.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 1 IoCs
pid   Process
3800  dismhost.exe
Loads dropped DLL 5 IoCs
pid   Process
3800  dismhost.exe
3800  dismhost.exe
3800  dismhost.exe
3800  dismhost.exe
3800  dismhost.exe
pid   Process
1536  cmd.exe
2696  cmd.exe
372   ARP.EXE
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid   Process
3328  cmd.exe
3440  powercfg.exe
Drops file in System32 directory 16 IoCs
description   ioc                                                                                                         Process
File created  C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF                   dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF               dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF                   dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF               dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF               dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF           dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF         dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF           dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF           dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF             dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF             dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF         dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF             dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF         dxdiag.exe
File created  \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF               dxdiag.exe
File created  C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF               dxdiag.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid   Process
4064  tasklist.exe
Drops file in Windows directory 2 IoCs
description                   ioc                              Process
File opened for modification  C:\Windows\Logs\DISM\dism.log    powershell.exe
File opened for modification  C:\Windows\Logs\DISM\dism.log    dismhost.exe
Launches sc.exe 12 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
3964  sc.exe
2444  sc.exe
1456  sc.exe
4972  sc.exe
2700  sc.exe
3084  sc.exe
4940  sc.exe
4948  sc.exe
1456  sc.exe
664   sc.exe
1344  sc.exe
3800  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc                                        Process
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
4472  PING.EXE
4704  PING.EXE
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                     Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000                  dxdiag.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID       dxdiag.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs    dxdiag.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000                      dxdiag.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID           dxdiag.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs        dxdiag.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description        ioc                                                              Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS               dispdiag.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  dispdiag.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
pid   Process
1736  ipconfig.exe
412   ipconfig.exe
2360  ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid   Process
4712  systeminfo.exe
Modifies registry class 36 IoCs
description      ioc                                                                                                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"                                                  dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"                                                               dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1                                                                                                                              dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject                                                                                                                             dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"                                                                                                dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"                                                                             dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID                                                                                 dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"                                                                                                    dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider                                                                                                                                dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID                                                                                                                          dxdiag.exe
Key created      \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{BC3F5DC5-AAAD-4243-ABFA-8BF006F4FEF5}  dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1                                                                                                                           dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}                                                                                                         dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove                                                                                             dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"                                                                            dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32                                                                                          dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"                                                                                         dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"                                                                                      dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID                                                                                                  dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID                                                                                dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"                                                                                                      dxdiag.exe
Key created      \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{CD40AF29-6318-4F7D-B6A0-063DBFC60C17}  dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID                                                                                                                       dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"                                                                           dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer                                                                                                                      dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID                                                                                                                        dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}                                                                                                         dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"                                                                                              dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID                                                                                                                     dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID                                                                                                  dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"                                                                   dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"                                                   dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer                                                                                                                         dxdiag.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"                                                                         dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID                                                                                                                                                dxdiag.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32                                                                                          dxdiag.exe
Modifies registry key 1 TTPs 1 IoCs
pid   Process
3560  reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs
pid   Process
4472  PING.EXE
4704  PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
684   dxdiag.exe
684   dxdiag.exe
2232  powershell.exe
2232  powershell.exe
2232  powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
4728  WScript.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeShutdownPrivilege           3440  powercfg.exe
Token: SeCreatePagefilePrivilege     3440  powercfg.exe
Token: SeDebugPrivilege              4064  tasklist.exe
Token: SeSecurityPrivilege           1620  wevtutil.exe
Token: SeBackupPrivilege             1620  wevtutil.exe
Token: SeSecurityPrivilege           2300  wevtutil.exe
Token: SeBackupPrivilege             2300  wevtutil.exe
Token: SeSecurityPrivilege           2852  wevtutil.exe
Token: SeBackupPrivilege             2852  wevtutil.exe
Token: SeSecurityPrivilege           4632  wevtutil.exe
Token: SeBackupPrivilege             4632  wevtutil.exe
Token: SeSecurityPrivilege           632   wevtutil.exe
Token: SeBackupPrivilege             632   wevtutil.exe
Token: SeSecurityPrivilege           3584  wevtutil.exe
Token: SeBackupPrivilege             3584  wevtutil.exe
Token: SeSecurityPrivilege           4144  wevtutil.exe
Token: SeBackupPrivilege             4144  wevtutil.exe
Token: SeSecurityPrivilege           2484  wevtutil.exe
Token: SeBackupPrivilege             2484  wevtutil.exe
Token: SeSecurityPrivilege           1388  wevtutil.exe
Token: SeBackupPrivilege             1388  wevtutil.exe
Token: SeSecurityPrivilege           3560  wevtutil.exe
Token: SeBackupPrivilege             3560  wevtutil.exe
Token: SeSecurityPrivilege           4332  wevtutil.exe
Token: SeBackupPrivilege             4332  wevtutil.exe
Token: SeSecurityPrivilege           2736  wevtutil.exe
Token: SeBackupPrivilege             2736  wevtutil.exe
Token: SeSecurityPrivilege           4556  wevtutil.exe
Token: SeBackupPrivilege             4556  wevtutil.exe
Token: SeSecurityPrivilege           4376  wevtutil.exe
Token: SeBackupPrivilege             4376  wevtutil.exe
Token: SeSecurityPrivilege           2340  wevtutil.exe
Token: SeBackupPrivilege             2340  wevtutil.exe
Token: SeSecurityPrivilege           3708  wevtutil.exe
Token: SeBackupPrivilege             3708  wevtutil.exe
Token: SeSecurityPrivilege           2988  wevtutil.exe
Token: SeBackupPrivilege             2988  wevtutil.exe
Token: SeSecurityPrivilege           1708  wevtutil.exe
Token: SeBackupPrivilege             1708  wevtutil.exe
Token: SeIncreaseQuotaPrivilege      4384  WMIC.exe
Token: SeSecurityPrivilege           4384  WMIC.exe
Token: SeTakeOwnershipPrivilege      4384  WMIC.exe
Token: SeLoadDriverPrivilege         4384  WMIC.exe
Token: SeSystemProfilePrivilege      4384  WMIC.exe
Token: SeSystemtimePrivilege         4384  WMIC.exe
Token: SeProfSingleProcessPrivilege  4384  WMIC.exe
Token: SeIncBasePriorityPrivilege    4384  WMIC.exe
Token: SeCreatePagefilePrivilege     4384  WMIC.exe
Token: SeBackupPrivilege             4384  WMIC.exe
Token: SeRestorePrivilege            4384  WMIC.exe
Token: SeShutdownPrivilege           4384  WMIC.exe
Token: SeDebugPrivilege              4384  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4384  WMIC.exe
Token: SeRemoteShutdownPrivilege     4384  WMIC.exe
Token: SeUndockPrivilege             4384  WMIC.exe
Token: SeManageVolumePrivilege       4384  WMIC.exe
Token: 33                            4384  WMIC.exe
Token: 34                            4384  WMIC.exe
Token: 35                            4384  WMIC.exe
Token: 36                            4384  WMIC.exe
Token: SeIncreaseQuotaPrivilege      4384  WMIC.exe
Token: SeSecurityPrivilege           4384  WMIC.exe
Token: SeTakeOwnershipPrivilege      4384  WMIC.exe
Token: SeLoadDriverPrivilege         4384  WMIC.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
684   dxdiag.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process      procid_target
PID 4728 wrote to memory of 116     4728  WScript.exe  84
PID 4728 wrote to memory of 116     4728  WScript.exe  84
PID 4728 wrote to memory of 4716    4728  WScript.exe  86
PID 4728 wrote to memory of 4716    4728  WScript.exe  86
PID 116 wrote to memory of 2936     116   cmd.exe      88
PID 116 wrote to memory of 2936     116   cmd.exe      88
PID 4716 wrote to memory of 4008    4716  cmd.exe      89
PID 4716 wrote to memory of 4008    4716  cmd.exe      89
PID 4728 wrote to memory of 2704    4728  WScript.exe  90
PID 4728 wrote to memory of 2704    4728  WScript.exe  90
PID 2704 wrote to memory of 2296    2704  cmd.exe      93
PID 2704 wrote to memory of 2296    2704  cmd.exe      93
PID 4728 wrote to memory of 3592    4728  WScript.exe  94
PID 4728 wrote to memory of 3592    4728  WScript.exe  94
PID 3592 wrote to memory of 3204    3592  cmd.exe      96
PID 3592 wrote to memory of 3204    3592  cmd.exe      96
PID 4728 wrote to memory of 5048    4728  WScript.exe  97
PID 4728 wrote to memory of 5048    4728  WScript.exe  97
PID 5048 wrote to memory of 4588    5048  cmd.exe      99
PID 5048 wrote to memory of 4588    5048  cmd.exe      99
PID 4728 wrote to memory of 2984    4728  WScript.exe  100
PID 4728 wrote to memory of 2984    4728  WScript.exe  100
PID 2984 wrote to memory of 1696    2984  cmd.exe      102
PID 2984 wrote to memory of 1696    2984  cmd.exe      102
PID 4728 wrote to memory of 4980    4728  WScript.exe  103
PID 4728 wrote to memory of 4980    4728  WScript.exe  103
PID 4980 wrote to memory of 1424    4980  cmd.exe      105
PID 4980 wrote to memory of 1424    4980  cmd.exe      105
PID 4728 wrote to memory of 3168    4728  WScript.exe  106
PID 4728 wrote to memory of 3168    4728  WScript.exe  106
PID 3168 wrote to memory of 2384    3168  cmd.exe      108
PID 3168 wrote to memory of 2384    3168  cmd.exe      108
PID 4728 wrote to memory of 2232    4728  WScript.exe  109
PID 4728 wrote to memory of 2232    4728  WScript.exe  109
PID 2232 wrote to memory of 908     2232  cmd.exe      111
PID 2232 wrote to memory of 908     2232  cmd.exe      111
PID 4728 wrote to memory of 2548    4728  WScript.exe  112
PID 4728 wrote to memory of 2548    4728  WScript.exe  112
PID 2548 wrote to memory of 1968    2548  cmd.exe      114
PID 2548 wrote to memory of 1968    2548  cmd.exe      114
PID 4728 wrote to memory of 2072    4728  WScript.exe  115
PID 4728 wrote to memory of 2072    4728  WScript.exe  115
PID 2072 wrote to memory of 1568    2072  cmd.exe      117
PID 2072 wrote to memory of 1568    2072  cmd.exe      117
PID 4728 wrote to memory of 3936    4728  WScript.exe  118
PID 4728 wrote to memory of 3936    4728  WScript.exe  118
PID 3936 wrote to memory of 2596    3936  cmd.exe      120
PID 3936 wrote to memory of 2596    3936  cmd.exe      120
PID 4728 wrote to memory of 3800    4728  WScript.exe  121
PID 4728 wrote to memory of 3800    4728  WScript.exe  121
PID 3800 wrote to memory of 2376    3800  cmd.exe      123
PID 3800 wrote to memory of 2376    3800  cmd.exe      123
PID 4728 wrote to memory of 4056    4728  WScript.exe  124
PID 4728 wrote to memory of 4056    4728  WScript.exe  124
PID 4056 wrote to memory of 1544    4056  cmd.exe      126
PID 4056 wrote to memory of 1544    4056  cmd.exe      126
PID 4728 wrote to memory of 1112    4728  WScript.exe  127
PID 4728 wrote to memory of 1112    4728  WScript.exe  127
PID 1112 wrote to memory of 3984    1112  cmd.exe      129
PID 1112 wrote to memory of 3984    1112  cmd.exe      129
PID 4728 wrote to memory of 3436    4728  WScript.exe  130
PID 4728 wrote to memory of 3436    4728  WScript.exe  130
PID 3436 wrote to memory of 4196    3436  cmd.exe      133
PID 3436 wrote to memory of 4196    3436  cmd.exe      133
Processes
[1] C:\Windows\System32\WScript.exe  PID:4728
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gatherNetworkInfo.vbs"
    - Checks computer location settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe  PID:116
        Command line: "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\gpresult.exe  PID:2936
            Command line: gpresult /scope:computer /v
    [2] C:\Windows\System32\cmd.exe  PID:4716
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:4008
            Command line: reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2704
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:2296
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:3592
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:3204
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:5048
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:4588
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2984
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:1696
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:4980
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:1424
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:3168
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:2384
            Command line: reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2232
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:908
            Command line: reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2548
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:1968
            Command line: reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2072
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:1568
            Command line: reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:3936
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:2596
            Command line: reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:3800
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:2376
            Command line: reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:4056
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:1544
            Command line: reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:1112
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:3984
            Command line: reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:3436
        Command line: "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe  PID:4196
            Command line: reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
    [2] C:\Windows\System32\cmd.exe  PID:2448
        Command line: "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
    [2] C:\Windows\System32\cmd.exe  PID:4900
        Command line: "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
        [3] C:\Windows\system32\systeminfo.exe  PID:4712
            Command line: systeminfo
            - Gathers system information
    [2] C:\Windows\System32\cmd.exe  PID:3168
        Command line: "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
    [2] C:\Windows\System32\cmd.exe  PID:3328
        Command line: "C:\Windows\System32\cmd.exe" /c powercfg.exe /batteryreport /output config\battery-report.html
        - Power Settings
        [3] C:\Windows\system32\powercfg.exe  PID:3440
            Command line: powercfg.exe /batteryreport /output config\battery-report.html
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:2324
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist /svc > processes.txt
        [3] C:\Windows\system32\tasklist.exe  PID:4064
            Command line: tasklist /svc
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:3236
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:1620
            Command line: wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:2376
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:2300
            Command line: wevtutil al config\WLANAutoConfigLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:212
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:2852
            Command line: wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:536
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil al config\WCMLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:4632
            Command line: wevtutil al config\WCMLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:2412
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:632
            Command line: wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:2536
        Command line: "C:\Windows\System32\cmd.exe" /c wevtutil al config\WWANLog.evtx
        [3] C:\Windows\system32\wevtutil.exe  PID:3584
            Command line: wevtutil al config\WWANLog.evtx
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  PID:5060
        Command line: "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:548
            Command line: netsh wlan show all
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:2312
        Command line: "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:3260
            Command line: netsh lan show interfaces
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:4332
        Command line: "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:948
            Command line: netsh lan show settings
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:4972
        Command line: "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:2256
            Command line: netsh lan show profiles
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:1404
        Command line: "C:\Windows\System32\cmd.exe" /c netsh mbn show interfaces >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:4940
            Command line: netsh mbn show interfaces
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:4872
        Command line: "C:\Windows\System32\cmd.exe" /c netsh mbn show profile name=* interface=* >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:3308
            Command line: netsh mbn show profile name=* interface=*
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:988
        Command line: "C:\Windows\System32\cmd.exe" /c netsh mbn show readyinfo interface=* >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:2324
            Command line: netsh mbn show readyinfo interface=*
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:1848
        Command line: "C:\Windows\System32\cmd.exe" /c netsh mbn show capability interface=* >> config\envinfo.txt
        [3] C:\Windows\system32\netsh.exe  PID:2300
            Command line: netsh mbn show capability interface=*
            - Event Triggered Execution: Netsh Helper DLL
    [2] C:\Windows\System32\cmd.exe  PID:4056
        Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
        [3] C:\Windows\system32\ipconfig.exe  PID:1736
            Command line: ipconfig /all
            - Gathers network information
    [2] C:\Windows\System32\cmd.exe  PID:1140
        Command line: "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
    [2] C:\Windows\System32\cmd.exe  PID:3124
        Command line: "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
    [2] C:\Windows\System32\cmd.exe  PID:4880
        Command line: "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
        [3] C:\Windows\system32\ROUTE.EXE  PID:3388
            Command line: route print
    [2] C:\Windows\System32\cmd.exe  PID:3812
        Command line: "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
        [3] C:\Windows\system32\certutil.exe  PID:3188
            Command line: certutil -v -store -silent My
    [2] C:\Windows\System32\cmd.exe  PID:2316
        Command line: "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
        [3] C:\Windows\system32\certutil.exe  PID:900
            Command line: certutil -v -store -silent -user My
    [2] C:\Windows\System32\cmd.exe  PID:4012
        Command line: "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent root >> config\envinfo.txt
-
C:\Windows\system32\certutil.execertutil -v -store -silent root3⤵PID:3836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil -v -enterprise -store -silent NTAuth >> config\envinfo.txt2⤵PID:2804
-
C:\Windows\system32\certutil.execertutil -v -enterprise -store -silent NTAuth3⤵PID:948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil -v -user -store -silent root >> config\envinfo.txt2⤵PID:1500
-
C:\Windows\system32\certutil.execertutil -v -user -store -silent root3⤵PID:3332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt2⤵PID:4972
-
C:\Windows\system32\netsh.exenetsh winsock show catalog3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt2⤵PID:3848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt2⤵PID:4940
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt2⤵PID:664
-
C:\Windows\system32\netsh.exenetsh advfirewall monitor show currentprofile3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt2⤵PID:988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt2⤵PID:3312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt2⤵PID:4220
-
C:\Windows\system32\netsh.exenetsh advfirewall monitor show firewall3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt2⤵PID:3124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt2⤵PID:4644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt2⤵PID:3736
-
C:\Windows\system32\netsh.exenetsh advfirewall monitor show consec3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt2⤵PID:552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt2⤵PID:1272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt2⤵PID:2312
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall show rule name=all verbose3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt2⤵PID:4648
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt2⤵PID:3216
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt2⤵PID:1836
-
C:\Windows\system32\netsh.exenetsh advfirewall consec show rule name=all verbose3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt2⤵PID:1888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt2⤵PID:4872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt2⤵PID:4408
-
C:\Windows\system32\netsh.exenetsh advfirewall monitor show firewall rule name=all3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt2⤵PID:4676
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt2⤵PID:5080
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt2⤵PID:1156
-
C:\Windows\system32\netsh.exenetsh advfirewall monitor show consec rule name=all3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx2⤵PID:1592
-
C:\Windows\system32\wevtutil.exewevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx2⤵PID:2212
-
C:\Windows\system32\wevtutil.exewevtutil al config\WindowsFirewallLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx2⤵PID:728
-
C:\Windows\system32\wevtutil.exewevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx2⤵PID:1912
-
C:\Windows\system32\wevtutil.exewevtutil al config\WindowsFirewallConsecLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx2⤵PID:2140
-
C:\Windows\system32\wevtutil.exewevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx2⤵PID:2804
-
C:\Windows\system32\wevtutil.exewevtutil al config\WindowsFirewallLogVerbose.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx2⤵PID:4712
-
C:\Windows\system32\wevtutil.exewevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx2⤵PID:2256
-
C:\Windows\system32\wevtutil.exewevtutil al config\WindowsFirewallConsecLogVerbose.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c dxdiag /t dxdiag.txt2⤵PID:1648
-
C:\Windows\system32\dxdiag.exedxdiag /t dxdiag.txt3⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c dispdiag -out dispdiag_stop.dat2⤵PID:632
-
C:\Windows\system32\dispdiag.exedispdiag -out dispdiag_stop.dat3⤵
- Enumerates system info in registry
PID:2640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c time /t >> config\wlaninfo.txt2⤵PID:4720
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wl show i >> config\wlaninfo.txt2⤵PID:3188
-
C:\Windows\system32\netsh.exenetsh wl show i3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wl show d >> config\wlaninfo.txt2⤵PID:3208
-
C:\Windows\system32\netsh.exenetsh wl show d3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wlan show interfaces >> config\wlaninfo.txt2⤵PID:2340
-
C:\Windows\system32\netsh.exenetsh wlan show interfaces3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wlan sho net m=b >> config\wlaninfo.txt2⤵PID:4624
-
C:\Windows\system32\netsh.exenetsh wlan sho net m=b3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4648
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt2⤵PID:4376
-
C:\Windows\system32\sc.exesc query wcncsvc3⤵
- Launches sc.exe
PID:3084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt2⤵PID:996
-
C:\Windows\system32\sc.exesc query wlansvc3⤵
- Launches sc.exe
PID:4940
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt2⤵PID:3228
-
C:\Windows\system32\sc.exesc query eaphost3⤵
- Launches sc.exe
PID:3964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt2⤵PID:4036
-
C:\Windows\system32\sc.exesc query fdrespub3⤵
- Launches sc.exe
PID:4948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt2⤵PID:2232
-
C:\Windows\system32\sc.exesc query upnphost3⤵
- Launches sc.exe
PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt2⤵PID:4088
-
C:\Windows\system32\sc.exesc query eaphost3⤵
- Launches sc.exe
PID:1456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt2⤵PID:1184
-
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt2⤵PID:3260
-
C:\Windows\system32\netsh.exenetsh wlan show device3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt2⤵PID:1104
-
C:\Windows\system32\reg.exereg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters3⤵PID:3104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt2⤵PID:2312
-
C:\Windows\system32\netsh.exenetsh advfirewall show currentprofile3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt2⤵PID:1636
-
C:\Windows\system32\netsh.exenetsh interface teredo show state3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt2⤵PID:216
-
C:\Windows\system32\netsh.exenetsh interface httpstunnel show interface3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt2⤵PID:4856
-
C:\Windows\system32\netsh.exenetsh interface httpstunnel show statistics3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt2⤵PID:1344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt2⤵PID:1836
-
C:\Windows\system32\ipconfig.exeipconfig /displaydns3⤵
- Gathers network information
PID:2360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt2⤵PID:3024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt2⤵PID:4920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt2⤵PID:3736
-
C:\Windows\system32\netsh.exenetsh namespace show effective3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt2⤵PID:3188
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt2⤵PID:5100
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt2⤵PID:4364
-
C:\Windows\system32\netsh.exenetsh namespace show policy3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3668
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt2⤵
- Network Service Discovery
PID:1536
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt2⤵
- Network Service Discovery
PID:2696 -
C:\Windows\system32\ARP.EXEarp -a3⤵
- Network Service Discovery
PID:372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt2⤵PID:3992
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt2⤵PID:1256
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt2⤵PID:908
-
C:\Windows\system32\netsh.exenetsh int ipv6 show neigh3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt2⤵PID:772
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt2⤵PID:4036
-
C:\Windows\system32\nbtstat.exenbtstat -n3⤵PID:1836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt2⤵PID:560
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt2⤵PID:4880
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt2⤵PID:3996
-
C:\Windows\system32\nbtstat.exenbtstat -c3⤵PID:4012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt2⤵PID:2212
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt2⤵PID:3548
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt2⤵PID:3104
-
C:\Windows\system32\net.exenet config rdr3⤵PID:1224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config rdr4⤵PID:4980
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt2⤵PID:4364
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt2⤵PID:2312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt2⤵PID:4556
-
C:\Windows\system32\net.exenet config srv3⤵PID:2448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config srv4⤵PID:1132
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt2⤵PID:4316
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt2⤵PID:4076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt2⤵PID:3824
-
C:\Windows\system32\net.exenet share3⤵PID:1640
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 share4⤵PID:3228
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&12⤵PID:1900
-
C:\Windows\system32\netsh.exenetsh wfp show netevents file=config\netevents.xml3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&12⤵PID:544
-
C:\Windows\system32\netsh.exenetsh wfp show state file=config\wfpstate.xml3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1584
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&12⤵PID:3036
-
C:\Windows\system32\netsh.exenetsh wfp show sysports file=config\sysports.xml3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx2⤵PID:4704
-
C:\Windows\system32\wevtutil.exewevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\VmSwitchLog.evtx2⤵PID:1500
-
C:\Windows\system32\wevtutil.exewevtutil al config\VmSwitchLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx2⤵PID:1536
-
C:\Windows\system32\wevtutil.exewevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil al config\VmmsNetworkingLog.evtx2⤵PID:5072
-
C:\Windows\system32\wevtutil.exewevtutil al config\VmmsNetworkingLog.evtx3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic qfe >> config\Hotfixinfo.log2⤵PID:4500
-
C:\Windows\System32\Wbem\WMIC.exewmic qfe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe queryex nativewifip >> config\serviceinfo.log2⤵PID:4316
-
C:\Windows\system32\sc.exesc.exe queryex nativewifip3⤵
- Launches sc.exe
PID:664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe qc nativewifip >> config\serviceinfo.log2⤵PID:372
-
C:\Windows\system32\sc.exesc.exe qc nativewifip3⤵
- Launches sc.exe
PID:1344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe queryex wlansvc >> config\serviceinfo.log2⤵PID:3196
-
C:\Windows\system32\sc.exesc.exe queryex wlansvc3⤵
- Launches sc.exe
PID:4972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe qc wlansvc >> config\serviceinfo.log2⤵PID:772
-
C:\Windows\system32\sc.exesc.exe qc wlansvc3⤵
- Launches sc.exe
PID:1456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe queryex dhcp >> config\serviceinfo.log2⤵PID:1516
-
C:\Windows\system32\sc.exesc.exe queryex dhcp3⤵
- Launches sc.exe
PID:2700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe qc dhcp >> config\serviceinfo.log2⤵PID:2060
-
C:\Windows\system32\sc.exesc.exe qc dhcp3⤵
- Launches sc.exe
PID:3800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports >> config\winsock.log2⤵PID:4020
-
C:\Windows\system32\reg.exereg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports3⤵
- Modifies registry key
PID:3560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List" >> config\winsock.log2⤵PID:4584
-
C:\Windows\system32\reg.exereg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List"3⤵PID:412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh.exe winsock show catalog >> config\winsock.log2⤵PID:3708
-
C:\Windows\system32\netsh.exenetsh.exe winsock show catalog3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:642⤵PID:4356
-
C:\Windows\system32\reg.exeReg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:643⤵PID:744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:642⤵PID:3124
-
C:\Windows\system32\reg.exeReg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:643⤵PID:1484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:642⤵PID:1132
-
C:\Windows\system32\reg.exeReg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:643⤵PID:664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:642⤵PID:3084
-
C:\Windows\system32\reg.exeReg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:643⤵PID:1156
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $net_adapter=(Get-NetAdapter -IncludeHidden); $output= ($net_adapter); $output += ($net_adapter | fl *); $output += (Get-NetAdapterAdvancedProperty | fl); $net_adapter_bindings=(Get-NetAdapterBinding -IncludeHidden); $output += ($net_adapter_bindings); $output += ($net_adapter_bindings | fl); $output += (Get-NetIpConfiguration -Detailed); $output += (Get-DnsClientNrptPolicy); $output += (Resolve-DnsName bing.com); $output += (ping bing.com -4); $output += (ping bing.com -6); $output += (Test-NetConnection bing.com -InformationLevel Detailed); $output += (Test-NetConnection bing.com -InformationLevel Detailed -CommonTCPPort HTTP); $output += (Get-NetRoute); $output += (Get-NetIPaddress); $output += (Get-NetLbfoTeam); $output += (Get-Service -Name:VMMS); $output += (Get-VMSwitch); $output += "(Get-VMNetworkAdapter -all)"; $output += (Get-DnsClientNrptPolicy); $output += (Get-WindowsOptionalFeature -Online); $output += (Get-Service | fl); $pnp_devices = (Get-PnpDevice); $output += ($pnp_devices); $output += ($pnp_devices | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_InstanceId,DEVPKEY_Device_DevNodeStatus,DEVPKEY_Device_ProblemCode); $output | Out-File config\PowershellInfo.log2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2232 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" bing.com -43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4472
-
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" bing.com -63⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4704
-
-
C:\Users\Admin\AppData\Local\Temp\0DC15C50-2A67-4214-B6CA-486019109AB0\dismhost.exeC:\Users\Admin\AppData\Local\Temp\0DC15C50-2A67-4214-B6CA-486019109AB0\dismhost.exe {72003A6F-D9B0-4C98-874B-41F228EB8A00}3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3800
-
-
Network
MITRE ATT&CK Enterprise v15 (technique: signature count)
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 2
  - Component Object Model Hijacking: 1
  - Netsh Helper DLL: 1
- Power Settings: 1
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 2
  - Component Object Model Hijacking: 1
  - Netsh Helper DLL: 1
Defense Evasion
- Impair Defenses: 1
  - Disable or Modify System Firewall: 1
- Modify Registry: 1
Discovery
- Network Service Discovery: 1
- Network Share Discovery: 1
- Peripheral Device Discovery: 1
- Process Discovery: 1
- Query Registry: 3
- Remote System Discovery: 1
- System Information Discovery: 6
- System Network Configuration Discovery: 1
  - Internet Connection Discovery: 1
Downloads
-
Filesize
3KB
MD59fc2f6f056b761ee2efb51f1b2abe2a0
SHA1b6b10ee66a5e91356e36656c670a55cd1d0e4ca3
SHA25666bb48ee25484e6d28125af45c7ba09d785f822340975503f044bfe0d1093bdb
SHA51229cc4e2179047807286df7cb36563133394123bcb74e228bae38c5991bd7781be47c32b2609c5a88bcbca9ea3674f1cecd262bbdcad3485821564421f6d9ed91
-
Filesize
3KB
MD528ab641176c919ef5f796f965254e72c
SHA121cadde04c3a28842a51c63b6e184e3250385db3
SHA256da759355fc068f769a450e76f7d392045a5e7f44ae2708695c92ea3f78f44d4f
SHA512c5a81507b9c5f23f9e933e8aeadf90ece340e16aa94bfb3394d2e4634ee46b551e813d732f415ab36513183dd1a8038068fcae6c8b5b2cb2a3559dd6c09b4aac
-
Filesize
4KB
MD5e30f9bc0eaec914ce681d09f2dda880d
SHA149a17ea54cf9325a04a5bc9dd036b48dec7599bf
SHA256e7244164fbbe3378d6dad2d5de18bdad034b3536318bc9b56a8b947f11d91dee
SHA512a59a8a749ac80641ccca6def865a8ad51f18816ee7aa9efbf88a9baaa82dd56c9290367a00db58202e5369a2b0186c3d6bca9e8b26f51d890c94c06832ab7e82
-
Filesize
4KB
MD5a20149cc6d15b8616bc54139b9c5d315
SHA1ec898328ff87ac3f4ff40087a46a2f7a27102f3d
SHA2562eafa24a440fff6f353ce82a07b44c569f0f8752cf1726d93fc79522f09ccc7d
SHA512e82c10f8fe9b3542c2b666c5d76138b0bcee7d1c4d3b0b4a0d3d67677a80b212c18e410021a36d473701bb62e84bd423fc124a4ec3f198ea49f923d3ad75bed9
-
Filesize
419KB
MD5f9e0d0b0bb0cac9bd87767c01b2c4e7c
SHA194c9f42acc99929870db2bddeb82d8044a2141fb
SHA256717390063a65aa57caac03884a8256951239e49cbcb35b83cddf46963fc452ee
SHA5120cc1086dfd978dfd29047f833ba762e8981604bdc04490af468e3ec5f9d3928bc12210b95442a2f20d03c0b58a10a5a51c8073798d9fb2f54b4de12d493a8fcb
-
Filesize
419KB
MD5b30604aa9bbc40e70659bc230ca17c60
SHA16e11ea639b6af1d14d6bb65f39561f735ad8cfb3
SHA256c74cfec67914940604c2327eed85a3ca51b1c334c94beaa3d439a171445d3d5a
SHA512b797c61f0841fb70a85ae087e38e5ffebd8948da30baece4032b077fad5492e1c23f8457afcf6ad73ff4a1a5bd2a53f47269bb4fb6f1294534184edda97119cb
-
Filesize
95B
MD59b507b45c41b5b76ee28e9a236d2799b
SHA11faccb7a5024ec67e96277264d8accfad0882863
SHA256d7d5617f0c7bc136c2c3c813b0aebdf9aa51fc4b660994abd17e843390b64d3c
SHA51228dc0f4f1108150111873f10b43dbbb8c5e99f033f6708a8ce3eed0038ec33fc6a0f48a76d07f468de7ab0e5d67321647c884c7551f7a418e5866151a506eb47
-
Filesize
231B
MD59170b20d03ea1e63f482af71e6975221
SHA19fa38caf5023a1b745cb1d5c432e74cfb31cc405
SHA256a117ecb928139aa22ae4a9bf0f0a79a446ed97ff711c7a4e887768a122be911c
SHA512c73d5cbaeb7fc62bdb5e5f04ebeefd97b7da4db3b56dc0adb9b5dbb37bb056e3fb2701c1cb5006467a845eab02190d73b412863d6a5f8481e92fc66c6da72ed9
-
Filesize
306B
MD575db7861304a47ffeac0b5c88801172a
SHA1b3778cef27637ee986e194006d291560adadf14d
SHA25626d6835d602b9e09e793d0031701bdfffd07eda032f2f56344aa7ac00b8d79e9
SHA51262a1341833e3de6a9052d8c9d37e82223f49e5b279821a82cfd8558a8d1e89e074115195150a01049d327bae12158221ef82de43ea682905b81d0002fa32dd3f
-
Filesize
38B
MD54e01cf6c5fbb5cfed6a3684f69054365
SHA17a040aa2784160f4254f14acd958a6a75ef7293c
SHA256a31a85891221410dbaf4d3d1bf5f842405140bf583945088d585bc5e8a9fbed3
SHA5128376e53d2a81c39c9e04c074ea556279dee9d6a721443b7a41375ea3ed054ed795965dac6a6171f9de00a5f9bd9ddffc53322b98712cfe7dfa7eb1ca8e62e625
-
Filesize
113B
MD5f922ce103305d2d2766cd69b4992bed4
SHA1e43c5ec1882020e9f59bf8be1f7b039b7279aec9
SHA256673712f1a5ddf23348ad5dd910c0fad7656d5c4b60f9d9d6b413aa7ed20f3612
SHA51265b2dd117d6ac6d8589ebaf1c22d3dff59cc79887eb53e8951f53160b9cc6ecabecd2a32d0e54d4cf517258118ed48791d0e9f679b3e166974aaa18faff8112f
-
Filesize
319B
MD5a061107b2d08559c7a12a7a9e7b2df83
SHA12c596969754b809311ac75043758790aee198529
SHA256e877977b3f751237f71eafe880b4ace1d5604b36d02645ac237d1fb176debae0
SHA5120b58ef2e8e154429ff0e63fb53f7474f37619911e60c2d6c0ed3fb42c37bf980feaf92acc155db7a6ad1318a9f134349063cd2929a3c13c4eee56b16fa7840a2
-
Filesize
394B
MD5ed6f7545439589adafbd8111aba17e69
SHA1902f6318e9663452bfff6de3c344300a2254ea61
SHA25686f51a10715190ad0ad34d4cbdc3d0f81a64857b0099ccb3bc4a5c2805bd0494
SHA5126e71ef55c1ac84ec3d37c43d338f628535253c238c50661027c6a66337a1abda0561ca26f07b15ef88b5d027038100f5cebd305dac7852d96726a9efc8831b94
-
Filesize
2KB
MD5720d48145da1f2f90731ae8c43f0bea7
SHA142d2bda6d3a1cc8c2d3c8465fd59809111d4b805
SHA256a224d81ff57e5a203628b3bbc8e80cfd4c1643a2071837c2a27b71d0429932aa
SHA512ef98be0f859ac2e36ebdd60174baa8e5b52f2e5c93d71aa68d6424519ebc180748e6aaafa19ef5a00b7be9185ebfbb4b61e9ee0b78577cba4c9b679eea207911
-
Filesize
2KB
MD58dbeae7ebb6fda7ac0a3027c93c496f8
SHA191bcdfeeee0e44e9971a5821e39308d6ac7118fc
SHA256fb955cb032eb12f89b6ce2016fd0c2b9b13bbb473e6b7ae4dae39c150f243eaa
SHA512e0b5753e39ea4f2c740c8ebca8c1e66b86435250c9bcb251cff95c7942e039c8f673257ce226aad0d085f23802e2b698db4b633c14b441cf0816adacb0795bf1
-
Filesize
2KB
MD5c6a224e5cc91ffdd4260941e1fce4777
SHA1f675da9f4eb4f29567e551f8fc0fd20fc9edb0f3
SHA25602d60cf1ba911fecbd996efa6761e0d95073b5686203c40cefd69884381a72d4
SHA51287b2970ec81e727416bf0784d1f9927e71f1d231d4748cddb8933c02a9e92d5ef62de65c81b162d35ee01e08ac45ccedf002c9e8d5902f9070e7607d89fb0447
-
Filesize
2KB
MD52e828b6458b0aba49b53bddd208a80df
SHA17bb35583f167a1c7c95d9e45f0bbeee57cbd5264
SHA2564ca413ae2a91ff6355203b6a1f546dc5713e8fb72b223644f42cb1fe2a3f4dcd
SHA512063e7978e642b9f51d33d5f22d5d7ea53b8ff2e7c00596f8e746006c5ad305759f2fcc81d736da1ac8db160ee441df3b97d3a36570e3e5ec9c9d5302dc1618eb
-
Filesize
3KB
MD55dee86d47e20d6fe65d1c34c60bae7db
SHA1ae67a36940520e0bbe55e8455d29d6f21aff1216
SHA256c41839993812df609bab446a61810bbf6b4f106fadff920dc714c299acbc5443
SHA51209260ed4f7f65f97a041420a77b868906fdf6cf534141e64e9f5e13fa4f8188c0edb22844ef8ab56578bde673c10486e20982f979b5d5a4747cdfe6383b99d15
-
Filesize
3KB
MD51c05beeac3da6a23a5b983f3e0ecc382
SHA1f7e486cd5c3fe0bcd725993566f0d5fb7b5bdda4
SHA2568efde82fba8d3fdda1b3ff11216b15120a3c61baa77a1dd2e9e4a52573b65953
SHA51256786baa4ca4e9c9535504f32af4a0a045de138bc15aa969b1f1f3f995d11655017c303101b7556d4a5721f8cb9dd64f0c40170d15ddde94a7841aa34c0b8f3e
-
Filesize
3KB
MD56e71a61675cf6434ee1be5ed9b924694
SHA1827d58a7b121a0ef5eea1f80e1f1f27eebda0d17
SHA256a6465c0c4f99fcdbf273472e0d6bf883c1c49e4dfd6db1f00e87aaecd6701ce1
SHA512f82189a2cf903bc11f0c5a66d1e47d1576c46c4c2825ba2bbe65c116c3bef1ac8a1d4036ddc39b4646f2552bc3c1d11d4016f3f0cb6802bfc764a538e4810a8e
-
Filesize
3KB
MD5bb1b9156e527d0c0e9022ae88ec68512
SHA1395c5a54bd8fb9cc44a624b6132018a9a38592d1
SHA256083974998f418038002fabe317c3f8556c51974c0b6056db956dc51e6831e978
SHA5123bb0327de5a718d5ccfbb9c3419bbfcdf4fb1972f463c731b71f0d37f937e450257289028cf0dcad4ccfbf3918bf46548a79aa0e4c587cfd6ab1d910edc7e407
-
Filesize
4KB
MD5103658f78812bf2d30f402b30f0175f6
SHA1bf59e4193c780092251385d75c1cca2b225d4c66
SHA25620ab4f0c32fabee18869f552f4b00e4cc80a063ac469f82ba2eafe36a3e94af7
SHA512a381630f962740418f4e966d8d171d2ac851da19e6bcc50abe9cd36827ffe359fc603a19f12567fdab7693fee0b090946038f9beeb932975ce632f6aa7495d76
-
Filesize
4KB
MD5cb2f71581b8048df0972881c02345aad
SHA1e45a933042b3e2fbf63d059296552531af773dda
SHA25664846e780c048091512b2fb30448fa8c2e5d39e2a8ba0988c1f17ab0024ac5b6
SHA512f9dca80355e3d914ad208ffb21ed06c9e3c6168d8bd1937533a495079208a9736890afcaf7e1a63165633452409ab38c0e6a0f5299569765a1f311a6588b168c
-
Filesize
6KB
MD565483850e65fb3c278c4759c87caa166
SHA17bb2923c680a63eaefa558673a79a3b811077828
SHA256af3dfcbb584a4fa81afd36a7c860dd53348fa9a3955722c09e057bb72a6cfdb8
SHA512470079b4a79d126b3ff8d5908514afe33b00dfdefb861794c2181562b5c00c37e395f7c63c4c6cdd29a1a8c9549a108d8a79b62112cf68c86bc97e56ba170fe7
-
Filesize
6KB
MD5a086451ab849d71994198f04da55a294
SHA1055b41c31e850e7340666b1f88fdbf76a53fc5a3
SHA2564e5e0a3997cbf4a28b207c404fe19063da965c2e01a13dd583919042e77f777b
SHA512aa871aff4c73fa88591bf5be9700c606bd5a7178259ea03f84030c98a855c77d1a3cbf4ebf579f62474e072bc97d2bdf4ae32fc49e7a6c91762028f5870fa4ff
-
Filesize
6KB
MD5c115f11bda009078929558e6ece6b529
SHA1aa89061b5466ca01e16dcf5ba5ce583a80815648
SHA256b693ea88e718e15de896ad5c9bf4f5c0971c59d1d6022f87fa95d6dc77add5e8
SHA512d4dd8573d4e25695fcb8b2b1df8fd25a99a7ddc1e56eff0e8b8d7aed588bd3026b595cc5e3d5850de296a5270a3e8905abde42cb5c3fe73d668592a846a32c73
-
Filesize
79KB
MD558d9db73781137ad3fedc6c836dfe3f3
SHA184c400fa58c673ed52dfaa691eea4fbdfc921f65
SHA2560a46a0d086d9d31c4e4dcc4e574ec06bc5fca0d5ea6f03a1ab0e833dd2ab1aca
SHA5122a9fabe134fc6a4354bc011423865014e9bd7cad57af7e77309ec4a016d6bef942d66adfe18d819e3f4853e4b56891127b9205cd01fdcd46b9b9f27a2605fab0
-
Filesize
79KB
MD57722bb10a2bda8cfcca73c17a51908b7
SHA12fbc9c2bd0302b0e917848df88f7a5253deb20ff
SHA2568b80830ea83aa66b5433795a9798e31e255d9d92fc2ab31bb93d31fa7d124e6b
SHA5125f499b0b1ce4f462cc581e4609613202e9753dcf919e55604cb8f5b2bb164a9767a92c3f3082bff2df525c6ae0fe8c7f54d26e8c331447d3eda85e60d42ab2c3
-
Filesize
40B
MD5c0205219cb5287d35c031f5239196bf2
SHA162f5026dfcf7e5358d6861b00e8c4df5049e8d0e
SHA2560de7759f2e8e1a55d71729420d823eefca68db450967f29ae63ff029bd610649
SHA512b867ec5118faf58d7815f12235e401d6207cff22f7b2683ef67bbb224f8503a99d9145b68ba20ebfea3be397792f4086969d99afc0a8e3efea462104b68dd099
-
Filesize
221B
MD558f8a02b6ee859c43469582daa4ee7c5
SHA1133e928deeeea4a5a7590dd9ad3e00544e8348ee
SHA256ebde6108b24704049280ba76f26df196b513641f782b4f340c4a3563a134f655
SHA512501c2c1971775bac5875d8ddb8c629a25b7f11c7ace862f6767a20e8db71269690592df97511bfe9fda052a655a8186db3df23eaf73189a1149b89f9e25d7e80
-
Filesize
1KB
MD5d3c6d1e27fbf5ec5dc8f05381265197e
SHA1ec67f0c9fde6449cc0d8bc8927a57d8697e8c9e0
SHA2560d1a309d623be5866bae1980a942b43fe0ff3be6c867d1c45090377d92c590f5
SHA512966650d01c07cfe4b6bb4252495b7749d8d23c9011fcfeb3c92fcaf35df320af8c1188ed65fa7dbdf0cf2fdeeabac91805a01d949bc025a0e622ed68c6f0d027
-
Filesize
3KB
MD59f82b15790b772d31c52127214aeddd8
SHA1eece3db4052936b8421f98c6585369382eb52743
SHA25675f5cb4f1b03efca9bd4274cc21d91ee97c357a2e86519a524f8d9501647f2d7
SHA5121dc57108b8fb9860b1b4e1e63074f12e67ae3531d26a98cb0b4298979f072b3e4200c38fa7522b25afcc8d62a4e0d44bb4cb05ed10001e7472cc449fe7c91fba
-
Filesize
3KB
MD51705a4373996180822bd30e557b73d3e
SHA10cdc9fa95d8dc285a607bacfd8396ad460621bda
SHA2569d54caeea0d2f517c43642f3db48ea40381bef762033a7db8bbcbe585e448262
SHA512f8021d4bd457cb4bda4be822f44fbf5a08b410e1c083bf570eef6e1e455181722d4ea3b06639902708f88c9c8362ed42a34be8bb41a76d887484b6b7316def3a
-
Filesize
133B
MD5a8d8d7d4692fe309cc2a4f64a66e62a3
SHA1a8e6cd05e38b093fb87192e08c69d6b5062eae7e
SHA256ec71967baffebe80b2f4c5403941789da29fe7f29a0da13d0f1947c5d6ea857e
SHA5121f93ef3a7f667ff765ba68bb31cef50837bd8d63089de550e9cb0898a7797b9b1d7fabf851540cb43d6a77cd07a60c6712b9ca8866ccc755408ff5ca7bd2fcb8
-
Filesize
135B
MD536b8f09340530f94e24dde586d43620e
SHA1e4e03089fcda0f00ab4a46ac3536a1031230f43d
SHA256afb95a47992abd1b214497ccba1fa15be01670218531ffdd50f7626df293177b
SHA512cd0b481d12b79a79c66f6276e6f9a339b59759c6a83168246163b3373042af5308860c9e1b5536e0d16a0d40bb2608dee72908d4063a7d9c3c78a18cd6b657bd
-
Filesize
194B
MD5a2bb40dec84c3b3c399c416b7c58f0dc
SHA1cc0924ab388244e5a1b77928eeca6dbe0b8e61b6
SHA256581d2c81bd6eeaacc61c62cdbe9bbb7a691ebefc2b098ae99c23a794d27af65c
SHA5122441c1a9de2108aa187ee91186c6909f6dd196e64f4d99eddb3c1fca50399f5612784b6353e55aaa43ce00f7d20dc4824ad34defe426b2a6fd525efd80c506a5
-
Filesize
253B
MD5889356fa365e739c9caa839ee544fb09
SHA15f0dc027a1343d3b0f1cbf35ef2b0784efcbd650
SHA256868d968dbe0b4bb3618a28597dda97d521afa8969e5e218154e243b17e05b0b1
SHA512b83a7cdd5ab238c6cf5a0c70be6e01e9690a5bc10cda1e781ef0be44a9568fa10a07476fd4aa80a8479c5fa8d08edebf4f732e33dbec06807e7ef964b1fea5b9
-
Filesize
312B
MD5580be8aa116ca476405e4550ef662d81
SHA1a4bcee6e5d140c169d59378356543b06c86d43bf
SHA256a8c59f5dd5ae79cfa7d7ddb7e8ab1804af93fef1edcda69b8388920743083a5e
SHA5127b4be4dd44c2542bb0fda9812b7eb485b297d2a199d0207c06545a7f5af54ecd4070b637a8833ea91ad2275bd82497f708c75cf6d3c2556692eef8dd42aa7456
-
Filesize
7KB
MD5cf0f509e916b5dd512a83a0e0aff0837
SHA120a4ea4791efe4d5d7aa45aa52d9bc6cde42844a
SHA256d77e10bad33ab76776f26eaf37c1bb05be1aad3f2c9b052ddea3b321487d4797
SHA5129960275b7c6cf1fe99e3c7ef26a6e0d580257058b6d06a5d3a795e8f3753ad184eeaa1135e1e8b8bc718683c3933fb7fd94e122d6c1dbcf3c2dc7fdd0322dbfc
-
Filesize
2.1MB
MD5260b0419ac83a221715f308ae8cf2e10
SHA189d451489cb6f9f5e4de178f98d6aa8940ebb77a
SHA256a73514eb4de61efb54c73f76b6be4383d41b493dbe94e8308e96ca2344a95ac0
SHA512793d63a9a510c2d49c01101881fd64acde9f7225cb0ede52a15f7d71baaaebd835d51011847843b049778529ffa0ed85a53a039187e4cb9f19a927c936119f7e