d906d6126a1e9c9569ef81605d02f03ef94aa57b3ab9cbd56c996baf22fa461b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gatherNetworkInfo.vbs
Size

86KB
MD5

2e6af4d5bf6e31e728f409984c3045d4
SHA1

757bf5310f40a69d883f11e75f220e02fbaa0127
SHA256

d906d6126a1e9c9569ef81605d02f03ef94aa57b3ab9cbd56c996baf22fa461b
SHA512

2ff376bee712a61cb4a6ff8f0f3ac0ac9778acdaf0cb767d9d085502cb8e9365458292266e994a3d973494759b43181511aaf050ec0d48bfa7e51b07a3b56bfa
SSDEEP

1536:sImNGeeGUJIgZf/A+qfwkgKo9kNxyJ3OOjPl68fef0qIbIE5ToGdKTYL7TBHQ/8S:sImNGXGUJtx/A+qfol6yqZs8J

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
61	2232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1244	netsh.exe
4472	netsh.exe
2996	netsh.exe
1424	netsh.exe
3876	netsh.exe
4064	netsh.exe
4708	netsh.exe
3708	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3800	dismhost.exe

Loads dropped DLL 5 IoCs

pid	Process
3800	dismhost.exe
3800	dismhost.exe
3800	dismhost.exe
3800	dismhost.exe
3800	dismhost.exe

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1536	cmd.exe
2696	cmd.exe
372	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3328	cmd.exe
3440	powercfg.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4064	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3964	sc.exe
2444	sc.exe
1456	sc.exe
4972	sc.exe
2700	sc.exe
3084	sc.exe
4940	sc.exe
4948	sc.exe
1456	sc.exe
664	sc.exe
1344	sc.exe
3800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4472	PING.EXE
4704	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS	dispdiag.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	dispdiag.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1736	ipconfig.exe
412	ipconfig.exe
2360	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4712	systeminfo.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{BC3F5DC5-AAAD-4243-ABFA-8BF006F4FEF5}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{CD40AF29-6318-4F7D-B6A0-063DBFC60C17}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3560	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4472	PING.EXE
4704	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
684	dxdiag.exe
684	dxdiag.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4728	WScript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3440	powercfg.exe
Token: SeCreatePagefilePrivilege	3440	powercfg.exe
Token: SeDebugPrivilege	4064	tasklist.exe
Token: SeSecurityPrivilege	1620	wevtutil.exe
Token: SeBackupPrivilege	1620	wevtutil.exe
Token: SeSecurityPrivilege	2300	wevtutil.exe
Token: SeBackupPrivilege	2300	wevtutil.exe
Token: SeSecurityPrivilege	2852	wevtutil.exe
Token: SeBackupPrivilege	2852	wevtutil.exe
Token: SeSecurityPrivilege	4632	wevtutil.exe
Token: SeBackupPrivilege	4632	wevtutil.exe
Token: SeSecurityPrivilege	632	wevtutil.exe
Token: SeBackupPrivilege	632	wevtutil.exe
Token: SeSecurityPrivilege	3584	wevtutil.exe
Token: SeBackupPrivilege	3584	wevtutil.exe
Token: SeSecurityPrivilege	4144	wevtutil.exe
Token: SeBackupPrivilege	4144	wevtutil.exe
Token: SeSecurityPrivilege	2484	wevtutil.exe
Token: SeBackupPrivilege	2484	wevtutil.exe
Token: SeSecurityPrivilege	1388	wevtutil.exe
Token: SeBackupPrivilege	1388	wevtutil.exe
Token: SeSecurityPrivilege	3560	wevtutil.exe
Token: SeBackupPrivilege	3560	wevtutil.exe
Token: SeSecurityPrivilege	4332	wevtutil.exe
Token: SeBackupPrivilege	4332	wevtutil.exe
Token: SeSecurityPrivilege	2736	wevtutil.exe
Token: SeBackupPrivilege	2736	wevtutil.exe
Token: SeSecurityPrivilege	4556	wevtutil.exe
Token: SeBackupPrivilege	4556	wevtutil.exe
Token: SeSecurityPrivilege	4376	wevtutil.exe
Token: SeBackupPrivilege	4376	wevtutil.exe
Token: SeSecurityPrivilege	2340	wevtutil.exe
Token: SeBackupPrivilege	2340	wevtutil.exe
Token: SeSecurityPrivilege	3708	wevtutil.exe
Token: SeBackupPrivilege	3708	wevtutil.exe
Token: SeSecurityPrivilege	2988	wevtutil.exe
Token: SeBackupPrivilege	2988	wevtutil.exe
Token: SeSecurityPrivilege	1708	wevtutil.exe
Token: SeBackupPrivilege	1708	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	4384	WMIC.exe
Token: SeSecurityPrivilege	4384	WMIC.exe
Token: SeTakeOwnershipPrivilege	4384	WMIC.exe
Token: SeLoadDriverPrivilege	4384	WMIC.exe
Token: SeSystemProfilePrivilege	4384	WMIC.exe
Token: SeSystemtimePrivilege	4384	WMIC.exe
Token: SeProfSingleProcessPrivilege	4384	WMIC.exe
Token: SeIncBasePriorityPrivilege	4384	WMIC.exe
Token: SeCreatePagefilePrivilege	4384	WMIC.exe
Token: SeBackupPrivilege	4384	WMIC.exe
Token: SeRestorePrivilege	4384	WMIC.exe
Token: SeShutdownPrivilege	4384	WMIC.exe
Token: SeDebugPrivilege	4384	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4384	WMIC.exe
Token: SeRemoteShutdownPrivilege	4384	WMIC.exe
Token: SeUndockPrivilege	4384	WMIC.exe
Token: SeManageVolumePrivilege	4384	WMIC.exe
Token: 33	4384	WMIC.exe
Token: 34	4384	WMIC.exe
Token: 35	4384	WMIC.exe
Token: 36	4384	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4384	WMIC.exe
Token: SeSecurityPrivilege	4384	WMIC.exe
Token: SeTakeOwnershipPrivilege	4384	WMIC.exe
Token: SeLoadDriverPrivilege	4384	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
684	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 116	4728	WScript.exe	84
PID 4728 wrote to memory of 116	4728	WScript.exe	84
PID 4728 wrote to memory of 4716	4728	WScript.exe	86
PID 4728 wrote to memory of 4716	4728	WScript.exe	86
PID 116 wrote to memory of 2936	116	cmd.exe	88
PID 116 wrote to memory of 2936	116	cmd.exe	88
PID 4716 wrote to memory of 4008	4716	cmd.exe	89
PID 4716 wrote to memory of 4008	4716	cmd.exe	89
PID 4728 wrote to memory of 2704	4728	WScript.exe	90
PID 4728 wrote to memory of 2704	4728	WScript.exe	90
PID 2704 wrote to memory of 2296	2704	cmd.exe	93
PID 2704 wrote to memory of 2296	2704	cmd.exe	93
PID 4728 wrote to memory of 3592	4728	WScript.exe	94
PID 4728 wrote to memory of 3592	4728	WScript.exe	94
PID 3592 wrote to memory of 3204	3592	cmd.exe	96
PID 3592 wrote to memory of 3204	3592	cmd.exe	96
PID 4728 wrote to memory of 5048	4728	WScript.exe	97
PID 4728 wrote to memory of 5048	4728	WScript.exe	97
PID 5048 wrote to memory of 4588	5048	cmd.exe	99
PID 5048 wrote to memory of 4588	5048	cmd.exe	99
PID 4728 wrote to memory of 2984	4728	WScript.exe	100
PID 4728 wrote to memory of 2984	4728	WScript.exe	100
PID 2984 wrote to memory of 1696	2984	cmd.exe	102
PID 2984 wrote to memory of 1696	2984	cmd.exe	102
PID 4728 wrote to memory of 4980	4728	WScript.exe	103
PID 4728 wrote to memory of 4980	4728	WScript.exe	103
PID 4980 wrote to memory of 1424	4980	cmd.exe	105
PID 4980 wrote to memory of 1424	4980	cmd.exe	105
PID 4728 wrote to memory of 3168	4728	WScript.exe	106
PID 4728 wrote to memory of 3168	4728	WScript.exe	106
PID 3168 wrote to memory of 2384	3168	cmd.exe	108
PID 3168 wrote to memory of 2384	3168	cmd.exe	108
PID 4728 wrote to memory of 2232	4728	WScript.exe	109
PID 4728 wrote to memory of 2232	4728	WScript.exe	109
PID 2232 wrote to memory of 908	2232	cmd.exe	111
PID 2232 wrote to memory of 908	2232	cmd.exe	111
PID 4728 wrote to memory of 2548	4728	WScript.exe	112
PID 4728 wrote to memory of 2548	4728	WScript.exe	112
PID 2548 wrote to memory of 1968	2548	cmd.exe	114
PID 2548 wrote to memory of 1968	2548	cmd.exe	114
PID 4728 wrote to memory of 2072	4728	WScript.exe	115
PID 4728 wrote to memory of 2072	4728	WScript.exe	115
PID 2072 wrote to memory of 1568	2072	cmd.exe	117
PID 2072 wrote to memory of 1568	2072	cmd.exe	117
PID 4728 wrote to memory of 3936	4728	WScript.exe	118
PID 4728 wrote to memory of 3936	4728	WScript.exe	118
PID 3936 wrote to memory of 2596	3936	cmd.exe	120
PID 3936 wrote to memory of 2596	3936	cmd.exe	120
PID 4728 wrote to memory of 3800	4728	WScript.exe	121
PID 4728 wrote to memory of 3800	4728	WScript.exe	121
PID 3800 wrote to memory of 2376	3800	cmd.exe	123
PID 3800 wrote to memory of 2376	3800	cmd.exe	123
PID 4728 wrote to memory of 4056	4728	WScript.exe	124
PID 4728 wrote to memory of 4056	4728	WScript.exe	124
PID 4056 wrote to memory of 1544	4056	cmd.exe	126
PID 4056 wrote to memory of 1544	4056	cmd.exe	126
PID 4728 wrote to memory of 1112	4728	WScript.exe	127
PID 4728 wrote to memory of 1112	4728	WScript.exe	127
PID 1112 wrote to memory of 3984	1112	cmd.exe	129
PID 1112 wrote to memory of 3984	1112	cmd.exe	129
PID 4728 wrote to memory of 3436	4728	WScript.exe	130
PID 4728 wrote to memory of 3436	4728	WScript.exe	130
PID 3436 wrote to memory of 4196	3436	cmd.exe	133
PID 3436 wrote to memory of 4196	3436	cmd.exe	133

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gatherNetworkInfo.vbs"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c gpresult /scope:computer /v 1> config\gpresult.txt 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\gpresult.exe
    gpresult /scope:computer /v
    3⤵
    PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /y
    3⤵
    PID:4008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" Reg\AllCred.reg.txt /y
    3⤵
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" Reg\AllCredFilter.reg.txt /y
    3⤵
    PID:3204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}" Reg\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt /y
    3⤵
    PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}" Reg\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt /y
    3⤵
    PID:1696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}" Reg\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt /y
    3⤵
    PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions" Reg\APIPerm.reg.txt /y
    3⤵
    PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy" Reg\GPT.reg.txt /y
    3⤵
    PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\Wlansvc" Reg\HKCUWlanSvc.reg.txt /y
    3⤵
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\Wlansvc" Reg\HKLMWlanSvc.reg.txt /y
    3⤵
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Microsoft\dot3svc" Reg\HKLMDot3Svc.reg.txt /y
    3⤵
    PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\system32\reg.exe
    reg export "HKCU\SOFTWARE\Microsoft\dot3svc" Reg\HKCUDot3Svc.reg.txt /y
    3⤵
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy" Reg\L2GP.reg.txt /y
    3⤵
    PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList" Reg\NetworkProfiles.reg.txt /y
    3⤵
    PID:3984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\system32\reg.exe
    reg export "HKLM\SOFTWARE\Policies\Microsoft\WcmSvc" Reg\WCMPolicy.reg.txt /y
    3⤵
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set processor >> config\osinfo.txt
  2⤵
  PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c systeminfo >> config\osinfo.txt
  2⤵
  PID:4900
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set u >> config\osinfo.txt
  2⤵
  PID:3168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powercfg.exe /batteryreport /output config\battery-report.html
  2⤵
  - Power Settings
  PID:3328
- - C:\Windows\system32\powercfg.exe
    powercfg.exe /batteryreport /output config\battery-report.html
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist /svc > processes.txt
  2⤵
  PID:2324
- - C:\Windows\system32\tasklist.exe
    tasklist /svc
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
  2⤵
  PID:3236
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WLANAutoConfigLog.evtx
  2⤵
  PID:2376
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WLANAutoConfigLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
  2⤵
  PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WCMLog.evtx
  2⤵
  PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WCMLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
  2⤵
  PID:2412
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-WWAN-SVC-EVENTS/Operational" config\WWANLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WWANLog.evtx
  2⤵
  PID:2536
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WWANLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show all > config\envinfo.txt
  2⤵
  PID:5060
- - C:\Windows\system32\netsh.exe
    netsh wlan show all
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show interfaces >> config\envinfo.txt
  2⤵
  PID:2312
- - C:\Windows\system32\netsh.exe
    netsh lan show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show settings >> config\envinfo.txt
  2⤵
  PID:4332
- - C:\Windows\system32\netsh.exe
    netsh lan show settings
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh lan show profiles >> config\envinfo.txt
  2⤵
  PID:4972
- - C:\Windows\system32\netsh.exe
    netsh lan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show interfaces >> config\envinfo.txt
  2⤵
  PID:1404
- - C:\Windows\system32\netsh.exe
    netsh mbn show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show profile name=* interface=* >> config\envinfo.txt
  2⤵
  PID:4872
- - C:\Windows\system32\netsh.exe
    netsh mbn show profile name=* interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show readyinfo interface=* >> config\envinfo.txt
  2⤵
  PID:988
- - C:\Windows\system32\netsh.exe
    netsh mbn show readyinfo interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh mbn show capability interface=* >> config\envinfo.txt
  2⤵
  PID:1848
- - C:\Windows\system32\netsh.exe
    netsh mbn show capability interface=*
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\envinfo.txt
  2⤵
  PID:4056
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\envinfo.txt
  2⤵
  PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ROUTE PRINT: >> config\envinfo.txt
  2⤵
  PID:3124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c route print >> config\envinfo.txt
  2⤵
  PID:4880
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:3388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent My >> config\envinfo.txt
  2⤵
  PID:3812
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent My
    3⤵
    PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent -user My >> config\envinfo.txt
  2⤵
  PID:2316
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent -user My
    3⤵
    PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -store -silent root >> config\envinfo.txt
  2⤵
  PID:4012
- - C:\Windows\system32\certutil.exe
    certutil -v -store -silent root
    3⤵
    PID:3836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -enterprise -store -silent NTAuth >> config\envinfo.txt
  2⤵
  PID:2804
- - C:\Windows\system32\certutil.exe
    certutil -v -enterprise -store -silent NTAuth
    3⤵
    PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -v -user -store -silent root >> config\envinfo.txt
  2⤵
  PID:1500
- - C:\Windows\system32\certutil.exe
    certutil -v -user -store -silent root
    3⤵
    PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh winsock show catalog > config\WinsockCatalog.txt
  2⤵
  PID:4972
- - C:\Windows\system32\netsh.exe
    netsh winsock show catalog
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Current Profiles: > config\WindowsFirewallConfig.txt
  2⤵
  PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txt
  2⤵
  PID:664
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show currentprofile
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall >> config\WindowsFirewallConfig.txt
  2⤵
  PID:4220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Configuration: >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3736
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:2312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules : >> config\WindowsFirewallConfig.txt
  2⤵
  PID:4648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallConfig.txt
  2⤵
  PID:3216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall consec show rule name=all verbose >> config\WindowsFirewallConfig.txt
  2⤵
  PID:1836
- - C:\Windows\system32\netsh.exe
    netsh advfirewall consec show rule name=all verbose
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Firewall Rules currently enforced : > config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:4872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show firewall rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:4408
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show firewall rule name=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Connection Security Rules currently enforced : >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:4676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ------------------------------------------------------------------------ >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show consec rule name=all >> config\WindowsFirewallEffectiveRules.txt
  2⤵
  PID:1156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall monitor show consec rule name=all
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
  2⤵
  PID:1592
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLog.evtx
  2⤵
  PID:2212
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLog.evtx
  2⤵
  PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:2140
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallLogVerbose.evtx
  2⤵
  PID:2804
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:4712
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose" config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
  2⤵
  PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\WindowsFirewallConsecLogVerbose.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dxdiag /t dxdiag.txt
  2⤵
  PID:1648
- - C:\Windows\system32\dxdiag.exe
    dxdiag /t dxdiag.txt
    3⤵
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dispdiag -out dispdiag_stop.dat
  2⤵
  PID:632
- - C:\Windows\system32\dispdiag.exe
    dispdiag -out dispdiag_stop.dat
    3⤵
    - Enumerates system info in registry
    PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c time /t >> config\wlaninfo.txt
  2⤵
  PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wl show i >> config\wlaninfo.txt
  2⤵
  PID:3188
- - C:\Windows\system32\netsh.exe
    netsh wl show i
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wl show d >> config\wlaninfo.txt
  2⤵
  PID:3208
- - C:\Windows\system32\netsh.exe
    netsh wl show d
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show interfaces >> config\wlaninfo.txt
  2⤵
  PID:2340
- - C:\Windows\system32\netsh.exe
    netsh wlan show interfaces
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan sho net m=b >> config\wlaninfo.txt
  2⤵
  PID:4624
- - C:\Windows\system32\netsh.exe
    netsh wlan sho net m=b
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wcncsvc >> config\WcnInfo.txt
  2⤵
  PID:4376
- - C:\Windows\system32\sc.exe
    sc query wcncsvc
    3⤵
    - Launches sc.exe
    PID:3084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query wlansvc >> config\WcnInfo.txt
  2⤵
  PID:996
- - C:\Windows\system32\sc.exe
    sc query wlansvc
    3⤵
    - Launches sc.exe
    PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:3228
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:3964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query fdrespub >> config\WcnInfo.txt
  2⤵
  PID:4036
- - C:\Windows\system32\sc.exe
    sc query fdrespub
    3⤵
    - Launches sc.exe
    PID:4948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query upnphost >> config\WcnInfo.txt
  2⤵
  PID:2232
- - C:\Windows\system32\sc.exe
    sc query upnphost
    3⤵
    - Launches sc.exe
    PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc query eaphost >> config\WcnInfo.txt
  2⤵
  PID:4088
- - C:\Windows\system32\sc.exe
    sc query eaphost
    3⤵
    - Launches sc.exe
    PID:1456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /all >> config\WcnInfo.txt
  2⤵
  PID:1184
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wlan show device >> config\WcnInfo.txt
  2⤵
  PID:3260
- - C:\Windows\system32\netsh.exe
    netsh wlan show device
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> config\WcnInfo.txt
  2⤵
  PID:1104
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters
    3⤵
    PID:3104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall show currentprofile >> config\WcnInfo.txt
  2⤵
  PID:2312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall show currentprofile
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface teredo show state > config\netiostate.txt
  2⤵
  PID:1636
- - C:\Windows\system32\netsh.exe
    netsh interface teredo show state
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show interface >> config\netiostate.txt
  2⤵
  PID:216
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show interface
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface httpstunnel show statistics >> config\netiostate.txt
  2⤵
  PID:4856
- - C:\Windows\system32\netsh.exe
    netsh interface httpstunnel show statistics
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo IPCONFIG /DISPLAYDNS: >> config\Dns.txt
  2⤵
  PID:1344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /displaydns >> config\Dns.txt
  2⤵
  PID:1836
- - C:\Windows\system32\ipconfig.exe
    ipconfig /displaydns
    3⤵
    - Gathers network information
    PID:2360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW EFFECTIVE: >> config\Dns.txt
  2⤵
  PID:4920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show effective >> config\Dns.txt
  2⤵
  PID:3736
- - C:\Windows\system32\netsh.exe
    netsh namespace show effective
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Dns.txt
  2⤵
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH NAMESPACE SHOW POLICY: >> config\Dns.txt
  2⤵
  PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh namespace show policy >> config\Dns.txt
  2⤵
  PID:4364
- - C:\Windows\system32\netsh.exe
    netsh namespace show policy
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo ARP -A: >> config\Neighbors.txt
  2⤵
  - Network Service Discovery
  PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c arp -a >> config\Neighbors.txt
  2⤵
  - Network Service Discovery
  PID:2696
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    PID:372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\Neighbors.txt
  2⤵
  PID:3992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NETSH INT IPV6 SHOW NEIGHBORS: >> config\Neighbors.txt
  2⤵
  PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh int ipv6 show neigh >> config\Neighbors.txt
  2⤵
  PID:908
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 show neigh
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -N: >> config\FileSharing.txt
  2⤵
  PID:772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -n >> config\FileSharing.txt
  2⤵
  PID:4036
- - C:\Windows\system32\nbtstat.exe
    nbtstat -n
    3⤵
    PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NBTSTAT -C: >> config\FileSharing.txt
  2⤵
  PID:4880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c nbtstat -c >> config\FileSharing.txt
  2⤵
  PID:3996
- - C:\Windows\system32\nbtstat.exe
    nbtstat -c
    3⤵
    PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG RDR: >> config\FileSharing.txt
  2⤵
  PID:3548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config rdr >> config\FileSharing.txt
  2⤵
  PID:3104
- - C:\Windows\system32\net.exe
    net config rdr
    3⤵
    PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config rdr
      4⤵
      PID:4980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:4364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET CONFIG SRV: >> config\FileSharing.txt
  2⤵
  PID:2312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net config srv >> config\FileSharing.txt
  2⤵
  PID:4556
- - C:\Windows\system32\net.exe
    net config srv
    3⤵
    PID:2448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config srv
      4⤵
      PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo. >> config\FileSharing.txt
  2⤵
  PID:4316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo NET SHARE: >> config\FileSharing.txt
  2⤵
  PID:4076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net share >> config\FileSharing.txt
  2⤵
  PID:3824
- - C:\Windows\system32\net.exe
    net share
    3⤵
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 share
      4⤵
      PID:3228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show netevents file=config\netevents.xml 1> config\neteventslog.txt 2>&1
  2⤵
  PID:1900
- - C:\Windows\system32\netsh.exe
    netsh wfp show netevents file=config\netevents.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show state file=config\wfpstate.xml 1> config\wfpstatelog.txt 2>&1
  2⤵
  PID:544
- - C:\Windows\system32\netsh.exe
    netsh wfp show state file=config\wfpstate.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh wfp show sysports file=config\sysports.xml 1> config\sysportslog.txt 2>&1
  2⤵
  PID:3036
- - C:\Windows\system32\netsh.exe
    netsh wfp show sysports file=config\sysports.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
  2⤵
  PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" config\VmSwitchLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmSwitchLog.evtx
  2⤵
  PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\VmSwitchLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
  2⤵
  PID:1536
- - C:\Windows\system32\wevtutil.exe
    wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" config\VmmsNetworkingLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil al config\VmmsNetworkingLog.evtx
  2⤵
  PID:5072
- - C:\Windows\system32\wevtutil.exe
    wevtutil al config\VmmsNetworkingLog.evtx
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic qfe >> config\Hotfixinfo.log
  2⤵
  PID:4500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic qfe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex nativewifip >> config\serviceinfo.log
  2⤵
  PID:4316
- - C:\Windows\system32\sc.exe
    sc.exe queryex nativewifip
    3⤵
    - Launches sc.exe
    PID:664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc nativewifip >> config\serviceinfo.log
  2⤵
  PID:372
- - C:\Windows\system32\sc.exe
    sc.exe qc nativewifip
    3⤵
    - Launches sc.exe
    PID:1344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex wlansvc >> config\serviceinfo.log
  2⤵
  PID:3196
- - C:\Windows\system32\sc.exe
    sc.exe queryex wlansvc
    3⤵
    - Launches sc.exe
    PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc wlansvc >> config\serviceinfo.log
  2⤵
  PID:772
- - C:\Windows\system32\sc.exe
    sc.exe qc wlansvc
    3⤵
    - Launches sc.exe
    PID:1456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe queryex dhcp >> config\serviceinfo.log
  2⤵
  PID:1516
- - C:\Windows\system32\sc.exe
    sc.exe queryex dhcp
    3⤵
    - Launches sc.exe
    PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe qc dhcp >> config\serviceinfo.log
  2⤵
  PID:2060
- - C:\Windows\system32\sc.exe
    sc.exe qc dhcp
    3⤵
    - Launches sc.exe
    PID:3800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports >> config\winsock.log
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    reg.exe query hklm\system\CurrentControlSet\Services\Winsock\Parameters /v Transports
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List" >> config\winsock.log
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg.exe query "hklm\system\CurrentControlSet\Services\Winsock\Setup Migration" /v "Provider List"
    3⤵
    PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh.exe winsock show catalog >> config\winsock.log
  2⤵
  PID:3708
- - C:\Windows\system32\netsh.exe
    netsh.exe winsock show catalog
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies config\EDPPolicies.reg /y /Reg:64
    3⤵
    PID:744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
  2⤵
  PID:3124
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers config\PolicyManager.reg /y /Reg:64
    3⤵
    PID:1484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
  2⤵
  PID:1132
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener config\HomeGroupListener.reg /y /Reg:64
    3⤵
    PID:664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
  2⤵
  PID:3084
- - C:\Windows\system32\reg.exe
    Reg.exe Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider config\HomeGroupProvider.reg /y /Reg:64
    3⤵
    PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $net_adapter=(Get-NetAdapter -IncludeHidden); $output= ($net_adapter); $output += ($net_adapter | fl *); $output += (Get-NetAdapterAdvancedProperty | fl); $net_adapter_bindings=(Get-NetAdapterBinding -IncludeHidden); $output += ($net_adapter_bindings); $output += ($net_adapter_bindings | fl); $output += (Get-NetIpConfiguration -Detailed); $output += (Get-DnsClientNrptPolicy); $output += (Resolve-DnsName bing.com); $output += (ping bing.com -4); $output += (ping bing.com -6); $output += (Test-NetConnection bing.com -InformationLevel Detailed); $output += (Test-NetConnection bing.com -InformationLevel Detailed -CommonTCPPort HTTP); $output += (Get-NetRoute); $output += (Get-NetIPaddress); $output += (Get-NetLbfoTeam); $output += (Get-Service -Name:VMMS); $output += (Get-VMSwitch); $output += "(Get-VMNetworkAdapter -all)"; $output += (Get-DnsClientNrptPolicy); $output += (Get-WindowsOptionalFeature -Online); $output += (Get-Service | fl); $pnp_devices = (Get-PnpDevice); $output += ($pnp_devices); $output += ($pnp_devices | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_InstanceId,DEVPKEY_Device_DevNodeStatus,DEVPKEY_Device_ProblemCode); $output | Out-File config\PowershellInfo.log
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4472
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com -6
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4704
- - C:\Users\Admin\AppData\Local\Temp\0DC15C50-2A67-4214-B6CA-486019109AB0\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\0DC15C50-2A67-4214-B6CA-486019109AB0\dismhost.exe {72003A6F-D9B0-4C98-874B-41F228EB8A00}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REG23CF.tmp

Filesize
20KB

MD5
6e9deb76069796219349ac3a7d051de5

SHA1
03857c01fdc89455c5bd2f7777e172981d0a16fe

SHA256
0d023b38b841fe7f36d149757ba29af13780c898d2589bd3f1acc492d97f9de7

SHA512
b70a9c031c1efdd1a0290f71d061e865246575be954b530af2bd73ecfb288e172890f1b70be23f4c73ba85ec0bfcda6424e756d288c838cab7a65b7796767d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG244C.tmp

Filesize
5KB

MD5
8e7756612e131e3995df35b729accab6

SHA1
2f14ca117bb86dee7f44fbcdfea479e66830b208

SHA256
3259dcca8c1c4f309199014b3f5ac6a3e63e6d271904f98d89f18d8b23db6efd

SHA512
3f4458429ee2585514d306c9d17ab71de62372de3b14faf7ff2c30c050aa76b8c98402d33dd00a48fa0380d6ed3d63cd1b3655079cac591ec710040caa771e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG24AA.tmp

Filesize
1KB

MD5
438c3e536a4deb87cff81c837dc90eb3

SHA1
05d2a07778146097a8c9bafdf4f43dfebaa4c289

SHA256
5a5b65c7953311a4113db29880a1a583b9ca8aa3cebba1d08e1e98a4c33ad23c

SHA512
c077dbf0537659124cfa553c4e062b2bb188f76988a31dea3276edf06d200d00706900746a843004d79d3431c5b5a3715590f8488c5db6f51ce0a4fa58f41ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG87DD.tmp

Filesize
5KB

MD5
9b854efe8795d80357d5515cc1d4186f

SHA1
0dd86c1a5e889126d928cc802c8604666f1962f4

SHA256
aa7cfb6e102c4d6e38eb3dca4f3df416b9657c808b8ddfc4d284627be9c14803

SHA512
8276d6f75abdf1f8cb47d32c30dfccfb0d5b61275c179f330d4bc8668689845b9393030e9f35703ed703a6f25e9762eb081406e4abf0c83953c88046e62c82fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG884A.tmp

Filesize
8KB

MD5
a69498c41719466c796f934cf8465148

SHA1
4cdd546487816f593ff7d90cb92b8dd8c67d7075

SHA256
91c6d0e069fff8710ea5216d6a467f7b862888b0e88f80dc808f77b164360fa7

SHA512
55a424f27d9861f7e24929a00d0d62a600e2043e999adb3be365afbfbfd93ff7759938c87dc66c5431dbd6f26f98f8fea6698f29053b52e9e1931e35f44d7b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG88B8.tmp

Filesize
634B

MD5
9a5a295efdc30925c631166a5d041bd3

SHA1
06068ba50872e1cf5ebfd08697e000afe3088bae

SHA256
88275b3c833910726328d29fb29f50ff6e5d357e8d3f316362c6d709d5fa5ef5

SHA512
7ad1813c3e4e639510e6e743d48fc83105b8f07c1502370eea11dd9c41c1360f6c20692ffc2588a1e0e280240c524201cdce92b4d137b16830848b592a31819c

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG8AAC.tmp

Filesize
2KB

MD5
8d0253d6d2ff5866c0ca9a29db086322

SHA1
c2161a4576bd2bc4aaa09f1426183ff45a75a123

SHA256
dbe14ba69d94c7e70d92fef91a390a6dcc70389dcd0b271906676863038eee1c

SHA512
9c7ce97a58bb3540ff79628e8aadcf0adcb0e6cec47e57ccb210ad30d85826f3fde646b3e15c9f092ed7d2a69f694b04c36f54ccb771da21ee9956979c04a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG8BB5.tmp

Filesize
7KB

MD5
079eea4df15a54637c102e8786ad9110

SHA1
e34c25eaea4498d101076f705a228063cfba070b

SHA256
09c647e8a85a46f0c4f7ce758d3a4bc5779a177f394ef126caae08f88e5c493f

SHA512
9269e0a6441e2efa10f7c1f8ac3162025030f2040660a24fc8640929ea52f036aab45840a02de15277b5aa439bfa5f36f4a77bbf507b5e4d4c10ef4d5ff6ed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkorjjdx.xx4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\Dns.txt

Filesize
14KB

MD5
b47e310288e53c342701b03f9575c4b6

SHA1
9ea22b9aff04c994a0d325f0c0becd29b4cb19fe

SHA256
89551b5c983a1bfa2c3d93d0c307b4ae7e2dbfa6cc6b40c9a3c4b675d975efbe

SHA512
ec74eeb63ee6dd112187f53a4c375dfb2b7aaf65a7907119011509403e7b683cd6de45a07d814cd83affb03117a033f961721d8d7d562280a02386ed95af3613

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
180B

MD5
e9d9c70311e468c5ac1e313ea317e31f

SHA1
3ec7e470b8e8a747dff0b312afbe8f9f859fdb56

SHA256
f89da86624bb8f26a5b624932253966dc7cd97ce87eeacf19ed9cc8c77f650be

SHA512
644e4d6b2fe77af31ae29b48a6d46761e3a4cacd1f979bd25994051cc8280b218f7bd6512eb592a11f2b65554551887dde988d264b1e0e215198539d060c1582

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
455B

MD5
11331075e463e6cc232419d9c5a23945

SHA1
2ac8dd5fda25ff577ad32020d417ee7218abb0da

SHA256
5a84886b89430498df9ef0c57b8e982ffbdbd07000678fd94093feec9343fe52

SHA512
eaca25d1656d70b6e7e125476e40ba53cad085da432328b0a8303d4c332b03c37d1fc8b5073f526b8183d18db07f76cc6399ed95255f41f52a9dd89120ee1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
728B

MD5
83238b17864fc7a4e9255f941069cc77

SHA1
1314353ec44aa89f8c9771c9e2631772d62dbd6a

SHA256
a6590f11feceacf7867707db549b38e47512e5163c113dbd38d5507ac131703a

SHA512
d9c6afad490a90144c6402284a28cc4a99d9c7d1d0182ecff35aa3d248a86c6d41800dec0c1485f6a082c56213028d49f4dc3761d442cbddab22b7a805293515

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1003B

MD5
18d6368f108c94d08858db45a8f850d9

SHA1
f9a67905121641d183c9a9a1be41cc5187dbfcad

SHA256
eac4ceeb16facafdaf32f393fff2b45c115dfa10a4f9e039e88cd9cd9ab11f0c

SHA512
5aac62a7b5398b879a8a5ef387ecdab72440779f7ac84ea960050e1b80ef264031f47e1ad1a0b9ae0f18f1900829937eb804f7d70307b5f98a4044558aab9292

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
86f3eef9a2046d107f5294266e2acaa5

SHA1
359d8ce17b11a5b679a38dc72a8b53eefcb93e3d

SHA256
9c77d9bf5f1367256b8adbf5170398402a8a5587af0e97ef50dfba8e17640408

SHA512
03b4c47e4323f68fb6e27ef75aae311c4ee2db823e4efc7c748a0a0c69e8aa23bda67d529d22d8307b7267fcdaf01867a9b1a5a384cde163ac6df833e1a21fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
dc4420c1062494067b18d001f9588f04

SHA1
e33009c1a9e99434fb9eb88bc8d8bc3f8ae2ce22

SHA256
2def975e3063dfdd2ded02222ad6b29c5aa697874f8a57fecaec3eee1c572ff5

SHA512
24f381eff215fed63d444458f0967645b32124832a1726ec8a8f7829561678f18326719f6efa1baedf9db661ad9699c66ce9dafa330bdbdfef02480aa1dab985

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
1KB

MD5
3f7707b5c2ca7e2b11fa7c653892c556

SHA1
3e26fa9816b886a00619b85c3c4d207646a17579

SHA256
a2ad56eeb8d9d4fc93d24661268e5a4a7e648325b16c3c4f3d0f496626314635

SHA512
f75d9f51c4f75bc25627ae52fdd7fe53c4dea07b0229f059c7ec03ec3ae5ec338db9ceda7db4dee3aea8c74150dea7eaa223ecd1c0b6170a91d25fdde91c49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
6KB

MD5
2347df75da1c4613d8eb3141f5da79a7

SHA1
a24b5c60d33f7261c3a397f66d7f9c70b0e9befd

SHA256
bef63a38bc0739978896a484f09c48f86fadb10cbe2d527446bdd2af0f52b30b

SHA512
1f6be5c4047982f06c54eee9ced713e13b58e0646fd54b2eeded90a9af609429cf0a1e5342fac189d9cdafe54ca26f4c97b655a4f0df72c21d8c4f27419d8b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
33bf26198909e8cc003cd62c6445c6e7

SHA1
55564a6ad8b1f8cfe30626b2a3e99184c32b9394

SHA256
4914433294d4e68845425336973765db18a018c64902bdafc4680f92ee6ee5d1

SHA512
c7a88bb7eb7d18550369975463c9d81674c478063be8f86321bce9e778871ac0825441c53bc5765730f2bc686281e6f0adc3ea59ce5de2f379bbe4ad1992cc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
17f44a38d29cc6c7067211d02bb7b564

SHA1
13964109a19bbf2f4d809fcdcf625d77c2206c89

SHA256
46a308dd67d07e7922d30e4a8727acfb587dcf1f7848aa187168020296843e4a

SHA512
39009e05112086302523f716f87620d7c20f64e6ca5dd847388aedfdc36d070d92e1d40a925143944042618091bd0ad63d59fab2cff7f18d159721f30be3697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
e06b83e753ac64ddea35971037e6fd24

SHA1
3250f1c0d0cba4781dc228c0e4293f587d78bc62

SHA256
6d5c9d548fccdfeb54055f1c1eaac19d9a238fdc658ae13ff72744ec4d00d336

SHA512
2964dbc0305d7065149235c291ce4ac7f0505b6fc065c70156090dbf9a546d67c8b28923f370159f1dc0889ccf78965cbcb93b9ca2c4bab9643b7d82d7354f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WcnInfo.txt

Filesize
7KB

MD5
4d716855f5106868a010cc48597abd3e

SHA1
33308df661ff88115815d799688f8e6544bf22f2

SHA256
751d4a523417960d123a41789ed5d4923ec8483052fd926474fcd58dd1cc42f6

SHA512
c1582f63a8275deb3e227240c39a4b508a7202ca4025a0e6e984a69ff055f3b65fe39840fe766bcf516dc99f1cf6844697a548bad544585cd70bd2adf807683c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
3KB

MD5
9fc2f6f056b761ee2efb51f1b2abe2a0

SHA1
b6b10ee66a5e91356e36656c670a55cd1d0e4ca3

SHA256
66bb48ee25484e6d28125af45c7ba09d785f822340975503f044bfe0d1093bdb

SHA512
29cc4e2179047807286df7cb36563133394123bcb74e228bae38c5991bd7781be47c32b2609c5a88bcbca9ea3674f1cecd262bbdcad3485821564421f6d9ed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
3KB

MD5
28ab641176c919ef5f796f965254e72c

SHA1
21cadde04c3a28842a51c63b6e184e3250385db3

SHA256
da759355fc068f769a450e76f7d392045a5e7f44ae2708695c92ea3f78f44d4f

SHA512
c5a81507b9c5f23f9e933e8aeadf90ece340e16aa94bfb3394d2e4634ee46b551e813d732f415ab36513183dd1a8038068fcae6c8b5b2cb2a3559dd6c09b4aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
4KB

MD5
e30f9bc0eaec914ce681d09f2dda880d

SHA1
49a17ea54cf9325a04a5bc9dd036b48dec7599bf

SHA256
e7244164fbbe3378d6dad2d5de18bdad034b3536318bc9b56a8b947f11d91dee

SHA512
a59a8a749ac80641ccca6def865a8ad51f18816ee7aa9efbf88a9baaa82dd56c9290367a00db58202e5369a2b0186c3d6bca9e8b26f51d890c94c06832ab7e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
4KB

MD5
a20149cc6d15b8616bc54139b9c5d315

SHA1
ec898328ff87ac3f4ff40087a46a2f7a27102f3d

SHA256
2eafa24a440fff6f353ce82a07b44c569f0f8752cf1726d93fc79522f09ccc7d

SHA512
e82c10f8fe9b3542c2b666c5d76138b0bcee7d1c4d3b0b4a0d3d67677a80b212c18e410021a36d473701bb62e84bd423fc124a4ec3f198ea49f923d3ad75bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
f9e0d0b0bb0cac9bd87767c01b2c4e7c

SHA1
94c9f42acc99929870db2bddeb82d8044a2141fb

SHA256
717390063a65aa57caac03884a8256951239e49cbcb35b83cddf46963fc452ee

SHA512
0cc1086dfd978dfd29047f833ba762e8981604bdc04490af468e3ec5f9d3928bc12210b95442a2f20d03c0b58a10a5a51c8073798d9fb2f54b4de12d493a8fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
419KB

MD5
b30604aa9bbc40e70659bc230ca17c60

SHA1
6e11ea639b6af1d14d6bb65f39561f735ad8cfb3

SHA256
c74cfec67914940604c2327eed85a3ca51b1c334c94beaa3d439a171445d3d5a

SHA512
b797c61f0841fb70a85ae087e38e5ffebd8948da30baece4032b077fad5492e1c23f8457afcf6ad73ff4a1a5bd2a53f47269bb4fb6f1294534184edda97119cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
95B

MD5
9b507b45c41b5b76ee28e9a236d2799b

SHA1
1faccb7a5024ec67e96277264d8accfad0882863

SHA256
d7d5617f0c7bc136c2c3c813b0aebdf9aa51fc4b660994abd17e843390b64d3c

SHA512
28dc0f4f1108150111873f10b43dbbb8c5e99f033f6708a8ce3eed0038ec33fc6a0f48a76d07f468de7ab0e5d67321647c884c7551f7a418e5866151a506eb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
231B

MD5
9170b20d03ea1e63f482af71e6975221

SHA1
9fa38caf5023a1b745cb1d5c432e74cfb31cc405

SHA256
a117ecb928139aa22ae4a9bf0f0a79a446ed97ff711c7a4e887768a122be911c

SHA512
c73d5cbaeb7fc62bdb5e5f04ebeefd97b7da4db3b56dc0adb9b5dbb37bb056e3fb2701c1cb5006467a845eab02190d73b412863d6a5f8481e92fc66c6da72ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallConfig.txt

Filesize
306B

MD5
75db7861304a47ffeac0b5c88801172a

SHA1
b3778cef27637ee986e194006d291560adadf14d

SHA256
26d6835d602b9e09e793d0031701bdfffd07eda032f2f56344aa7ac00b8d79e9

SHA512
62a1341833e3de6a9052d8c9d37e82223f49e5b279821a82cfd8558a8d1e89e074115195150a01049d327bae12158221ef82de43ea682905b81d0002fa32dd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
38B

MD5
4e01cf6c5fbb5cfed6a3684f69054365

SHA1
7a040aa2784160f4254f14acd958a6a75ef7293c

SHA256
a31a85891221410dbaf4d3d1bf5f842405140bf583945088d585bc5e8a9fbed3

SHA512
8376e53d2a81c39c9e04c074ea556279dee9d6a721443b7a41375ea3ed054ed795965dac6a6171f9de00a5f9bd9ddffc53322b98712cfe7dfa7eb1ca8e62e625

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
113B

MD5
f922ce103305d2d2766cd69b4992bed4

SHA1
e43c5ec1882020e9f59bf8be1f7b039b7279aec9

SHA256
673712f1a5ddf23348ad5dd910c0fad7656d5c4b60f9d9d6b413aa7ed20f3612

SHA512
65b2dd117d6ac6d8589ebaf1c22d3dff59cc79887eb53e8951f53160b9cc6ecabecd2a32d0e54d4cf517258118ed48791d0e9f679b3e166974aaa18faff8112f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
319B

MD5
a061107b2d08559c7a12a7a9e7b2df83

SHA1
2c596969754b809311ac75043758790aee198529

SHA256
e877977b3f751237f71eafe880b4ace1d5604b36d02645ac237d1fb176debae0

SHA512
0b58ef2e8e154429ff0e63fb53f7474f37619911e60c2d6c0ed3fb42c37bf980feaf92acc155db7a6ad1318a9f134349063cd2929a3c13c4eee56b16fa7840a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\WindowsFirewallEffectiveRules.txt

Filesize
394B

MD5
ed6f7545439589adafbd8111aba17e69

SHA1
902f6318e9663452bfff6de3c344300a2254ea61

SHA256
86f51a10715190ad0ad34d4cbdc3d0f81a64857b0099ccb3bc4a5c2805bd0494

SHA512
6e71ef55c1ac84ec3d37c43d338f628535253c238c50661027c6a66337a1abda0561ca26f07b15ef88b5d027038100f5cebd305dac7852d96726a9efc8831b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
720d48145da1f2f90731ae8c43f0bea7

SHA1
42d2bda6d3a1cc8c2d3c8465fd59809111d4b805

SHA256
a224d81ff57e5a203628b3bbc8e80cfd4c1643a2071837c2a27b71d0429932aa

SHA512
ef98be0f859ac2e36ebdd60174baa8e5b52f2e5c93d71aa68d6424519ebc180748e6aaafa19ef5a00b7be9185ebfbb4b61e9ee0b78577cba4c9b679eea207911

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
8dbeae7ebb6fda7ac0a3027c93c496f8

SHA1
91bcdfeeee0e44e9971a5821e39308d6ac7118fc

SHA256
fb955cb032eb12f89b6ce2016fd0c2b9b13bbb473e6b7ae4dae39c150f243eaa

SHA512
e0b5753e39ea4f2c740c8ebca8c1e66b86435250c9bcb251cff95c7942e039c8f673257ce226aad0d085f23802e2b698db4b633c14b441cf0816adacb0795bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
c6a224e5cc91ffdd4260941e1fce4777

SHA1
f675da9f4eb4f29567e551f8fc0fd20fc9edb0f3

SHA256
02d60cf1ba911fecbd996efa6761e0d95073b5686203c40cefd69884381a72d4

SHA512
87b2970ec81e727416bf0784d1f9927e71f1d231d4748cddb8933c02a9e92d5ef62de65c81b162d35ee01e08ac45ccedf002c9e8d5902f9070e7607d89fb0447

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
2KB

MD5
2e828b6458b0aba49b53bddd208a80df

SHA1
7bb35583f167a1c7c95d9e45f0bbeee57cbd5264

SHA256
4ca413ae2a91ff6355203b6a1f546dc5713e8fb72b223644f42cb1fe2a3f4dcd

SHA512
063e7978e642b9f51d33d5f22d5d7ea53b8ff2e7c00596f8e746006c5ad305759f2fcc81d736da1ac8db160ee441df3b97d3a36570e3e5ec9c9d5302dc1618eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
3KB

MD5
5dee86d47e20d6fe65d1c34c60bae7db

SHA1
ae67a36940520e0bbe55e8455d29d6f21aff1216

SHA256
c41839993812df609bab446a61810bbf6b4f106fadff920dc714c299acbc5443

SHA512
09260ed4f7f65f97a041420a77b868906fdf6cf534141e64e9f5e13fa4f8188c0edb22844ef8ab56578bde673c10486e20982f979b5d5a4747cdfe6383b99d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
3KB

MD5
1c05beeac3da6a23a5b983f3e0ecc382

SHA1
f7e486cd5c3fe0bcd725993566f0d5fb7b5bdda4

SHA256
8efde82fba8d3fdda1b3ff11216b15120a3c61baa77a1dd2e9e4a52573b65953

SHA512
56786baa4ca4e9c9535504f32af4a0a045de138bc15aa969b1f1f3f995d11655017c303101b7556d4a5721f8cb9dd64f0c40170d15ddde94a7841aa34c0b8f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
3KB

MD5
6e71a61675cf6434ee1be5ed9b924694

SHA1
827d58a7b121a0ef5eea1f80e1f1f27eebda0d17

SHA256
a6465c0c4f99fcdbf273472e0d6bf883c1c49e4dfd6db1f00e87aaecd6701ce1

SHA512
f82189a2cf903bc11f0c5a66d1e47d1576c46c4c2825ba2bbe65c116c3bef1ac8a1d4036ddc39b4646f2552bc3c1d11d4016f3f0cb6802bfc764a538e4810a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
3KB

MD5
bb1b9156e527d0c0e9022ae88ec68512

SHA1
395c5a54bd8fb9cc44a624b6132018a9a38592d1

SHA256
083974998f418038002fabe317c3f8556c51974c0b6056db956dc51e6831e978

SHA512
3bb0327de5a718d5ccfbb9c3419bbfcdf4fb1972f463c731b71f0d37f937e450257289028cf0dcad4ccfbf3918bf46548a79aa0e4c587cfd6ab1d910edc7e407

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
103658f78812bf2d30f402b30f0175f6

SHA1
bf59e4193c780092251385d75c1cca2b225d4c66

SHA256
20ab4f0c32fabee18869f552f4b00e4cc80a063ac469f82ba2eafe36a3e94af7

SHA512
a381630f962740418f4e966d8d171d2ac851da19e6bcc50abe9cd36827ffe359fc603a19f12567fdab7693fee0b090946038f9beeb932975ce632f6aa7495d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
4KB

MD5
cb2f71581b8048df0972881c02345aad

SHA1
e45a933042b3e2fbf63d059296552531af773dda

SHA256
64846e780c048091512b2fb30448fa8c2e5d39e2a8ba0988c1f17ab0024ac5b6

SHA512
f9dca80355e3d914ad208ffb21ed06c9e3c6168d8bd1937533a495079208a9736890afcaf7e1a63165633452409ab38c0e6a0f5299569765a1f311a6588b168c

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
65483850e65fb3c278c4759c87caa166

SHA1
7bb2923c680a63eaefa558673a79a3b811077828

SHA256
af3dfcbb584a4fa81afd36a7c860dd53348fa9a3955722c09e057bb72a6cfdb8

SHA512
470079b4a79d126b3ff8d5908514afe33b00dfdefb861794c2181562b5c00c37e395f7c63c4c6cdd29a1a8c9549a108d8a79b62112cf68c86bc97e56ba170fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
a086451ab849d71994198f04da55a294

SHA1
055b41c31e850e7340666b1f88fdbf76a53fc5a3

SHA256
4e5e0a3997cbf4a28b207c404fe19063da965c2e01a13dd583919042e77f777b

SHA512
aa871aff4c73fa88591bf5be9700c606bd5a7178259ea03f84030c98a855c77d1a3cbf4ebf579f62474e072bc97d2bdf4ae32fc49e7a6c91762028f5870fa4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
6KB

MD5
c115f11bda009078929558e6ece6b529

SHA1
aa89061b5466ca01e16dcf5ba5ce583a80815648

SHA256
b693ea88e718e15de896ad5c9bf4f5c0971c59d1d6022f87fa95d6dc77add5e8

SHA512
d4dd8573d4e25695fcb8b2b1df8fd25a99a7ddc1e56eff0e8b8d7aed588bd3026b595cc5e3d5850de296a5270a3e8905abde42cb5c3fe73d668592a846a32c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
79KB

MD5
58d9db73781137ad3fedc6c836dfe3f3

SHA1
84c400fa58c673ed52dfaa691eea4fbdfc921f65

SHA256
0a46a0d086d9d31c4e4dcc4e574ec06bc5fca0d5ea6f03a1ab0e833dd2ab1aca

SHA512
2a9fabe134fc6a4354bc011423865014e9bd7cad57af7e77309ec4a016d6bef942d66adfe18d819e3f4853e4b56891127b9205cd01fdcd46b9b9f27a2605fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\envinfo.txt

Filesize
79KB

MD5
7722bb10a2bda8cfcca73c17a51908b7

SHA1
2fbc9c2bd0302b0e917848df88f7a5253deb20ff

SHA256
8b80830ea83aa66b5433795a9798e31e255d9d92fc2ab31bb93d31fa7d124e6b

SHA512
5f499b0b1ce4f462cc581e4609613202e9753dcf919e55604cb8f5b2bb164a9767a92c3f3082bff2df525c6ae0fe8c7f54d26e8c331447d3eda85e60d42ab2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
40B

MD5
c0205219cb5287d35c031f5239196bf2

SHA1
62f5026dfcf7e5358d6861b00e8c4df5049e8d0e

SHA256
0de7759f2e8e1a55d71729420d823eefca68db450967f29ae63ff029bd610649

SHA512
b867ec5118faf58d7815f12235e401d6207cff22f7b2683ef67bbb224f8503a99d9145b68ba20ebfea3be397792f4086969d99afc0a8e3efea462104b68dd099

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
221B

MD5
58f8a02b6ee859c43469582daa4ee7c5

SHA1
133e928deeeea4a5a7590dd9ad3e00544e8348ee

SHA256
ebde6108b24704049280ba76f26df196b513641f782b4f340c4a3563a134f655

SHA512
501c2c1971775bac5875d8ddb8c629a25b7f11c7ace862f6767a20e8db71269690592df97511bfe9fda052a655a8186db3df23eaf73189a1149b89f9e25d7e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
1KB

MD5
d3c6d1e27fbf5ec5dc8f05381265197e

SHA1
ec67f0c9fde6449cc0d8bc8927a57d8697e8c9e0

SHA256
0d1a309d623be5866bae1980a942b43fe0ff3be6c867d1c45090377d92c590f5

SHA512
966650d01c07cfe4b6bb4252495b7749d8d23c9011fcfeb3c92fcaf35df320af8c1188ed65fa7dbdf0cf2fdeeabac91805a01d949bc025a0e622ed68c6f0d027

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
9f82b15790b772d31c52127214aeddd8

SHA1
eece3db4052936b8421f98c6585369382eb52743

SHA256
75f5cb4f1b03efca9bd4274cc21d91ee97c357a2e86519a524f8d9501647f2d7

SHA512
1dc57108b8fb9860b1b4e1e63074f12e67ae3531d26a98cb0b4298979f072b3e4200c38fa7522b25afcc8d62a4e0d44bb4cb05ed10001e7472cc449fe7c91fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\osinfo.txt

Filesize
3KB

MD5
1705a4373996180822bd30e557b73d3e

SHA1
0cdc9fa95d8dc285a607bacfd8396ad460621bda

SHA256
9d54caeea0d2f517c43642f3db48ea40381bef762033a7db8bbcbe585e448262

SHA512
f8021d4bd457cb4bda4be822f44fbf5a08b410e1c083bf570eef6e1e455181722d4ea3b06639902708f88c9c8362ed42a34be8bb41a76d887484b6b7316def3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
133B

MD5
a8d8d7d4692fe309cc2a4f64a66e62a3

SHA1
a8e6cd05e38b093fb87192e08c69d6b5062eae7e

SHA256
ec71967baffebe80b2f4c5403941789da29fe7f29a0da13d0f1947c5d6ea857e

SHA512
1f93ef3a7f667ff765ba68bb31cef50837bd8d63089de550e9cb0898a7797b9b1d7fabf851540cb43d6a77cd07a60c6712b9ca8866ccc755408ff5ca7bd2fcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
135B

MD5
36b8f09340530f94e24dde586d43620e

SHA1
e4e03089fcda0f00ab4a46ac3536a1031230f43d

SHA256
afb95a47992abd1b214497ccba1fa15be01670218531ffdd50f7626df293177b

SHA512
cd0b481d12b79a79c66f6276e6f9a339b59759c6a83168246163b3373042af5308860c9e1b5536e0d16a0d40bb2608dee72908d4063a7d9c3c78a18cd6b657bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
194B

MD5
a2bb40dec84c3b3c399c416b7c58f0dc

SHA1
cc0924ab388244e5a1b77928eeca6dbe0b8e61b6

SHA256
581d2c81bd6eeaacc61c62cdbe9bbb7a691ebefc2b098ae99c23a794d27af65c

SHA512
2441c1a9de2108aa187ee91186c6909f6dd196e64f4d99eddb3c1fca50399f5612784b6353e55aaa43ce00f7d20dc4824ad34defe426b2a6fd525efd80c506a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
253B

MD5
889356fa365e739c9caa839ee544fb09

SHA1
5f0dc027a1343d3b0f1cbf35ef2b0784efcbd650

SHA256
868d968dbe0b4bb3618a28597dda97d521afa8969e5e218154e243b17e05b0b1

SHA512
b83a7cdd5ab238c6cf5a0c70be6e01e9690a5bc10cda1e781ef0be44a9568fa10a07476fd4aa80a8479c5fa8d08edebf4f732e33dbec06807e7ef964b1fea5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\wlaninfo.txt

Filesize
312B

MD5
580be8aa116ca476405e4550ef662d81

SHA1
a4bcee6e5d140c169d59378356543b06c86d43bf

SHA256
a8c59f5dd5ae79cfa7d7ddb7e8ab1804af93fef1edcda69b8388920743083a5e

SHA512
7b4be4dd44c2542bb0fda9812b7eb485b297d2a199d0207c06545a7f5af54ecd4070b637a8833ea91ad2275bd82497f708c75cf6d3c2556692eef8dd42aa7456

Download Submit
C:\Users\Admin\AppData\Local\Temp\processes.txt

Filesize
7KB

MD5
cf0f509e916b5dd512a83a0e0aff0837

SHA1
20a4ea4791efe4d5d7aa45aa52d9bc6cde42844a

SHA256
d77e10bad33ab76776f26eaf37c1bb05be1aad3f2c9b052ddea3b321487d4797

SHA512
9960275b7c6cf1fe99e3c7ef26a6e0d580257058b6d06a5d3a795e8f3753ad184eeaa1135e1e8b8bc718683c3933fb7fd94e122d6c1dbcf3c2dc7fdd0322dbfc

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
260b0419ac83a221715f308ae8cf2e10

SHA1
89d451489cb6f9f5e4de178f98d6aa8940ebb77a

SHA256
a73514eb4de61efb54c73f76b6be4383d41b493dbe94e8308e96ca2344a95ac0

SHA512
793d63a9a510c2d49c01101881fd64acde9f7225cb0ede52a15f7d71baaaebd835d51011847843b049778529ffa0ed85a53a039187e4cb9f19a927c936119f7e

Download Submit
memory/684-140-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-132-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-138-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-143-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-142-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-141-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-133-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-134-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-139-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/684-144-0x0000025F216E0000-0x0000025F216E1000-memory.dmp

Filesize
4KB

Download
memory/2232-283-0x0000021452940000-0x000002145296A000-memory.dmp

Filesize
168KB

Download
memory/2232-284-0x0000021452940000-0x0000021452964000-memory.dmp

Filesize
144KB

Download
memory/2232-285-0x0000021452910000-0x0000021452920000-memory.dmp

Filesize
64KB

Download
memory/2232-286-0x0000021452D60000-0x0000021452D7A000-memory.dmp

Filesize
104KB

Download
memory/2232-287-0x0000021452D80000-0x0000021452D8E000-memory.dmp

Filesize
56KB

Download
memory/2232-288-0x0000021452E00000-0x0000021452E24000-memory.dmp

Filesize
144KB

Download
memory/2232-273-0x0000021452410000-0x0000021452432000-memory.dmp

Filesize
136KB

Download