Analysis Overview
SHA256
16fbeadcbf09c6e4dc1dbbd500271e4c44be1deedd1ccbbe8eb0b129730d2a15
Threat Level: Likely benign
The file FZ_Marauder_v2.8.zip was found to be: Likely benign.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Command and Scripting Interpreter: JavaScript
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 12:57
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_303A
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_SerialPort get DeviceID,PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /i VID_303A
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_10C4
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_SerialPort get DeviceID,PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /i VID_10C4
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
144s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | C:\Users\Admin\AppData\Local\Temp\esptool.exe |
| PID 2112 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | C:\Users\Admin\AppData\Local\Temp\esptool.exe |
| PID 2112 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | C:\Users\Admin\AppData\Local\Temp\esptool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\esptool.exe
"C:\Users\Admin\AppData\Local\Temp\esptool.exe"
C:\Users\Admin\AppData\Local\Temp\esptool.exe
"C:\Users\Admin\AppData\Local\Temp\esptool.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21122\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-localization-l1-2-0.dll
| MD5 | de5695f26a0bcb54f59a8bc3f9a4ecef |
| SHA1 | 99c32595f3edc2c58bdb138c3384194831e901d6 |
| SHA256 | e9539fce90ad8be582b25ab2d5645772c2a5fb195e602ecdbf12b980656e436a |
| SHA512 | df635d5d51cdea24885ae9f0406f317ddcf04ecb6bfa26579bb2e256c457057607844ded4b52ff1f5ca25abe29d1eb2b20f1709cf19035d3829f36bbe31f550f |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 74c264cffc09d183fcb1555b16ea7e4b |
| SHA1 | 0b5b08cdf6e749b48254ac811ca09ba95473d47c |
| SHA256 | a8e2fc077d9a7d2faa85e1e6833047c90b22c6086487b98fc0e6a86b7bf8bf09 |
| SHA512 | 285afbcc39717510ced2ed096d9f77fc438268ecaa59cff3cf167fcc538e90c73c67652046b0ee379e0507d6e346af79d43c51a571c6dd66034f9385a73d00d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-file-l1-2-0.dll
| MD5 | d92e6a007fc22a1e218552ebfb65da93 |
| SHA1 | 3c9909332e94f7b7386664a90f52730f4027a75a |
| SHA256 | 03bd3217eae0ef68521b39556e7491292db540f615da873dd8da538693b81862 |
| SHA512 | b8b0e6052e68c08e558e72c168e4ff318b1907c4dc5fc1cd1104f5cae7cc418293013dabbb30c835a5c35a456e1cb22cc352b7ae40f82b9b7311bb7419d854c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | cb39eea2ef9ed3674c597d5f0667b5b4 |
| SHA1 | c133dc6416b3346fa5b0f449d7cc6f7dbf580432 |
| SHA256 | 1627b921934053f1f7d2a19948aee06fac5db8ee8d4182e6f071718d0681f235 |
| SHA512 | 2c65014dc045a2c1e5f52f3fea4967d2169e4a78d41fe56617ce9a4d5b30ebf25043112917ff3d7d152744ddef70475937ae0a7f96785f97dcefafe8e6f14d9c |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-file-l2-1-0.dll
| MD5 | 50abf0a7ee67f00f247bada185a7661c |
| SHA1 | 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1 |
| SHA256 | f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7 |
| SHA512 | c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 27c4a3bcc0f1dba2de4c2242cd489f3b |
| SHA1 | a704fd91e3c67108b1f02fd5e9f1223c7154a9cc |
| SHA256 | 315ded39d9e157cec05d83711c09858c23602857c9d8c88beef121c24c43be84 |
| SHA512 | 793e74dfb1052c06ab4c29e7b622c795cc3122a722382b103940b94e9dac1e6ca8039df48c558efcc5d952a0660393ae2b11ced5ade4dc8d5dd31a9f5bb9f807 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 9151e83b4fdfa88353b7a97ae7792678 |
| SHA1 | b46152e70d5d3d75d61d4ccdb50403bd08bb9354 |
| SHA256 | 6c0e0d22b65329f4948fcf36c8048a54ccccbf6c05b330b2c1a686f3e686eed0 |
| SHA512 | 4d4210474957e656d821e1dc5934a4bfbf7e73dd61d696a1ab39914f887810c8fbe500dbb1e23782b40807f25820f35c9665e04dcdc2fd0f6c83046a4aecb86b |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-string-l1-1-0.dll
| MD5 | ec1381c9fda84228441459151e7badea |
| SHA1 | db2d37f3c04a2c2d4b6f9b3fd82c1be091e85d2c |
| SHA256 | 44ddab31c182235ac5405d31c1cba048316cc230698e392a732ac941ec683bad |
| SHA512 | ee9ebbdc23e7c945f2b291fde5eb68a42c11988182e6c78c0ab8fa9cb003b24910974a3291bcdaa0c8d1f9dfa8df40293848fb9a16c4be1425253bed0511a712 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 306608a878089cb38602af693ba0485b |
| SHA1 | 59753556f471c5bf1dfef46806cb02cf87590c5c |
| SHA256 | 3b59a50457f6b6eaa6d35e42722d4562e88bcd716bae113be1271ead0feb7af3 |
| SHA512 | 21b626e619aaf4eda861a9c5edf02133c63adc9e893f38fede72d90a6e8be0e566c117a8a24ca4bab77928083ae4a859034417b035e8553cc7ccfb88cb4cbd9c |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 0e35e369165875d3a593d68324e2b162 |
| SHA1 | 6a1ff3405277250a892b79faed01dcdc9dbf864a |
| SHA256 | 14694879f9c3c52fbd7dde96bf5d67b9768b067c80d5567be55b37262e9dbd54 |
| SHA512 | d496f0c38300d0eed62b26a59c57463a1444a0c77a75c463014c5791371deca93d1d5dd0090e8e324c6a09bd9cff328f94947272ca49018c191c12732e805ee8 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 7a235962dbab1e807c6ec7609fc76077 |
| SHA1 | 148ddd11a0d366313f75871007057b3f0485ab33 |
| SHA256 | f7c5d7394643c95fe14c07773a8a206e74a28db125f9b3976f9e1c8c599f2af1 |
| SHA512 | 25b21ee7bb333e5e34d2b4a32d631a50b8ffaf1f1320d47c97c2a4dff59fa2a2703cdf30638b46c800d3150efaa4a2518c55e7b2a3b2e4273f43dd5ca83ae940 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | ebc168d7d3ea7c6192935359b6327627 |
| SHA1 | aeceb7c071cf1bb000758b6ceebefeec91ad22bd |
| SHA256 | c048a3d7ab951dce1d6d3f5f497b50353f640a1787c6c65677a13c55c8e99983 |
| SHA512 | 891d252ecd50bded4614547758d5e301bdf8e71fbb1023ff89f8de2f81927cc7cc84b98985d99e8fa8dcbf361e5117d9c625dc0d36983afc3f2aa48a54ce3d48 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 4cf70855444f38e1eb71f9c3cd1c6e86 |
| SHA1 | d06aec4008d397756ee841f0e7a435d1c05b5f07 |
| SHA256 | a409e25a9d3c252cc0a5af9df85d3733e946087b06cd1fb2cf1bf640eb0d49ba |
| SHA512 | a13a80645e679343ac5638e8aa6a03012f16200cb3a4637be52a01aa3bef854324a8ed1882ca91b304b9c47b6351b1fc1671f4dede5be77bc208a71fe6029064 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | dacf383a06480ca5ab70d7156aecab43 |
| SHA1 | 9e48d096c2e81a7d979f3c6b94315671157206a1 |
| SHA256 | 00f84c438aab40500a2f2df22c7a4ec147a50509c8d0cdac6a83e4269e387478 |
| SHA512 | 5d4146a669ddb963cf677257ec7865e2cfcb7960e41a38bbd60f9a7017474ed2f3291505fa407e25881cbf9e5e6b8055ff3bd891043284a0a04e3fe9cfad9817 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 55463244172161b76546dc2de37f42bd |
| SHA1 | c10a5360ad5e340d59c814e159ea1efcbf5bf3ee |
| SHA256 | 4166a32551989f960dac7c0e296ffb28092f45f6539e7c450fa04bf17612be73 |
| SHA512 | eacec78ff95f60def6f7f27bda4a84f1dd2dfa386efc4f6da770c37268df83c5b402693ea5c29f54d48026579f3843db26add4d6448ea10cbf7f14d4d14a72fd |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | a68d15cab300774d2a20a986ee57f9f4 |
| SHA1 | bb69665b3c8714d935ee63791181491b819795cb |
| SHA256 | 966ddbf59e1d6c2a80b8abbf4a30d37475de097bf13fb72ba78684d65975cd97 |
| SHA512 | ac040f92560631ca5162c7559173bdfe858e282225967ab1adc0a038d34943b00db140d44319cd2cdc2864295a098ab0ba634dfaa443e1d1782fa143ae4c217d |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | d725d87a331e3073bf289d4ec85bd04d |
| SHA1 | c9d36103be794a802957d0a8243b066fa22f2e43 |
| SHA256 | 30bcf934cbcc9ed72ff364b6e352a70a9e2afa46eceadea5c47183cb46cfd16e |
| SHA512 | 6713ff954221c5dd835c15556e5fa6b8684fa7e19ce4f527a5892e77f322b3dae7199a232040b89ad4a9575c8d9788d771892d2294f3c18da45e643eb25fdb08 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\base_library.zip
| MD5 | 63852f437aeb3c9c380e6e2c049f0528 |
| SHA1 | 48fbe992cf7869c7aa80ebce1d9af2bfcd263624 |
| SHA256 | 5bad30ad6f9537afefa2bbfccc180ac427c9b793f13e3ca703341efb2c93a812 |
| SHA512 | f6ea3b984f349fbdb2d912a8417c8d99e82162e0faa7b0332025f616c4b03d488854db9b93b0498a6c4805ad4715f27f44d78e6cb49a1b0a460e815fd8d5130d |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\_ctypes.pyd
| MD5 | 291a0a9b63bae00a4222a6df71a22023 |
| SHA1 | 7a6a2aad634ec30e8edb2d2d8d0895c708d84551 |
| SHA256 | 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324 |
| SHA512 | d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\_bz2.pyd
| MD5 | a49c5f406456b79254eb65d015b81088 |
| SHA1 | cfc2a2a89c63df52947af3610e4d9b8999399c91 |
| SHA256 | ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced |
| SHA512 | bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\_lzma.pyd
| MD5 | cf9fd17b1706f3044a8f74f6d398d5f1 |
| SHA1 | c5cd0debbde042445b9722a676ff36a0ac3959ad |
| SHA256 | 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4 |
| SHA512 | 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\_hashlib.pyd
| MD5 | 5e5af52f42eaf007e3ac73fd2211f048 |
| SHA1 | 1a981e66ab5b03f4a74a6bac6227cd45df78010b |
| SHA256 | a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b |
| SHA512 | bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\libcrypto-1_1.dll
| MD5 | 89511df61678befa2f62f5025c8c8448 |
| SHA1 | df3961f833b4964f70fcf1c002d9fd7309f53ef8 |
| SHA256 | 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf |
| SHA512 | 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | fcd6b29932d6fb307964b2d3f94e6b48 |
| SHA1 | be560f8a63c8e36a7b3fa48ff384f99f69a5d4f7 |
| SHA256 | cfb2ee4e426bb00b76163c1a66cf8cfef8d7450cbf9bbce3bc9eb2053f51e0e5 |
| SHA512 | 3edfcf559f1e21870277358e6d266a1a0cea68b163b11c73108f3b6a56006d20b51410a3b4ea39bf80906bf6c9d573e1072697cfcd6a3d37e3679ea54757c69f |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2628 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | C:\Users\Admin\AppData\Local\Temp\esptool.exe |
| PID 2628 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\esptool.exe | C:\Users\Admin\AppData\Local\Temp\esptool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\esptool.exe
"C:\Users\Admin\AppData\Local\Temp\esptool.exe"
C:\Users\Admin\AppData\Local\Temp\esptool.exe
"C:\Users\Admin\AppData\Local\Temp\esptool.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI26282\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\base_library.zip
| MD5 | 63852f437aeb3c9c380e6e2c049f0528 |
| SHA1 | 48fbe992cf7869c7aa80ebce1d9af2bfcd263624 |
| SHA256 | 5bad30ad6f9537afefa2bbfccc180ac427c9b793f13e3ca703341efb2c93a812 |
| SHA512 | f6ea3b984f349fbdb2d912a8417c8d99e82162e0faa7b0332025f616c4b03d488854db9b93b0498a6c4805ad4715f27f44d78e6cb49a1b0a460e815fd8d5130d |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\_ctypes.pyd
| MD5 | 291a0a9b63bae00a4222a6df71a22023 |
| SHA1 | 7a6a2aad634ec30e8edb2d2d8d0895c708d84551 |
| SHA256 | 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324 |
| SHA512 | d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09 |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\_bz2.pyd
| MD5 | a49c5f406456b79254eb65d015b81088 |
| SHA1 | cfc2a2a89c63df52947af3610e4d9b8999399c91 |
| SHA256 | ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced |
| SHA512 | bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\_lzma.pyd
| MD5 | cf9fd17b1706f3044a8f74f6d398d5f1 |
| SHA1 | c5cd0debbde042445b9722a676ff36a0ac3959ad |
| SHA256 | 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4 |
| SHA512 | 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\_hashlib.pyd
| MD5 | 5e5af52f42eaf007e3ac73fd2211f048 |
| SHA1 | 1a981e66ab5b03f4a74a6bac6227cd45df78010b |
| SHA256 | a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b |
| SHA512 | bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd |
C:\Users\Admin\AppData\Local\Temp\_MEI26282\libcrypto-1_1.dll
| MD5 | 89511df61678befa2f62f5025c8c8448 |
| SHA1 | df3961f833b4964f70fcf1c002d9fd7309f53ef8 |
| SHA256 | 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf |
| SHA512 | 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 12:56
Reported
2024-11-13 12:59
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
139s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_303A
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_SerialPort get DeviceID,PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /i VID_303A
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_10C4
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_SerialPort get DeviceID,PNPDeviceID
C:\Windows\system32\findstr.exe
findstr /i VID_10C4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |