System/Kernel
*Evil-WinRM* PS C:\Users\scripting\Documents> cmd /c ver
Microsoft Windows [Version 10.0.17763.2029]
*Evil-WinRM* PS C:\Users\scripting\Documents> systeminfo ; Get-ComputerInfo
systeminfo.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 5/28/2021 10:52:51 AM
WindowsProductId : 00429-70000-00000-AA751
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : OffMicrosoft Windows [Version 10.0.17763.2029]WindowsProductName : Windows Server 2019 StandardPowerPlatformRole : Desktop
Networks
*Evil-WinRM* PS C:\Users\scripting\Documents> ipconfig /all ; arp -a ; print route
Windows IP Configuration
Host Name . . . . . . . . . . . . : compromised
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-9E-FD-7E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.225.152(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.225.254
DNS Servers . . . . . . . . . . . : 192.168.225.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Interface: 192.168.225.152 --- 0x3
Internet Address Physical Address Type
192.168.225.254 00-50-56-9e-8d-f2 dynamic
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Unable to initialize device PRN*Evil-WinRM* PS C:\Users\scripting\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 872
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 508
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 352
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1672
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 636
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 656
TCP 192.168.225.152:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 872
TCP [::]:443 [::]:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 508
TCP [::]:49665 [::]:0 LISTENING 352
TCP [::]:49666 [::]:0 LISTENING 980
TCP [::]:49667 [::]:0 LISTENING 1672
TCP [::]:49668 [::]:0 LISTENING 636
TCP [::]:49669 [::]:0 LISTENING 656Users & Groups
*Evil-WinRM* PS C:\Users\scripting\Documents> net users ; net user /DOMAIN ; ls C:\Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
scripting WDAGUtilityAccount
The command completed with one or more errors.
The request will be processed at a domain controller for domain WORKGROUP.
net.exe : System error 1355 has occurred.
+ CategoryInfo : NotSpecified: (System error 1355 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The specified domain either does not exist or could not be contacted.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/1/2021 7:59 AM .NET v4.5
d----- 6/1/2021 7:59 AM .NET v4.5 Classic
d----- 6/1/2021 7:56 AM Administrator
d-r--- 5/28/2021 3:53 AM Public
d----- 7/20/2021 8:21 AM scripting*Evil-WinRM* PS C:\Users\scripting\Documents> net localgroup ; net group /DOMAIN
Aliases for \\COMPROMISED
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
The command completed successfully.
The request will be processed at a domain controller for domain WORKGROUP.
net.exe : System error 1355 has occurred.
+ CategoryInfo : NotSpecified: (System error 1355 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandErrorProcesses
*Evil-WinRM* PS C:\Users\scripting\Documents> Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service | ? { $_.ProcessId -eq $_.ProcessId }).Name -join ", "; $u = $_.GetOwner(); [PSCustomObject]@{ Name = $_.Name; PID = $_.ProcessId; User = "$($u.Domain)$($u.User)"} } | ft -AutoSize
Access denied
At line:1 char:1
+ Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
*Evil-WinRM* PS C:\Users\scripting\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
142 9 6676 12500 2784 0 conhost
358 13 2260 5336 388 0 csrss
165 9 1632 4820 496 1 csrss
254 14 4060 13748 2392 0 dllhost
544 22 23516 49356 940 1 dwm
48 6 1532 4616 784 0 fontdrvhost
48 6 1688 4848 792 1 fontdrvhost
0 0 56 8 0 0 Idle
472 27 12792 50160 3644 1 LogonUI
2366 25 8064 18480 656 0 lsass
225 13 3060 10736 2588 0 msdtc
896 81 235924 242944 1952 0 MsMpEng
197 39 3308 9480 3104 0 NisSrv
0 14 596 26192 88 0 Registry
311 11 3556 7932 636 0 services
53 3 528 1236 280 0 smss
469 23 5764 17184 1672 0 spoolsv
547 31 13140 22720 320 0 svchost
553 17 12708 18992 352 0 svchost
665 18 4572 14900 756 0 svchost
510 17 3704 10352 872 0 svchost
307 16 3900 15880 908 0 svchost
1633 98 52928 76512 980 0 svchost
346 16 11860 14700 1052 0 svchost
777 27 7760 19236 1092 0 svchost
740 45 9412 24696 1200 0 svchost
314 11 2020 9120 1244 0 svchost
400 32 9596 18652 1388 0 svchost
131 7 1608 6420 1520 0 svchost
535 22 20140 34316 1724 0 svchost
167 12 3900 11124 1732 0 svchost
214 12 1840 7848 1832 0 svchost
243 15 5072 12524 1840 0 svchost
211 11 2348 8748 1996 0 svchost
164 10 2116 7840 2352 0 svchost
1264 0 192 152 4 0 System
171 12 3264 10852 1936 0 VGAuthService
137 9 1800 7484 1412 1 vm3dservice
144 8 1724 7180 1868 0 vm3dservice
384 22 9252 21736 1900 0 vmtoolsd
719 50 120176 121988 3780 0 w3wp
173 11 1532 7108 508 0 wininit
253 12 2860 19752 552 1 winlogon
358 17 8676 18416 2676 0 WmiPrvSE
1933 34 73292 96088 0.53 3408 0 wsmprovhost469 23 5764 17184 1672 0 spoolsv1933 34 73292 96088 0.53 3408 0 wsmprovhost
Tasks
*Evil-WinRM* PS C:\Users\scripting\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\scripting\Documents> cmd /c schtasks /QUERY /FO TABLE
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
Folder: \Microsoft\Windows\.NET Framework
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
Folder: \Microsoft\Windows\Application Experience
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft Compatibility Appraiser 6/29/2025 3:32:10 AM Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
Folder: \Microsoft\Windows\ApplicationData
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
Folder: \Microsoft\Windows\AppxDeploymentClient
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
Folder: \Microsoft\Windows\Autochk
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
Folder: \Microsoft\Windows\BitLocker
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
Folder: \Microsoft\Windows\Bluetooth
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
Folder: \Microsoft\Windows\BrokerInfrastructure
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
Folder: \Microsoft\Windows\Chkdsk
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
Folder: \Microsoft\Windows\CloudExperienceHost
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 6/28/2025 6:00:00 PM Ready
UsbCeip N/A Ready
Folder: \Microsoft\Windows\Data Integrity Scan
TaskName Next Run Time Status
======================================== ====================== ===============
Data Integrity Scan 7/3/2025 12:08:58 AM Ready
Data Integrity Scan for Crash Recovery N/A Ready
Folder: \Microsoft\Windows\Defrag
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
Folder: \Microsoft\Windows\Device Information
TaskName Next Run Time Status
======================================== ====================== ===============
Device 6/29/2025 4:41:35 AM Ready
Folder: \Microsoft\Windows\Diagnosis
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
Folder: \Microsoft\Windows\DirectX
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
Folder: \Microsoft\Windows\DiskCleanup
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
Folder: \Microsoft\Windows\DiskDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Ready
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
Folder: \Microsoft\Windows\DiskFootprint
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
Folder: \Microsoft\Windows\EDP
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
EDP Inaccessible Credentials Task N/A Ready
StorageCardEncryption Task N/A Ready
Folder: \Microsoft\Windows\ExploitGuard
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
Folder: \Microsoft\Windows\File Classification Infrastructure
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
Folder: \Microsoft\Windows\Flighting
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Flighting\FeatureConfig
TaskName Next Run Time Status
======================================== ====================== ===============
ReconcileFeatures N/A Ready
Folder: \Microsoft\Windows\Flighting\OneSettings
TaskName Next Run Time Status
======================================== ====================== ===============
RefreshCache 6/28/2025 8:03:18 PM Ready
Folder: \Microsoft\Windows\InstallService
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
Folder: \Microsoft\Windows\Location
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
Folder: \Microsoft\Windows\Maintenance
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
Folder: \Microsoft\Windows\Maps
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
Folder: \Microsoft\Windows\Mobile Broadband Accounts
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
Folder: \Microsoft\Windows\MUI
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
Folder: \Microsoft\Windows\NetTrace
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\Offline Files
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
Folder: \Microsoft\Windows\PLA
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
Folder: \Microsoft\Windows\Plug and Play
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
Folder: \Microsoft\Windows\RecoveryEnvironment
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
Folder: \Microsoft\Windows\Server Manager
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
Folder: \Microsoft\Windows\Servicing
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Ready
Folder: \Microsoft\Windows\SharedPC
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
Folder: \Microsoft\Windows\Shell
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
Folder: \Microsoft\Windows\Software Inventory Logging
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
Folder: \Microsoft\Windows\SpacePort
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
Folder: \Microsoft\Windows\Speech
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
SpeechModelDownloadTask 6/29/2025 12:40:51 AM Ready
Folder: \Microsoft\Windows\Storage Tiers Management
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
Folder: \Microsoft\Windows\TextServicesFramework
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
Folder: \Microsoft\Windows\Time Synchronization
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
Folder: \Microsoft\Windows\Time Zone
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
Folder: \Microsoft\Windows\UPnP
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
Folder: \Microsoft\Windows\Windows Defender
TaskName Next Run Time Status
======================================== ====================== ===============
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
Windows Defender Scheduled Scan 6/29/2025 2:00:52 AM Ready
Windows Defender Verification N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting 6/28/2025 12:48:39 PM Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\Windows Media Sharing
TaskName Next Run Time Status
======================================== ====================== ===============
UpdateLibrary N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
Folder: \Microsoft\Windows\WindowsUpdate
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled Start N/A Ready
Folder: \Microsoft\Windows\Wininet
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Ready
Folder: \Microsoft\Windows\Workplace Join
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Disabled
Recovery-Check N/A DisabledServices
*Evil-WinRM* PS C:\Users\scripting\Documents> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_ -match 'S' -and $_ -notmatch 'C:\Windows\System32' } | Select-Object
WMIC.exe : ERROR:
+ CategoryInfo : NotSpecified: (ERROR::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\scripting\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe False aspnet_state
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B177A1AD-7075-4751-B01F-D4630687BBF6}\MpKslDrv.sys False MpKsl1af51411
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharingC:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
Installed Programs
*Evil-WinRM* PS C:\Users\scripting\Documents> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue | Where-Object { $_ } | Sort-Object -Unique ; ls "C:\Program Files" ; ls "C:\Program Files (x86)"
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
VMware Tools
Windows 10 Update Assistant
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/28/2021 6:05 AM Common Files
d----- 5/28/2021 4:21 AM internet explorer
d----- 5/28/2021 6:06 AM VMware
d-r--- 5/28/2021 4:32 AM Windows Defender
d----- 7/13/2021 7:40 AM Windows Defender Advanced Threat Protection
d----- 9/15/2018 12:19 AM Windows Mail
d----- 5/28/2021 4:21 AM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 5/28/2021 4:21 AM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 9/15/2018 12:19 AM WindowsPowerShell
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/15/2018 12:28 AM Common Files
d----- 5/28/2021 4:21 AM Internet Explorer
d----- 9/15/2018 12:19 AM Microsoft.NET
d----- 5/28/2021 4:21 AM Windows Defender
d----- 9/15/2018 12:19 AM Windows Mail
d----- 5/28/2021 4:21 AM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 5/28/2021 4:21 AM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM WindowsPowerShellFirewall & AV
*Evil-WinRM* PS C:\Users\scripting\Documents> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
139 TCP Enable Inbound NetBIOS Rule
5985 TCP Enable Inbound PS-Remoting Rule
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
139 TCP Enable Inbound NetBIOS Rule
5985 TCP Enable Inbound PS-Remoting Rule
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .*Evil-WinRM* PS C:\Users\scripting\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreferenceSession Architecture
*Evil-WinRM* PS C:\Users\scripting\Documents> [Environment]::Is64BitProcess
TrueInstalled .NET Frameworks
*Evil-WinRM* PS C:\Users\scripting\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
06/28/2025 10:45 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 16,618,389,504 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0.NET 4.7.03190