Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 17:31

General

  • Target

    https://mlsendfi.com/

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mlsendfi.com/
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdb7046f8,0x7fffdb704708,0x7fffdb704718
      2⤵
        PID:5020
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
        2⤵
          PID:4200
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4612
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:8
          2⤵
            PID:3836
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
            2⤵
              PID:4960
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:5048
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
                2⤵
                  PID:1816
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4880
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
                  2⤵
                    PID:3760
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                    2⤵
                      PID:5092
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                      2⤵
                        PID:4308
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
                        2⤵
                          PID:4500
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                          2⤵
                            PID:2648
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                            2⤵
                              PID:1804
                            • C:\Windows\system32\msdt.exe
                              -modal "262682" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF85AB.tmp" -ep "NetworkDiagnosticsWeb"
                              2⤵
                              • Suspicious use of FindShellTrayWindow
                              PID:2628
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
                              2⤵
                                PID:5660
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                                2⤵
                                  PID:3256
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5856 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3508
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                                  2⤵
                                    PID:5288
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1464
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4204
                                    • C:\Windows\System32\sdiagnhost.exe
                                      C:\Windows\System32\sdiagnhost.exe -Embedding
                                      1⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4448
                                      • C:\Windows\system32\netsh.exe
                                        "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
                                        2⤵
                                          PID:3680
                                        • C:\Windows\system32\netsh.exe
                                          "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
                                          2⤵
                                            PID:5340
                                          • C:\Windows\system32\ipconfig.exe
                                            "C:\Windows\system32\ipconfig.exe" /all
                                            2⤵
                                            • Gathers network information
                                            PID:1452
                                          • C:\Windows\system32\ROUTE.EXE
                                            "C:\Windows\system32\ROUTE.EXE" print
                                            2⤵
                                              PID:5632
                                            • C:\Windows\system32\makecab.exe
                                              "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
                                              2⤵
                                                PID:1716
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
                                              1⤵
                                              • Drops file in System32 directory
                                              • Checks processor information in registry
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5124
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
                                              1⤵
                                              • Drops file in System32 directory
                                              • Modifies data under HKEY_USERS
                                              PID:5152
                                              • C:\Windows\System32\rundll32.exe
                                                "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
                                                2⤵
                                                  PID:6040
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
                                                1⤵
                                                  PID:5180
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
                                                  1⤵
                                                  • Drops file in Windows directory
                                                  • Modifies data under HKEY_USERS
                                                  PID:4696

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\NetworkDiagnostics.debugreport.xml

                                                  Filesize

                                                  210KB

                                                  MD5

                                                  cda7fc7c599dab950d8bd7bbde58f428

                                                  SHA1

                                                  240e0c9d64fa0fd6949b9360f21e73b41be1298b

                                                  SHA256

                                                  992bc99a7a69ec3bfbbfdbcbdfb885747f5c8dfbc98a99ccf5b3080c81a5e618

                                                  SHA512

                                                  452541e3493979b5c5220f6f3249d8797a521601cb63a3868468d3540a6a8fcc07e013d2858b657b33fd05adf6088c2a9688ee4d2f987119ecde1e781e321929

                                                • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\ResultReport.xml

                                                  Filesize

                                                  38KB

                                                  MD5

                                                  e904d9b1bf92ce2b39bae96e146ef176

                                                  SHA1

                                                  8281775f8810c1e4838d5d57067bb970018b6afe

                                                  SHA256

                                                  36507596c3b8797e35ba7424db57ad4d004e910e40e2cedc7c44a25cce95f60e

                                                  SHA512

                                                  fcb01fe4598a6bf941a804f06fb5c6b25d62bb396252757ab07f0119e0c1b0d61541945dc2baef13f721c7382e8046e6518c8fe2ad84d4f09dfe0e74ee18815a

                                                • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\results.xsl

                                                  Filesize

                                                  47KB

                                                  MD5

                                                  310e1da2344ba6ca96666fb639840ea9

                                                  SHA1

                                                  e8694edf9ee68782aa1de05470b884cc1a0e1ded

                                                  SHA256

                                                  67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

                                                  SHA512

                                                  62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  62c02dda2bf22d702a9b3a1c547c5f6a

                                                  SHA1

                                                  8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

                                                  SHA256

                                                  cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

                                                  SHA512

                                                  a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  850f27f857369bf7fe83c613d2ec35cb

                                                  SHA1

                                                  7677a061c6fd2a030b44841bfb32da0abc1dbefb

                                                  SHA256

                                                  a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

                                                  SHA512

                                                  7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  1c635465fd211e4d6e8d3e2ec0746761

                                                  SHA1

                                                  1eabd8d6590397980d015607323a69943ef328ea

                                                  SHA256

                                                  76eddb3a612211c7838664c144197eb06a47e513071b39e8cff68b55ebee0a21

                                                  SHA512

                                                  95f0bdc06f9781a8ff34be70eb0e6152c2cceac162f2185c6757c8abe1069d7e51924225efedf84377e9a9c124983f8bf84576ac907bd0f879a95dc5b2ef6d43

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  900371caa1bd6ccea262c0b0d5a5de76

                                                  SHA1

                                                  50fee0450bb739ee13dc5bef5d3e0cc7c2f90662

                                                  SHA256

                                                  6d9b1fce3182edd0b6ae4496ac8735a9db8e3fb4fb1df294bcd16be171938a1e

                                                  SHA512

                                                  45392113a6ce11ab46c131b447d19e633bd0c29f4b386b805e38c3f78b8e1f69f46c02fea997b54e081bd6d94b68cf805d895c326ab462f74e4bb14df73e4ef0

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  9bbf6334e72ccff3d42df46c9061ceb9

                                                  SHA1

                                                  c3892b81d6bf1d3950f2356875620071b180f141

                                                  SHA256

                                                  802e4576cc058eedd44dae2873cce991a83614168ccedad0586c55313281506f

                                                  SHA512

                                                  3a48b23b12b33420b8274f892cfe7217ffac9d87e431753a7b6c678db84d8864f6dc51a3634ec1e56d1cbb9d89861de2b9ebaabc05853e5036a37242e2cc36ce

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  4231cdbb038ef50fbe046efcae4a090b

                                                  SHA1

                                                  c20f1b8c577698cbbcde2ce088baa0e07043531a

                                                  SHA256

                                                  170d3ed7a1af8676b0d3c4a3ff84ce77a5f4ac7cd374a0cb59fc30ae7c7924d8

                                                  SHA512

                                                  a9179c5268c71f520aeaded18e4edf723189b1e6f72aa789aa505eabaa705a56ee36b4378f2eb02ecd2876d976749697dcb2948648fcd8f51fa8c918fb31a48a

                                                • C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-04302024-1733.etl

                                                  Filesize

                                                  192KB

                                                  MD5

                                                  b957bd0351335e21a21442f7d6747ae7

                                                  SHA1

                                                  f4b026910541c473382527c39100a1e07af2bba0

                                                  SHA256

                                                  c62539f6fcd788f84c1dc2da159b89072d2b09a66e67e88cbb4cedbe790e41ae

                                                  SHA512

                                                  74ecc78167895a011449fcfcb0c8ae5941a05232bd0ee703d2622ec377e14ae6b98011c77d73235a898e3340c6005bca4efa68b49378efe6e419d6d1b785b8b4

                                                • C:\Users\Admin\AppData\Local\Temp\NDF85AB.tmp

                                                  Filesize

                                                  3KB

                                                  MD5

                                                  1e4aeed16b58d7f5b68077a6ff08495b

                                                  SHA1

                                                  c07398433d7c101d7fafcaa6ab912443d5f22228

                                                  SHA256

                                                  18e2aecdb7998133de161a699043c3f5bdfc89b7ed7df24557f409a345f0102a

                                                  SHA512

                                                  8809a08f08bd280eb433592f610bcb0d3887c6c29c3b59aef3b46c0a858dabec08ee8b17e3e1c0d41804b6a384a10179ff56aefcfdf38504349e3c4a7f73e076

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvg4b1o0.qcp.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\NetworkConfiguration.cab

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  33ef3fec724efa9f57c72415d9f5aead

                                                  SHA1

                                                  328d792d3cb07c0f0d65cf17c5b8e9bea583ba31

                                                  SHA256

                                                  47c3e128eb44fd368ae6307f5efda9b345b70e81c2c7292cdd1224ab4871177e

                                                  SHA512

                                                  e74eec156fafcab9c96f2c9b978fd57f4f8165dc5cf1a5d041e9a1640f9601c15815a3db5d8a8588303824222b96fdd6a96a8a48c53abc91f978fa8e44677e1a

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\NetworkConfiguration.ddf

                                                  Filesize

                                                  231B

                                                  MD5

                                                  00848049d4218c485d9e9d7a54aa3b5f

                                                  SHA1

                                                  d1d5f388221417985c365e8acaec127b971c40d0

                                                  SHA256

                                                  ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

                                                  SHA512

                                                  3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\ipconfig.all.txt

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  2c1e7e6356f29f9ba06cd0dd570795a1

                                                  SHA1

                                                  a276e1e3e365065efc02330138f223625972a60d

                                                  SHA256

                                                  13f31ccc1a64a00bd5f66547fce903ef467d13d2a64233e4b55e932ed67f09b6

                                                  SHA512

                                                  37130e599fe12a8024beff82523f3d7936a404a0bacb9b71dbf3899570c30c2b7b53456a9bcf1b4c371e2593001afc625216b63a60be3d1c87ef99ac0b9260b0

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\route.print.txt

                                                  Filesize

                                                  4KB

                                                  MD5

                                                  c85a2d17dccde0e73f70bc9caf679c23

                                                  SHA1

                                                  0e4c9fcd19428c834b53b4e0862ad6d9232f23c8

                                                  SHA256

                                                  7ce9a245b6780842a83abec5fea522f1889749a697b97be13c70d8297f26e563

                                                  SHA512

                                                  327b323fc688fc45f0c883c026aeb965908f24ee8f516a766c4ec594d46bb1ad42b7f460f91ee40335817d6f4fbf9643075c63b6bc5a197c184bd7031d78b87b

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\setup.inf

                                                  Filesize

                                                  978B

                                                  MD5

                                                  b54c726f10f813188953aa79b7bb7998

                                                  SHA1

                                                  00d96f679af01e9430a7120a701c5d2aa4d2347e

                                                  SHA256

                                                  833f0701f761707e33744827446733a4a10dd80706618b0be251ebec36b00a57

                                                  SHA512

                                                  9a6a5c2537130c42411d1556bab153ebf03dabaa7f7772583114d45b0fb4de41419c5feced46251ba6184d7054c219171d0bb289f510542aeaf7f748df9e56d5

                                                • C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\setup.rpt

                                                  Filesize

                                                  283B

                                                  MD5

                                                  cfdb1c89d10025ee3a81e17076ed76e6

                                                  SHA1

                                                  448e8ffccf455a3fa529ac8158fa8379ecdc883d

                                                  SHA256

                                                  f67495abad5b2379399163846d84ad64f472e28d531483562d3ea4213e42e3d1

                                                  SHA512

                                                  de90da5673aee79f12d61ff208f50e552582b27e9fb0d350291e46e5033d84af3771509c1628ed7643f8b6c31ed77015c1d775d718d7682a670e0f3259f233af

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsResolve.ps1

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  d213491a2d74b38a9535d616b9161217

                                                  SHA1

                                                  bde94742d1e769638e2de84dfb099f797adcc217

                                                  SHA256

                                                  4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

                                                  SHA512

                                                  5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsTroubleshoot.ps1

                                                  Filesize

                                                  25KB

                                                  MD5

                                                  d0cfc204ca3968b891f7ce0dccfb2eda

                                                  SHA1

                                                  56dad1716554d8dc573d0ea391f808e7857b2206

                                                  SHA256

                                                  e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

                                                  SHA512

                                                  4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsVerify.ps1

                                                  Filesize

                                                  10KB

                                                  MD5

                                                  9b222d8ec4b20860f10ebf303035b984

                                                  SHA1

                                                  b30eea35c2516afcab2c49ef6531af94efaf7e1a

                                                  SHA256

                                                  a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

                                                  SHA512

                                                  8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\StartDPSService.ps1

                                                  Filesize

                                                  567B

                                                  MD5

                                                  a660422059d953c6d681b53a6977100e

                                                  SHA1

                                                  0c95dd05514d062354c0eecc9ae8d437123305bb

                                                  SHA256

                                                  d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

                                                  SHA512

                                                  26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\UtilityFunctions.ps1

                                                  Filesize

                                                  53KB

                                                  MD5

                                                  c912faa190464ce7dec867464c35a8dc

                                                  SHA1

                                                  d1c6482dad37720db6bdc594c4757914d1b1dd70

                                                  SHA256

                                                  3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

                                                  SHA512

                                                  5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\UtilitySetConstants.ps1

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  0c75ae5e75c3e181d13768909c8240ba

                                                  SHA1

                                                  288403fc4bedaacebccf4f74d3073f082ef70eb9

                                                  SHA256

                                                  de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

                                                  SHA512

                                                  8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

                                                • C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\en-US\LocalizationData.psd1

                                                  Filesize

                                                  5KB

                                                  MD5

                                                  380768979618b7097b0476179ec494ed

                                                  SHA1

                                                  af2a03a17c546e4eeb896b230e4f2a52720545ab

                                                  SHA256

                                                  0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

                                                  SHA512

                                                  b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

                                                • C:\Windows\Temp\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\DiagPackage.dll

                                                  Filesize

                                                  478KB

                                                  MD5

                                                  580dc3658fa3fe42c41c99c52a9ce6b0

                                                  SHA1

                                                  3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

                                                  SHA256

                                                  5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

                                                  SHA512

                                                  68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

                                                • C:\Windows\Temp\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\en-US\DiagPackage.dll.mui

                                                  Filesize

                                                  17KB

                                                  MD5

                                                  44c4385447d4fa46b407fc47c8a467d0

                                                  SHA1

                                                  41e4e0e83b74943f5c41648f263b832419c05256

                                                  SHA256

                                                  8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

                                                  SHA512

                                                  191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

                                                • memory/4448-425-0x00000187EFAA0000-0x00000187EFAC2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/5124-448-0x0000025D32380000-0x0000025D32381000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-444-0x0000025D2C7C0000-0x0000025D2C7D0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/5124-440-0x0000025D2C780000-0x0000025D2C790000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/5124-621-0x0000025D324A0000-0x0000025D324A1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-622-0x0000025D32490000-0x0000025D32491000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-624-0x0000025D32390000-0x0000025D32391000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-625-0x0000025D32380000-0x0000025D32381000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-627-0x0000025D32380000-0x0000025D32381000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5124-630-0x0000025D2CF90000-0x0000025D2CF91000-memory.dmp

                                                  Filesize

                                                  4KB