hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbFFYZm5PdlU1eHRaMnZFeFRqWUg3dVA5ZUtsd3xBQ3Jtc0trSnZWVW05Z2xZZHhWMVI4Y245b3Y1MGxid1NHNkFBdnk4U29VdW1oanBnREdkaGlWQ0NLMDlWUzdabHFTNHFkLXJuOUdKR1dZamp1LVdqN0ZyazJYUy1rRjk5dXRFOUw4Y0VoRFZ4dDJxenYwaUpGVQ&q=https%3A%2F%2Fpastes[.]io%2Fuainjtyb3h&v=9OgpQHSP5qE

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFFYZm5PdlU1eHRaMnZFeFRqWUg3dVA5ZUtsd3xBQ3Jtc0trSnZWVW05Z2xZZHhWMVI4Y245b3Y1MGxid1NHNkFBdnk4U29VdW1oanBnREdkaGlWQ0NLMDlWUzdabHFTNHFkLXJuOUdKR1dZamp1LVdqN0ZyazJYUy1rRjk5dXRFOUw4Y0VoRFZ4dDJxenYwaUpGVQ&q=https%3A%2F%2Fpastes.io%2Fuainjtyb3h&v=9OgpQHSP5qE

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\NDF\{8C408DFD-4CE3-4CAE-901E-7261B90836B4}-temp-05292024-1635.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{aafb50bd-7b08-411d-b0ee-a571ad24c2cb}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{aafb50bd-7b08-411d-b0ee-a571ad24c2cb}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{8C408DFD-4CE3-4CAE-901E-7261B90836B4}-temp-05292024-1635.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1181767204-2009306918-3718769404-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1181767204-2009306918-3718769404-1000_UserData.bin	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2196	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614741312437131"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
6576	sdiagnhost.exe
6576	sdiagnhost.exe
6836	svchost.exe
6836	svchost.exe
3888	chrome.exe
3888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6576	sdiagnhost.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
5356	msdt.exe
5356	msdt.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6576 wrote to memory of 6748	6576	sdiagnhost.exe	135
PID 6576 wrote to memory of 6748	6576	sdiagnhost.exe	135
PID 6576 wrote to memory of 7044	6576	sdiagnhost.exe	140
PID 6576 wrote to memory of 7044	6576	sdiagnhost.exe	140
PID 3888 wrote to memory of 5432	3888	chrome.exe	147
PID 3888 wrote to memory of 5432	3888	chrome.exe	147
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5064	3888	chrome.exe	148
PID 3888 wrote to memory of 5848	3888	chrome.exe	149
PID 3888 wrote to memory of 5848	3888	chrome.exe	149
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150
PID 3888 wrote to memory of 5768	3888	chrome.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFFYZm5PdlU1eHRaMnZFeFRqWUg3dVA5ZUtsd3xBQ3Jtc0trSnZWVW05Z2xZZHhWMVI4Y245b3Y1MGxid1NHNkFBdnk4U29VdW1oanBnREdkaGlWQ0NLMDlWUzdabHFTNHFkLXJuOUdKR1dZamp1LVdqN0ZyazJYUy1rRjk5dXRFOUw4Y0VoRFZ4dDJxenYwaUpGVQ&q=https%3A%2F%2Fpastes.io%2Fuainjtyb3h&v=9OgpQHSP5qE
1⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3900,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:1
1⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4764,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:1
1⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5132,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1
1⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5240,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
1⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5496,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
1⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5924,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:8
1⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5932,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:1
1⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5972,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1
1⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8288c4e9h2bcfh4d8bh8d10h344000828105
1⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6008,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:1
1⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=4760,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:1
1⤵
PID:6040

C:\Windows\system32\msdt.exe
-modal "655444" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF6B86.tmp" -ep "NetworkDiagnosticsWeb"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5356

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6576
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:6748
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:7044
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:2196
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5264
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6864
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6684,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
1⤵
PID:6880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5252,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:1
1⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7623ab58,0x7fff7623ab68,0x7fff7623ab78
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:1
  2⤵
  PID:6248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:6716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:6748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:7156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4092 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:1
  2⤵
  PID:7064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:8
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4540 --field-trial-handle=1896,i,12353858150152482578,8460385955195038134,131072 /prefetch:1
  2⤵
  PID:6688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6728,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:1
1⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5776,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:1
1⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6044,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:1
1⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6764,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:1
1⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=5904,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052916.000\NetworkDiagnostics.debugreport.xml

Filesize
209KB

MD5
e3e694689fd6c2be6bec3c8a4382a7b4

SHA1
433a7d7449aca0c332cb3b7f8cb9ab526ec61895

SHA256
cb0c0b2fe74f237cb83db7b8a1bfbc89d2098c8475b49d60dd3f7167d7f03536

SHA512
26dc0f22b6f462f57a94a601b646017baf9a10156ed00c998fb3674b34db2acbc91136b115ab94a57b5ee3f3659f84905b768f05f7d9fbb66afcf017e1cfbbdb

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052916.000\ResultReport.xml

Filesize
38KB

MD5
fe5ee67be422796401e944d544160492

SHA1
ea5121eb7b1558d8c3d2c52376632bdc46abf138

SHA256
551d79cf2dc661a2c8986c41974b9fffdef9cede946b5d7ca412160ae4833f5c

SHA512
486feb065b9378d9b72f905ad0816f278e38730a7aec83ba047a8a2e85063a0b352a367edf64c67e77007b2a1b8260a5f9ad28af7568ef743d1cec09eee66b47

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052916.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
311bc98f1313511325fd63e73c62abef

SHA1
806b35a071240d414e9986f704ac441b593ab1b2

SHA256
4ea467459255b563f6f74b2c7e7dc9c9d1e02913b03a0266eaaee606d1074761

SHA512
4baad0f87146ab693978aae0c9a9327a2c69675a6d0efba08f1d20e07e0586174cd5d0111da548489de2f9a8ebb296d10d25bd95e44d4e9d618721516099b346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
26168d246b9ee0ada846ac49314da5e0

SHA1
4f9f5e39718588e67e80d5a8e908668ae1301672

SHA256
bb8ed6507755b9925cfc3e219ad176ea9cf1f48d62881808ab8ae962051fb42d

SHA512
871830e761c1e5175fa36447f303ef3ba0be9e3088502509f32686a97bdf26996090e5e2cfb3a7db99a78818d6c14a8e91a2304f11d731b8d0a5430f82561c0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
cadbc2a75151ed02319ec2cf6735c3b7

SHA1
7cae114be538424efa5ef632095a87fdcb9affe3

SHA256
34e36d7261d1c89f519b49d2712e4d80418eed6108ce1eb74cae5a6b272cf884

SHA512
8891661c0f75dd915542952d29c1939db5f3caabf0f0ada0e8c37c3a3e9175135cab4e805cbc14fac9b7f7af1fe14c97a9296f67e622e88662f79c2825923af0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ca172bb4d42463e5a240e447f84032a6

SHA1
384994a1f9794737ce0b4d95f1c25db2530fb22e

SHA256
e1bac2485ad104a619972f9634dd0cb53cc44bd33e305acc62ab9266c76bb9fe

SHA512
3a019ddb63ef3c86e4be20995d114111225887ad1d460d7de300892166191504be7f0deb28e32d9eacd196dabbdb67239431bade56333f40c131195c6a7688e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c6bbc093f2c325c9ce0cf34d967c4bca

SHA1
f50e17c6019f59e24f8ee9a00bfdc3d1edcb0ab2

SHA256
fd65e4ecc33a675abfeca18de99326031fa628a8ff25128ba20f2680de640761

SHA512
1cc7acac5c79d4a578e46d44a1f3683a258590f07c442873f120d08943e0eb13d4fca3f2174b46fbada57296645ad0dca4f821983b9fcc9096fe313d626b82f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1ca2396368f79fb71235e431d11c9a80

SHA1
c9360814bb853a2120befb5ae22c74fa5a121380

SHA256
2eff681765bd152d2e74e408131774f5cdeb73058702b6aa7732c44d5526674c

SHA512
7b7956099f57d630fbd5e7a5b121f55a51902c5d3603edbd59e5e046a4062a973f2c864688259e98ada928333f6dde435bec1f10c66ba240374ad949aa0ec9e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b86e760569e589459d43553b58dc329c

SHA1
c74017a6a0d75de84ec802c0cc7946b1c149376f

SHA256
b1b415318709cbb53aa9250d1badfc85e7ad0f8e39f10d3536feb57407a4d954

SHA512
f5d5ee8828c8b9b57e957f260c9f16776c73870d476dc71436d9d8b555b682e8b6fa533b3723e793bb0a99896eb3ac45cb1e90eb52bdc813f0e2542ba60cbedf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
514665ebdeaaada7401487d823e75354

SHA1
4f18e70c33de5f8d80b0c55575ca3ab7f1cefd95

SHA256
931d5cc31a7275d9ddea7fb746263f95eac836f4e690b1dee2e7b6562a585a72

SHA512
e8f6fe8353f85e871a485476fa539d198bc9c226be2da79b8012e54912a68b8ea852f80cc1ca908ed517487bf6cad3a63294dab37795479b817cb5eb42cdec0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
57eb257c1cafb968c94f40f27c2b0d72

SHA1
2d7c8660efb51a0244132dc24ca083deef3ba2b4

SHA256
4991b048cc6d9364e7b20709d11cd17a6f2c16867a1870c4b27e1bb00d7737ca

SHA512
dfc62e6000b77ed3182799a5fdda55111641ee0e98482f0978606c90d78f93bbc69350463a8a3e66e0c28351d70a837c68d9871975b9b9e087e0c271cf4b24b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
290cee3a40ea27da3ee9a84a11668618

SHA1
4a1d5b43504ac525702117e46e24d8435e4e62b4

SHA256
21d51b737adb475d33580f7a831e4fcc6ca8f4d7412f9b3ad587a0bdb81d8207

SHA512
9cd307edbd4b036d6cc19f36a8fe5643cfeb01b1adc0959f689e4d49b909012d8059df176f2fec733e845a28db433986e228e1b52db99be8d251a15d25605e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
675d5b7ae24a910589b1a57df7958969

SHA1
c77edf660ee7913e6122d11a46f69f97a867188f

SHA256
6e7586e3b6f17d574f1e526c5bef9681ad2da8cec977ad6c523e13467f028dac

SHA512
c0aed1b40b51d504ac2390a7826784d83940cf58471683a8e4faebc2978006739506fee749746d5a865456b4ad547b3698fe062e0f199a6cb76e3d13cc7185b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59a723.TMP

Filesize
48B

MD5
c54b23856f6a5421cd082afdaaaeeeed

SHA1
58e0a5b81859613869c82ed54ec62ff5af9d9a70

SHA256
a180d1fbe542fe8f50ea038031c6ca5e38fcf85911777de3fde67c642b986374

SHA512
ae447d74b551ace164803f8538cde86311a816ebffa565776ad01f2000610863d3ac8b1ce1df95137dfd32130d4e06c98d2f5f786fd92d07bf64f896881e32d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
40c6173bbe87f7693f4aeed394769667

SHA1
c02d5cd22df69d4bda1f734920d5ee4c49bfed9a

SHA256
00f13973435f46353af62adaf24b2556825e0f7c83325f66639dce879803e4dc

SHA512
4239a0895d65345294d7c2ff0d5da2d32f42c5d2b724bdb8d0a6de2a367432e7f098972853777c49368d7ce7c181a4d55a401079f9b21a2e903730fa90e3ed51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
d19876c5905d69690e1dace86a4cae72

SHA1
b71d522bf948393a7976cc0f1a88de3e498d7c8c

SHA256
c15155c36da37bc5ad4b90ac0609e00873844a6a89d2a3c36ab16f028d75bb34

SHA512
b828cc2d812661f6d0d0d9f8c0d6a5054ddf81f2332a29209a06d765c820ac4d71c7befa1c5f6fbb28789aacc69eb5296e104bf81b12a1eb43d33a2ff6949fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsmuortc.55d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
d4ddb8b3dbc8532b1834267e303568aa

SHA1
d2e219c407feedddffd628fd3d25c370e1dc98bf

SHA256
ad81a6c7ab62349ba03e16e9bb987d307d7b93db9293a11850e74c1837088df4

SHA512
af87cc7f6b6df33feeffd42c93a42294868db94c8f51d4ac8d19ed502c299fb9ddd5366eca02b5343f6f46ee5a901485eae360f81f4a98cb8e3e1880323f8b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\ipconfig.all.txt

Filesize
1KB

MD5
2bdefb9317a26957014bf387f5fb688d

SHA1
1cfc2105fc4f6310f7d70682c000cc19ea78a58a

SHA256
3bf305ec5528364c42b409d22018fcd2dbcca87c624cd37c82d22dbbb1ba4e4d

SHA512
a8e61869cc1c2816c19a29d2593179c0f9fd640c306d302994e24688309a7cf4a1f600f4fdce275f094e9f5c75d482ed102d932376dcb5cc3331071febf61c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\route.print.txt

Filesize
4KB

MD5
19197ff9e29d653fdab28d337b74ea65

SHA1
79d90aa8406bb63ef51861fd984ef99eb50d1e66

SHA256
0cb6febbe777b7294d4a2599de34854e741506e034fb50f0979451ba496bfd57

SHA512
203dbbdf61a0b88c681d86cdb6b4fa25a1dbe47b6b90d002c98ccbc3a84dff6f1b76864a22366c7964be5db9716c2ed2e7f572ac0799b6069d6b64b5ddcadeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\setup.inf

Filesize
978B

MD5
fb5f77ebb1770100cc511e8f2ac17a69

SHA1
cb0bf31d37ec2f8ddb29d19b6cf8ca6b270eccc7

SHA256
d2c3e8391aa32423630c760318c09c9682c690a39039f6d359c630f63d855755

SHA512
3b136511fbd40cbc4f9226c3eb2eb4bd440aeccff2db66ec7772a989fdc478c1f94c8dacab4b9581186427de1ba1887289bb2c32e85854eaacc47c13529b96eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335B.tmp\setup.rpt

Filesize
283B

MD5
ceea1d8b750d5595cb1717440b86665f

SHA1
b9b547a92d5ee415139add2052a1afdf58ce8ff9

SHA256
f6272fafc2398845114dadfa1efb2af1c1ba09f5d148270f5c7b3d1843c08ab6

SHA512
5b29b1fc577a63baa5b6fded59e30946943ce4cf89c23add29aa78176a776c96716fcfd3ac1dea0b5e6e6a14ab0331740c9f0ab1a7dd207db9089691cb6822dd

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_6ddb247f-60d8-4143-9baf-1cc84e8ae844\result\8C408DFD-4CE3-4CAE-901E-7261B90836B4.Diagnose.Admin.0.etl

Filesize
192KB

MD5
7cac147d1f189ee2e4d1f6b307875316

SHA1
2c5a4705143ba9fc248496c02f9aec8fb1b4488c

SHA256
d6c5eeedec07850ef66b29d773a0890aef014db2151128136a414ac8a4b012f0

SHA512
db4f7b75f39f5c2036931971bb770f74397231ea3d36aa005c3bb32bb01dbcfa542f5359be8dba153b099bd839b996c5115ab96ed00a9b2eb29837c7dc52f1e4

Download Submit
memory/6576-388-0x00007FFF733F0000-0x00007FFF73EB1000-memory.dmp

Filesize
10.8MB

Download
memory/6576-371-0x00007FFF733F0000-0x00007FFF73EB1000-memory.dmp

Filesize
10.8MB

Download
memory/6576-370-0x000001D6A0630000-0x000001D6A0652000-memory.dmp

Filesize
136KB

Download
memory/6576-360-0x00007FFF733F3000-0x00007FFF733F5000-memory.dmp

Filesize
8KB

Download
memory/6576-387-0x00007FFF733F3000-0x00007FFF733F5000-memory.dmp

Filesize
8KB

Download
memory/6576-854-0x00007FFF733F0000-0x00007FFF73EB1000-memory.dmp

Filesize
10.8MB

Download
memory/6836-381-0x0000021D311A0000-0x0000021D311B0000-memory.dmp

Filesize
64KB

Download
memory/6836-377-0x0000021D31160000-0x0000021D31170000-memory.dmp

Filesize
64KB

Download
memory/6836-385-0x0000021D31C60000-0x0000021D31C61000-memory.dmp

Filesize
4KB

Download