Analysis

  • max time kernel: 155s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/06/2024, 15:08

General

  • Target: Graphing data.xlsx
  • Size: 7.6MB
  • MD5: e19d0eda637f74082459f65ef9932c06
  • SHA1: 02c1b4bea5a8a8984ae4b06b88cc30c5ccbbe58e
  • SHA256: 3eb94783cb0063c9fb90a79f8a157e315f627bd60e5bcfc4c426aa90b6069f1a
  • SHA512: d95c57f1f5df143956fd9f1582ee38ffcf0679724346b242d49cd5639a1eca714fb65ddbb23ff5b22518028938054277e2eaf3c8226c3c6dcfb6912f104d849f
  • SSDEEP: 196608:nkDusCHhRf8ewh52r1LDpD7jruFNTiuYvWa4mApTz:kCs6dgz2r1LDpD7jUNTiuYu9

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Graphing data.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1528
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe80e5ab58,0x7ffe80e5ab68,0x7ffe80e5ab78
      2⤵
      PID:4908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:2
      2⤵
      PID:760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:1268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:4488
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2044
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2060
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2600
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:4148
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:2276
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2204
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4208 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2460
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3092 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:1184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2164
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3380 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:2472
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4684 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:3904
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:3244
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:2724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:4500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
      2⤵
      PID:4372
    • C:\Windows\system32\msdt.exe
      -modal "66174" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF74E.tmp" -ep "NetworkDiagnosticsWeb"
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:3528
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3600 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:6028
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4464 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:5536
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3564 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5696
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2100 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
      2⤵
      PID:5976
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:2532
  • C:\Windows\System32\sdiagnhost.exe
    C:\Windows\System32\sdiagnhost.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:5776
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      2⤵
      PID:5944
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      2⤵
      PID:3992
    • C:\Windows\system32\ipconfig.exe
      "C:\Windows\system32\ipconfig.exe" /all
      2⤵
      • Gathers network information
      PID:5260
    • C:\Windows\system32\ROUTE.EXE
      "C:\Windows\system32\ROUTE.EXE" print
      2⤵
      PID:5296
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
      2⤵
      PID:4424
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1396
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:4728
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
      2⤵
      PID:4508
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
    1⤵
    PID:4032
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:5160
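Reading the tree: EXCEL.EXE (PID 1528) spawns nothing. The network-discovery hits come from the Windows Network Diagnostics troubleshooter, not from the document. chrome.exe (PID 3200) launches msdt.exe (PID 3528) with -ep NetworkDiagnosticsWeb and -path C:\Windows\diagnostics\system\networking, the built-in diagnostic pack behind the browser's "Run Windows Network Diagnostics" button; sdiagnhost.exe -Embedding (PID 5776) is the COM-activated Scripted Diagnostics host that runs that pack, and its children (netsh trace diagnose Scenario=NetworkSnapshot, ipconfig /all, route print, makecab /f NetworkConfiguration.ddf) are the troubleshooter's network snapshot, whose output shows up under Downloads as NetworkConfiguration.cab, NDF74E.tmp and the NdfSession .etl. The __PSScriptPolicyTest_*.ps1 file is the marker PowerShell writes at startup for its script-policy check, consistent with sdiagnhost running the pack's PowerShell scripts. So "Gathers network information" fires on expected troubleshooter activity here; the same utilities with an Office process in their lineage, or msdt.exe launched by an Office process, would be the case to escalate. The Python below is an added example, not part of the sandbox report or its vendor's code: it walks process records constructed from the PIDs and command lines in this tree, plus one invented contrast record (PID 9999, parented to EXCEL.EXE), and separates recon utilities under sdiagnhost.exe from the same utilities under an Office lineage. The verdict labels and the utility list are the example's own choices.

```python
"""Triage network-discovery processes from a sandbox process tree.

Added example (not code from the sandbox report): separates recon utilities run
by the Windows Network Diagnostics troubleshooter (sdiagnhost.exe) from the same
utilities under an Office lineage. Records are constructed from the report;
PID 9999 is an invented contrast case.
"""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Utilities whose execution maps to network configuration discovery.
RECON_UTILITIES = {"ipconfig.exe", "route.exe", "netsh.exe", "arp.exe", "nbtstat.exe"}
# Scripted Diagnostics host: runs built-in troubleshooter packs, COM-activated.
TROUBLESHOOTER_HOSTS = {"sdiagnhost.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Built-in diagnostic packs live here; matched against the msdt.exe -path argument.
BUILTIN_DIAG_PACKS = "\\windows\\diagnostics\\"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None  # None when the tree shows no parent (top-level or COM-activated)
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    verdict: str  # "expected-troubleshooter" | "review" | "escalate"
    reason: str


def ancestors(proc: Proc, index: dict[int, Proc]) -> list[Proc]:
    """Parents nearest-first; stops at a parent missing from the tree or a cycle."""
    chain, seen, cur = [], {proc.pid}, proc
    while cur.ppid is not None and cur.ppid in index and cur.ppid not in seen:
        cur = index[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def classify(proc: Proc, index: dict[int, Proc]) -> Finding | None:
    name = proc.name
    chain = ancestors(proc, index)
    parent = chain[0].name if chain else None
    lineage = {a.name for a in chain}
    if name in RECON_UTILITIES:
        # An Office ancestor anywhere in the chain overrides the troubleshooter exemption.
        if lineage & OFFICE_APPS:
            return Finding(proc.pid, name, "escalate", f"{name} descends from an Office process")
        if parent in TROUBLESHOOTER_HOSTS:
            return Finding(proc.pid, name, "expected-troubleshooter", f"{name} run by {parent} (network snapshot)")
        return Finding(proc.pid, name, "review", f"{name} run by {parent or 'a parent not in the tree'}")
    if name == "msdt.exe":
        if lineage & OFFICE_APPS:
            return Finding(proc.pid, name, "escalate", "msdt.exe launched from an Office process")
        if BUILTIN_DIAG_PACKS in proc.cmdline.lower():
            return Finding(proc.pid, name, "expected-troubleshooter", f"built-in diagnostic pack, launched by {parent}")
        return Finding(proc.pid, name, "review", "msdt.exe -path outside the built-in packs")
    return None


def triage(procs: list[Proc]) -> list[Finding]:
    index = {p.pid: p for p in procs}
    return [f for f in (classify(p, index) for p in procs) if f is not None]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
SYS32 = r"C:\Windows\System32"
NETSH_CMD = r'"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter'

# Constructed from the report's process tree: (pid, parent pid, image, command line).
REPORT_PROCS = [
    Proc(1528, None, EXCEL, f'"{EXCEL}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Graphing data.xlsx"'),
    Proc(3200, None, CHROME, f'"{CHROME}"'),
    Proc(3528, 3200, SYS32 + r"\msdt.exe",
         r'-modal "66174" -skip TRUE -path "C:\Windows\diagnostics\system\networking" '
         r'-af "C:\Users\Admin\AppData\Local\Temp\NDF74E.tmp" -ep "NetworkDiagnosticsWeb"'),
    Proc(5776, None, SYS32 + r"\sdiagnhost.exe", SYS32 + r"\sdiagnhost.exe -Embedding"),
    Proc(5944, 5776, SYS32 + r"\netsh.exe", NETSH_CMD),
    Proc(3992, 5776, SYS32 + r"\netsh.exe", NETSH_CMD),
    Proc(5260, 5776, SYS32 + r"\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /all'),
    Proc(5296, 5776, SYS32 + r"\ROUTE.EXE", r'"C:\Windows\system32\ROUTE.EXE" print'),
    Proc(4424, 5776, SYS32 + r"\makecab.exe", r'"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf'),
]
# Invented contrast case (NOT in the report): the same ipconfig /all parented to EXCEL.EXE.
CONTRAST_PROCS = [Proc(9999, 1528, SYS32 + r"\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /all')]

if __name__ == "__main__":
    for f in triage(REPORT_PROCS + CONTRAST_PROCS):
        print(f"{f.verdict:24} pid={f.pid:<5} {f.name:13} {f.reason}")
```

Run as-is it prints six verdicts: the two netsh instances, ipconfig, route and msdt come back as expected-troubleshooter, and the invented PID 9999 as escalate; makecab is not in the utility list and is not reported. The exemption is deliberately narrow: sdiagnhost.exe only clears utilities it is the direct parent of, and an Office ancestor anywhere in the chain wins over it. These verdicts cover only process lineage; with a 5/10 score and an empty Malware Config, the workbook's own content (external data connections, links) still needs a separate static look.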

Network

MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                              Filesize

                                                              2B

                                                              MD5

                                                              d751713988987e9331980363e24189ce

                                                              SHA1

                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                              SHA256

                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                              SHA512

                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              af9be482a2bc819ce7f4aece4616037f

                                                              SHA1

                                                              f6932a2dd461fa0665e0ab7b0b2cd595205b7c4d

                                                              SHA256

                                                              8a2e407979827d9dc2409b30734b92eadc28930881042a8d558cbe5369151825

                                                              SHA512

                                                              49e058f0a56a4ab4ca7a545f128a531c35fa6cf10d86b258f3662f75de9fa43808ee45407e0d1c1dc67696dc634668f3c1402f99b75cbbaa97ba77eb5aa41cb1

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c8277be3-3c4a-41ae-aa53-e0c4a2c079fc.tmp

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              3d3bc1bb1b5dcf5394d3161f9397cb48

                                                              SHA1

                                                              165f88e404667da4d1490b76d4968a10d444bd5c

                                                              SHA256

                                                              eb85474def8d4066a7f93db04588e433a40e68dc94290cff462672938b7325d3

                                                              SHA512

                                                              69e0bcfe3444b3d827b42c8194b1b1d26b9825111656d478113bf518a7b70b4944f9e43f8dffd670da96dd470943681e9dd0c8cb51f20ee1281c0f99132b5ed3

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                              Filesize

                                                              257KB

                                                              MD5

                                                              0aeef886565b63af88c7a861b6c504e0

                                                              SHA1

                                                              22f529c2b94f03411a5e56a85f6668a36adad6ea

                                                              SHA256

                                                              dfc94528888234305437b0ecace7bcfd30a942369c705fbead3e47fa66c2f5f0

                                                              SHA512

                                                              2691a6dd1a7644512a4d9e6ad76fc2800123904a6cd9467d2e9913054081dd16b871bff5c1f8cd5464d0749463045a24de90e43adcafe667b18efd26a2799076

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                              Filesize

                                                              257KB

                                                              MD5

                                                              1bf682e74aff091216c01742adda54bc

                                                              SHA1

                                                              f0d4889a16ac6c138b5b7a83b6dcbf68300005a8

                                                              SHA256

                                                              bac60a372880f17a8b5bbae7ad2671d94bbe5935befad8e81a4401cba039ff78

                                                              SHA512

                                                              b3a943e4b2e00d4e410052db9f6f71acc5bd5d294d70d00cc4e82439ab6ce5cd30420a2260bdc68e5dd166123ef9302f90b8fbc43f0899ce72f450174a81e4a9

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                              Filesize

                                                              92KB

                                                              MD5

                                                              8ce8536950296c7a096f808adaeaa295

                                                              SHA1

                                                              8a1074b1d5c5d6572ee53db85524a5feeb14fb98

                                                              SHA256

                                                              f77ffe3f05de2656b55e8eea81da86e29e2342352492601d1e7203d0517c0386

                                                              SHA512

                                                              9be086bb70e09e1f403ae4a81358301bd507ca5133985f04719b8a0adb4dbd976dd1d2daa3cad2b7afc579a2816a53ef7e0b9a5bab8d0a7abce9b7941e94ab7d

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582e6e.TMP

                                                              Filesize

                                                              88KB

                                                              MD5

                                                              eb43c8974b3f1cc10f5eb8eac9167281

                                                              SHA1

                                                              1062add32194d556fc850c4d6f288a697b6d634a

                                                              SHA256

                                                              e824cc9ba3d57021134c669829a1483f41404d61a4820b61d5be23ef95550ac0

                                                              SHA512

                                                              4e44d87fdf93a6c695f01016978ae25a553ef513ce51de627194af4e7dba2dcea6a6a3df7cf85a2e4802dcb8b6b5fe6261a25fc967af0098d8da071cdf8b66a5

                                                            • C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-06122024-1510.etl

                                                              Filesize

                                                              192KB

                                                              MD5

                                                              3a7c43f58f39c9605476cf2f836ce1ca

                                                              SHA1

                                                              6b50b03b7034b1b7b8233f345c936490f5bd6858

                                                              SHA256

                                                              d0ad7b546b10f83e360941c05d2fe123e9cb112c3c6aabcf79b36fffd6d54ae3

                                                              SHA512

                                                              e46d3807b340e7666032b52ef5144735c1ad9456dd3b2c101c7035faf52392a8dce3930e3403f9fc94b36a672c5c5a9e7977ed08d0e12053e9a375dc0081743d

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\PowerQuery\temp.User.zip

                                                              Filesize

                                                              768B

                                                              MD5

                                                              37ddbd33c2fcc7748adc5dc9cc909ce2

                                                              SHA1

                                                              2cc7453b62463555e8287ccf22faa410251a08ea

                                                              SHA256

                                                              4ed23697c8a24a1b8ceb231f87e652cdb994c8aaa5e30408e024b7228c9fcdf3

                                                              SHA512

                                                              f22822155e4b0caeda67e51fb06c9284c2ca89fd5ccad157c4e4d53773d858b4f925ded3f007349560b119d49e591c903e131f864a43a59900e10e4f61f74e2b

• C:\Users\Admin\AppData\Local\Temp\NDF74E.tmp (Filesize 3KB)
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5xrkadd.kf1.ps1 (Filesize 60B)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\NetworkConfiguration.cab (Filesize 1KB)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\NetworkConfiguration.ddf (Filesize 231B)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\ipconfig.all.txt (Filesize 2KB)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\route.print.txt (Filesize 4KB)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\setup.inf (Filesize 978B)
• C:\Users\Admin\AppData\Local\Temp\tmp9E1F.tmp\setup.rpt (Filesize 283B)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\NetworkDiagnosticsResolve.ps1 (Filesize 11KB)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\NetworkDiagnosticsTroubleshoot.ps1 (Filesize 25KB)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\NetworkDiagnosticsVerify.ps1 (Filesize 10KB)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\StartDPSService.ps1 (Filesize 567B)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\UtilityFunctions.ps1 (Filesize 53KB)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\UtilitySetConstants.ps1 (Filesize 2KB)
• C:\Windows\TEMP\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\en-US\LocalizationData.psd1 (Filesize 5KB)
• C:\Windows\Temp\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\DiagPackage.dll (Filesize 478KB)
• C:\Windows\Temp\SDIAG_a0961742-f012-41ef-9d1d-8e54822cc4e8\en-US\DiagPackage.dll.mui (Filesize 17KB)

• memory/1396-557-0x000001CF39E50000-0x000001CF39E60000-memory.dmp (Filesize 64KB)
• memory/1396-553-0x000001CF39E10000-0x000001CF39E20000-memory.dmp (Filesize 64KB)
• memory/1396-561-0x000001CF39FD0000-0x000001CF39FD1000-memory.dmp (Filesize 4KB)
• memory/1528-22-0x0000028A55C70000-0x0000028A55E12000-memory.dmp (Filesize 1.6MB)
• memory/1528-146-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-30-0x0000028A346E0000-0x0000028A346F0000-memory.dmp (Filesize 64KB)
• memory/1528-29-0x0000028A570F0000-0x0000028A57E80000-memory.dmp (Filesize 13.6MB)
• memory/1528-27-0x0000028A3DA80000-0x0000028A3DC42000-memory.dmp (Filesize 1.8MB)
• memory/1528-61-0x0000028A347B0000-0x0000028A347D2000-memory.dmp (Filesize 136KB)
• memory/1528-62-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-68-0x0000028A5F600000-0x0000028A63916000-memory.dmp (Filesize 67.1MB)
• memory/1528-69-0x0000028A34840000-0x0000028A34868000-memory.dmp (Filesize 160KB)
• memory/1528-71-0x0000028A348C0000-0x0000028A34910000-memory.dmp (Filesize 320KB)
• memory/1528-72-0x0000028A347E0000-0x0000028A347F0000-memory.dmp (Filesize 64KB)
• memory/1528-73-0x0000028A34870000-0x0000028A34888000-memory.dmp (Filesize 96KB)
• memory/1528-74-0x0000028A34970000-0x0000028A349CA000-memory.dmp (Filesize 360KB)
• memory/1528-77-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-78-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-79-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-81-0x0000028A57E80000-0x0000028A583A8000-memory.dmp (Filesize 5.2MB)
• memory/1528-82-0x0000028A56EC0000-0x0000028A56FBC000-memory.dmp (Filesize 1008KB)
• memory/1528-28-0x0000028A346F0000-0x0000028A34712000-memory.dmp (Filesize 136KB)
• memory/1528-99-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-100-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-101-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-102-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-103-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-26-0x0000028A34720000-0x0000028A3477C000-memory.dmp (Filesize 368KB)
• memory/1528-25-0x0000028A560C0000-0x0000028A56354000-memory.dmp (Filesize 2.6MB)
• memory/1528-128-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-143-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-144-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-31-0x0000028A347F0000-0x0000028A347FA000-memory.dmp (Filesize 40KB)
• memory/1528-145-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-147-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-24-0x0000028A58880000-0x0000028A5B2E0000-memory.dmp (Filesize 42.4MB)
• memory/1528-21-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-23-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-0-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-8-0x00007FFE5C8F0000-0x00007FFE5C900000-memory.dmp (Filesize 64KB)
• memory/1528-4-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-9-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-10-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-16-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-18-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-19-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-20-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-17-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-15-0x00007FFE5C8F0000-0x00007FFE5C900000-memory.dmp (Filesize 64KB)
• memory/1528-11-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-14-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-13-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-12-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-6-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-7-0x00007FFE9EE50000-0x00007FFE9F045000-memory.dmp (Filesize 2.0MB)
• memory/1528-5-0x00007FFE9EEED000-0x00007FFE9EEEE000-memory.dmp (Filesize 4KB)
• memory/1528-1-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-2-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/1528-3-0x00007FFE5EED0000-0x00007FFE5EEE0000-memory.dmp (Filesize 64KB)
• memory/5776-536-0x0000025174DC0000-0x0000025174DE2000-memory.dmp (Filesize 136KB)