
Windows Analysis Report
http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417

Overview

General Information

Sample URL: http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
Analysis ID: 1670411
Infos:
Errors
  • URL not reachable
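"URL not reachable" here does not describe the network: the host part of the sample URL is a single 64-character hex label, and RFC 1035 caps a DNS label at 63 octets, so no resolver can look it up and Chrome lands on its error page in every environment. The check below, an added example that is not part of the Joe Sandbox report, tells that case apart from a live host that happened to be down; the only input taken from the report is the sample URL, everything else is constructed.

```python
# Added example (not part of the Joe Sandbox report): separate "this host can never resolve"
# from "the network was down" before reading anything into "URL not reachable".
import re
from urllib.parse import urlsplit

# Sample URL copied from the report.
SAMPLE_URL = "http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417"
# Letters, digits and hyphen only, no leading or trailing hyphen, at most 63 octets.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problems(url: str) -> list[str]:
    """Return why the URL's host cannot be a valid DNS hostname; empty list if it can be.
    Limits follow RFC 1035: 63 octets per label, 253 characters for the whole name."""
    host = urlsplit(url).hostname or ""   # urlsplit lowercases the host for us
    if not host:
        return ["URL has no host component"]
    problems: list[str] = []
    if len(host) > 253:
        problems.append(f"hostname is {len(host)} characters, limit is 253")
    for label in host.split("."):
        if not label:
            problems.append("empty label (consecutive or trailing dots)")
        elif len(label) > 63:
            problems.append(f"label {label[:12]}... is {len(label)} octets, limit is 63")
        elif not LDH_LABEL.match(label):
            problems.append(f"label {label!r} is not letters/digits/hyphen")
    if re.fullmatch(r"[0-9a-f]{64}", host):
        problems.append("host is 64 hex digits, the length of a SHA-256 digest, not a name")
    return problems


if __name__ == "__main__":
    for problem in hostname_problems(SAMPLE_URL):
        print(problem)
```

For the sample URL the function reports both the over-long label and the SHA-256-shaped host; for www.google.com, the only name the sandbox did resolve, it returns nothing. Run it on a URL before submitting it, or on the "Sample URL" field afterwards, so a browse-URL job with a broken host is not mistaken for an evasive or offline C2.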

Detection

Score: 3
Range: 0 - 100
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device

Classification

Classification: unknown (score 3 of 100, confidence 20%; no malicious signatures matched)

Process Tree
  • System is w10x64
  • chrome.exe (PID: 5900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 4100 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2328,i,6134061799270259057,10941547348514285084,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2320 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • msdt.exe (PID: 1208 cmdline: -modal "66320" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user\AppData\Local\Temp\NDF611.tmp" -ep "NetworkDiagnosticsWeb" MD5: 3AE6BFDF0257B303EDD695DA183C8462)
  • chrome.exe (PID: 6848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
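The line a reviewer stops at in this tree is msdt.exe under chrome.exe. Its arguments (-path C:\Windows\diagnostics\system\networking, -ep NetworkDiagnosticsWeb, -af an NDF*.tmp answer file in the user's temp directory) are those of the in-box Windows Network Diagnostics troubleshooter that Chrome's error page offers when a page cannot be loaded, and the SDIAG_* files under C:\Windows\Temp are that package being staged. The Python below is an added triage check, not part of the report: it parses an msdt.exe command line as logged above and flags the deviations that would make the same parent/child pair worth escalating, namely a package path outside C:\Windows\diagnostics, an unrecognised switch, shell or PowerShell metacharacters in a value, or the web endpoint launched from something other than a browser. The switch list, the browser list and the second, constructed command line are assumptions, not data from the report.

```python
# Added triage check (not part of the Joe Sandbox report): decide whether an msdt.exe
# command line matches the in-box Windows Network Diagnostics launch seen in the process
# tree, or deviates in a way worth escalating.
import ntpath
import re

# Command line copied from the report's process tree (msdt.exe, PID 1208).
REPORT_CMDLINE = (r'-modal "66320" -skip TRUE -path "C:\Windows\diagnostics\system\networking" '
                  r'-af "C:\Users\user\AppData\Local\Temp\NDF611.tmp" -ep "NetworkDiagnosticsWeb"')
# Constructed counter-example for the checks below; it is not from the report.
CONSTRUCTED_CMDLINE = (r'-modal "1" -skip TRUE -path "C:\Users\user\AppData\Local\Temp\pkg" '
                       r'-af "C:\Users\user\AppData\Local\Temp\a.tmp" -ep "NetworkDiagnosticsWeb"')

INBOX_PACKAGES = r"C:\Windows\diagnostics"   # where Windows ships its own troubleshooters
# Assumption: msdt's switch vocabulary; extend it if your environment logs others.
KNOWN_SWITCHES = {"-id", "-path", "-dt", "-af", "-ep", "-modal", "-skip", "-cab", "-param", "-advanced"}
# Assumption: parents expected to launch the NetworkDiagnosticsWeb endpoint (the report shows chrome.exe).
BROWSERS = {"chrome.exe", "msedge.exe"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # Windows quoting: double quotes only, backslashes literal
META = re.compile(r"[$`;|&<>{}]")        # characters that have no place in a package path or endpoint name


def parse_msdt_args(cmdline: str) -> dict[str, str]:
    """Split an msdt.exe command line into {switch: value}.
    Switches are case-insensitive and may be written with - or /; a switch with no value maps to ''."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    args: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("-", "/") and len(tok) > 1:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and nxt[:1] not in ("-", "/"):
                args["-" + tok[1:].lower()] = nxt
                i += 2
            else:
                args["-" + tok[1:].lower()] = ""
                i += 1
        else:
            i += 1   # stray positional token; msdt takes none
    return args


def triage_msdt(cmdline: str, parent_image: str) -> list[str]:
    """Return findings for an msdt.exe launch; an empty list means it looks like the in-box troubleshooter."""
    args = parse_msdt_args(cmdline)
    findings: list[str] = []
    path = args.get("-path", "")
    if not path:
        findings.append("no -path switch; package location unknown")
    else:
        norm = ntpath.normcase(ntpath.normpath(path))
        if not norm.startswith(ntpath.normcase(INBOX_PACKAGES) + "\\"):
            findings.append(f"-path outside {INBOX_PACKAGES}: {path}")
    for switch in args:
        if switch not in KNOWN_SWITCHES:
            findings.append(f"unrecognised switch {switch}")
    for switch, value in args.items():
        if META.search(value):
            findings.append(f"shell/PowerShell metacharacters in {switch} value: {value!r}")
    if args.get("-ep") == "NetworkDiagnosticsWeb":
        if ntpath.basename(ntpath.normpath(path)).lower() != "networking":
            findings.append("NetworkDiagnosticsWeb endpoint used with a package other than system\\networking")
        if ntpath.basename(parent_image).lower() not in BROWSERS:
            findings.append(f"NetworkDiagnosticsWeb launched by {parent_image}, expected a browser")
    return findings


if __name__ == "__main__":
    print("report:", triage_msdt(REPORT_CMDLINE, r"C:\Program Files\Google\Chrome\Application\chrome.exe"))
    print("constructed:", triage_msdt(CONSTRUCTED_CMDLINE, "example.exe"))
```

The report's own line produces no findings; the constructed line produces three (package outside the in-box directory, web endpoint with a foreign package, non-browser parent). The path test uses ntpath so it behaves the same on a Linux SIEM host as on Windows; the value check is deliberately blunt, because nothing msdt legitimately receives on this code path contains those characters.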


Signature details (source, then the observed event; the report's "Jump to behavior" and "Jump to dropped file" links and its repeated entries are dropped, repeat counts are given instead):

Source: unknown | HTTPS traffic detected: 192.178.49.164:443 -> 192.168.2.4:49731 version: TLS 1.2 (192.178.49.164 is www.google.com per the IP table: Chrome's own background traffic, not the sample host, which never resolved)
Source: NetworkDiagnosticSnapIn.dll.12.dr | Binary string: NetworkDiagnosticSnapIn.pdb
Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73 (2x), 204.79.197.222 (2x), 204.79.197.203 (7x), 20.189.173.27 (6x)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3x)
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
Source: DiagPackage.dll.12.dr | Static PE information: No import functions for PE file found
Source: DiagPackage.dll.mui.12.dr | Static PE information: No import functions for PE file found (both are resource-only DLLs; the package manifest in the dropped-files section refers to them as @diagpackage.dll,-1 and -2, so an empty import table is expected)
Source: classification engine | Classification label: unknown3.win@23/14@4/2
Source: C:\Windows\System32\msdt.exe | File created: C:\Users\user\AppData\Local\Temp\msdtadmin
Source: C:\Windows\System32\msdt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies)
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2328,i,6134061799270259057,10941547348514285084,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2320 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe -modal "66320" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user\AppData\Local\Temp\NDF611.tmp" -ep "NetworkDiagnosticsWeb"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (17 entries whose child image was not recorded; see the cookbook comment that not all processes were analysed)
Source: C:\Windows\System32\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32 (the MSXML 6 DOMDocument class)
Source: C:\Windows\System32\msdt.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: DiagPackage.dll.12.dr | Static PE information: 0xB6DD46AC [Mon Mar 21 17:41:00 2067 UTC] (Windows 10 system binaries carry a reproducible-build hash in TimeDateStamp rather than a build time, so a future date on this DLL is not an indicator by itself)
Source: C:\Windows\System32\msdt.exe | File created: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\DiagPackage.dll
Source: C:\Windows\System32\msdt.exe | File created: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\en-GB\DiagPackage.dll.mui
Source: C:\Windows\System32\msdt.exe | File created: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\NetworkDiagnosticSnapIn.dll
Source: C:\Windows\System32\msdt.exe | Process information set: NOOPENFILEERRORBOX (4x)
Source: C:\Windows\System32\msdt.exe | Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\en-GB\DiagPackage.dll.mui
Source: C:\Windows\System32\msdt.exe | Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\DiagPackage.dll
Source: C:\Windows\System32\msdt.exe | Dropped PE file which has not been started: C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\NetworkDiagnosticSnapIn.dll (the snap-in is loaded with Import-Module by the package's PowerShell scripts, which run in the scripted-diagnostics host sdiagnhost.exe; that process is on the cookbook's exclusion list, so a load would not have been recorded)
Source: C:\Windows\System32\msdt.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0316~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (a signing catalog under CatRoot)
Source: C:\Windows\System32\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
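Two of the signatures above, the 2067 time stamp on DiagPackage.dll and the two empty import tables, are read straight from the PE header. The Python below is an added example, not part of the report and not Joe Sandbox's own logic: it reads exactly those fields, using a constructed PE32+ header in place of the real DLL (the real file is not reproduced here; only the 0xB6DD46AC value is taken from the report). The point it makes is that neither field is an indicator on its own: Windows 10 system binaries store a reproducible-build hash in TimeDateStamp, so future dates on Microsoft-signed DLLs are normal, and a resource-only DLL has no import directory by design. Whether such a file is worth a second look is decided by its Authenticode signature and where it came from, not by these two numbers.

```python
# Added example (not part of the Joe Sandbox report): read the PE header fields behind the
# "suspicious time stamp" and "no import functions" signatures. The header built by
# build_minimal_pe() is a constructed stand-in, not the real DiagPackage.dll.
import struct
from datetime import datetime, timedelta, timezone

REPORT_TIMESTAMP = 0xB6DD46AC   # TimeDateStamp the report shows for DiagPackage.dll.12.dr
REPORT_START_EPOCH = 1745250677  # 2025-04-21 15:51:17 UTC, the report's start time
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_minimal_pe(timestamp: int, import_dir_size: int) -> bytes:
    """Constructed PE32+ header: DOS stub, 'PE\\0\\0', COFF header and an optional header with
    16 data directories. Only the fields pe_header_facts() reads carry meaningful values."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (240 for PE32+), Characteristics (executable | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x2022)
    # PE32+ optional header: Magic, 106 bytes of fixed fields, NumberOfRvaAndSizes at offset 108
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    # Data directory 1 is the import table; a size of 0 is what "no import functions" looks like
    struct.pack_into("<II", dirs, 1 * 8, 0x3000 if import_dir_size else 0, import_dir_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


def pe_header_facts(data: bytes) -> dict:
    """Return machine, PE32+ flag, raw and decoded TimeDateStamp, and whether an import directory exists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == PE32PLUS_MAGIC
    ndirs_off = opt + (108 if pe32plus else 92)      # NumberOfRvaAndSizes differs between formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    import_size = 0
    if ndirs > 1 and opt_size >= (ndirs_off - opt) + 4 + 2 * 8:   # header long enough to hold entry 1
        _, import_size = struct.unpack_from("<II", data, ndirs_off + 4 + 1 * 8)
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "timestamp_raw": ts,
        "timestamp_utc": datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts),
        "has_imports": import_size > 0,
    }


def timestamp_verdict(ts: int, now_epoch: int) -> str:
    """Classify a TimeDateStamp as 'zero', 'future' or 'plausible'. 'future' on a Microsoft
    binary is expected (reproducible builds store a hash here), so it is not an indicator alone."""
    if ts == 0:
        return "zero"
    if ts > now_epoch:
        return "future"
    return "plausible"


if __name__ == "__main__":
    facts = pe_header_facts(build_minimal_pe(REPORT_TIMESTAMP, 0))
    print(facts["timestamp_utc"], timestamp_verdict(REPORT_TIMESTAMP, REPORT_START_EPOCH), facts["has_imports"])
```

Decoding 0xB6DD46AC reproduces the report's "Mon Mar 21 17:41:00 2067 UTC", and a zero-size import directory reproduces "No import functions for PE file found". A production check would also look at the delay-load directory (entry 13) and, for .NET assemblies such as the 9728-byte PE32 in the dropped-files section, at the CLR header, since neither shows up as classic imports.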
MITRE ATT&CK Matrix

Only the techniques that carry a count had matching signatures; the count is the number of signatures mapped to that technique. The other cells of the original grid (Valid Accounts, OS Credential Dumping, LSASS Memory, Data Encrypted for Impact and so on) are the fixed matrix template and are not findings for this sample.

Tactic               | Technique                      | Signatures
Privilege Escalation | Process Injection              | 1
Defense Evasion      | Process Injection              | 1
Defense Evasion      | Masquerading                   | 1
Defense Evasion      | Timestomp                      | 1
Discovery            | System Information Discovery   | 12
Command and Control  | Encrypted Channel              | 2
Command and Control  | Non-Application Layer Protocol | 1
Command and Control  | Application Layer Protocol     | 2
Behavior graph (ID 1670411, URL http://6e07da23603fbe5b2675..., start date 21/04/2025, architecture WINDOWS, score 3). Content recoverable from the graph: two chrome.exe processes were started; one of them started msdt.exe and a further chrome.exe; msdt.exe dropped C:\Windows\Temp\...\DiagPackage.dll.mui (PE32), C:\Windows\...\NetworkDiagnosticSnapIn.dll (PE32) and C:\Windows\Temp\...\DiagPackage.dll (PE32+); the chrome.exe child resolved www.google.com (192.178.49.164, port 443 from local port 49731, GOOGLEUS, United States) and google.com; 192.168.2.4 (ports 443, 49731, 50575) is the analysis host.

Antivirus results

Source | Detection | Scanner | Label
http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417 | 0% | Avira URL Cloud | safe

Source | Detection | Scanner
C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\DiagPackage.dll | 0% | ReversingLabs
C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\NetworkDiagnosticSnapIn.dll | 0% | ReversingLabs
C:\Windows\Temp\SDIAG_ae037210-5751-4613-9a30-8624263d57a8\en-GB\DiagPackage.dll.mui | 0% | ReversingLabs

No Antivirus matches in the remaining categories.


Contacted domains (no antivirus detection listed for either)

Name           | IP             | Active | Malicious | Reputation
google.com     | 192.178.49.206 | true   | false     | high
www.google.com | 192.178.49.164 | true   | false     | high

Contacted public IPs

IP             | Domain         | Country       | ASN   | ASN Name | Malicious
192.178.49.164 | www.google.com | United States | 15169 | GOOGLEUS | false

Private IP: 192.168.2.4 (the analysis host)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1670411
Start date and time: 2025-04-21 17:51:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: browseurl.jbs
Sample URL: http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: UNKNOWN
Classification: unknown3.win@23/14@4/2
Cookbook Comments:
• URL browsing timeout or error
• URL not reachable
• Processes excluded from analysis (whitelisted): sdiagnhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
• IPs excluded from analysis (whitelisted): 192.178.49.206, 192.178.49.195, 142.251.2.84, 192.178.49.174, 184.29.183.29, 4.245.163.56
• Domains excluded from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• VT rate limit hit for: http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
      No simulations
      No context
Dropped files (file names are not present in the extracted report; each record is identified by its hashes)

      Process:C:\Windows\System32\msdt.exe
      File Type:XML 1.0 document, ASCII text, with very long lines (317), with CRLF line terminators (the troubleshooter's package manifest: ID NetworkDiagnostics, version 4.0, RequiresElevation false; see the preview)
      Category:dropped
      Size (bytes):167016
      Entropy (8bit):4.413051981071322
      Encrypted:false
      SSDEEP:384:X+BeLgtgFgQg7rgZgp3vFD2smEtttbkcL5Of8hj1fVh1f8hWqEfVhnq2fVhMfxhd:XLgtgFgQg7rgZgplP/s
      MD5:0606098A37089BDC9D644DEE1CC1CD78
      SHA1:CADAE9623A27BD22771BAB9D26B97226E8F2318B
      SHA-256:284A7A8525B1777BDBC194FA38D28CD9EE91C2CBC7856F5968E79667C6B62A9D
      SHA-512:0711E2FEF9FDE17B87F3F6AF1442BD46B4C86BB61C8519548B89C7A61DFCF734196DDF2D90E586D486A3B33F672A99379E8205C240BD4BCB23625FFB22936443
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="utf-8"?><dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007" xmlns:wdem="http://diagnostics.microsoft.com/2007/08/WindowsDiagnosticExtendedMetadata">.. <DiagnosticIdentification>.. <ID>NetworkDiagnostics</ID>.. <Version>4.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>http://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>1.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteracti

      Process:C:\Windows\System32\msdt.exe
      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
      Category:dropped
      Size (bytes):489984
      Entropy (8bit):7.291387835559217
      Encrypted:false
      SSDEEP:6144:LZC0lEOC2Us6eEyAc0jbJYOjlCLHUZQsxjuaJ7oSEvcdfSc0jbJYOjlCLHUZQ:LZFLUe6vJ/wLIvavyfEvJ/wLI
      MD5:EF3F72E162CFA6C082007672655CAE8A
      SHA1:F6BE37340CDED395EF7C3DAB103DE4E061B05806
      SHA-256:5A04D9F78BEF844FEE2FEC65610E12DB59CEFAA63544F3045401597AAE753B3C
      SHA-512:B63D884525CC747D4DEB1335BF31A27248DD612BE9D8A1F6CA7C5F5A795964AC3B8868994CDE1EC5CD0F4C537E00EC56FB45D5250F3BEC1BFA13EE4AA1F9C52C
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....F..........." .........x....................................................../.....`A......................................................... ...u..............................T............................................................................rdata..............................@..@.rsrc....u... ...v..................@..@.....F.........T...T...T........F.........$................F.............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01.....0...e...rsrc$02.... ....,.J..o...m.W{F..,.0H...m.S..F.............................................................................................................................................................................................................................................................................................

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ISO-8859 text, with CRLF line terminators (libmagic guess; the preview shows a PowerShell resolver script from the network diagnostics package)
      Category:dropped
      Size (bytes):951
      Entropy (8bit):5.0857751193503695
      Encrypted:false
      SSDEEP:24:Qb3DQ7NOepjIAflbfjbgTRmW26S1pGCXGiVd/ZF2GRaesBFw:mDzepZtjBtRRbCUae2q
      MD5:C25ED2111C6EE9299E6D9BF51012F2F5
      SHA1:2DEFBB5A2758AF744E3DD8AF3A4AA153A28E4713
      SHA-256:8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B
      SHA-512:AAC97463868162FE042748A279C38F6FB569E971E0CC0339D1A8969A7F5633EF7377B6F7DCFAE94BDD2BF96BBFF454B607EE8D7573E1C3C9569269FE82671D9E
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RepairName, $RepairText, $HelpTopicLink, $HelpTopicLinkText, $FailResolution)..#Non NDF Help Topic Resolution (defined non-manual so we don't need to prompt the user to see the repair)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#the strings come in as raw resource strings, load the actual strings..$repairNameStr = LoadResourceString $RepairName;..$repairTextStr = LoadResourceString $RepairText;..$helpTopicLinkTextStr = LoadResourceString $HelpTopicLinkText....#display the help topic interaction..Get-DiagInput -ID "IT_HelpTopicRepair" -Parameter @{"IT_P_Name"=$repairNameStr; "IT_P_Description"=$repairTextStr; "IT_P_HelpTopicText" = $helpTopicLinkTextStr; "IT_P_HelpTopicLink" = $HelpTopicLink;}....if($FailResolution -eq "TRUE")..{.. throw "Issue not resolved."..}..

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ISO-8859 text, with CRLF line terminators (libmagic guess; the preview shows a PowerShell resolver script from the network diagnostics package)
      Category:dropped
      Size (bytes):770
      Entropy (8bit):5.043368661106705
      Encrypted:false
      SSDEEP:24:Qb3DQ7NcIKGlbfjbgTRmW26S1pGK/KrGFxw:mDl4jBtPKH
      MD5:25B8543DBF571F040118423BC3C7A75E
      SHA1:49044724698E6964DC93ACF5BEE2A77B8EAD4133
      SHA-256:D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A
      SHA-512:EC991FF552C1012209940CDCB081D64876B7989C56F07739B392DAAE9BCABA883B45AA90D50BEF31F276A9CD8492EE2B9DB700CD5E20E7B17BA43D98EC394DF5
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RepairName, $RepairText, $FailResolution)..#Non NDF Informational Resolution (defined non-manual so we don't need to prompt the user to see the repair)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#the strings come in as raw resource strings, load the actual strings..$repairNameStr = LoadResourceString $RepairName;..$repairTextStr = LoadResourceString $RepairText;....#display the help topic interaction..Get-DiagInput -ID "IT_InfoOnlyRepair" -Parameter @{"IT_P_Name"=$repairNameStr; "IT_P_Description"=$repairTextStr; }....if($FailResolution -eq "TRUE")..{.. throw "Issue not resolved."..}..

      Process:C:\Windows\System32\msdt.exe
      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):9728
      Entropy (8bit):5.0031830583187595
      Encrypted:false
      SSDEEP:192:dXcso4xinzRCxtd3wz5AstHq9Y2f0mWjeLNW:dXckCMPGz9ZYWC5W
      MD5:502A165A5058F93FA7F84A9FB52887CD
      SHA1:43C723564649244A9FB28EDFEC83F0330420CEB1
      SHA-256:818DD25A449FEB9D30A108550940D3729FF1C83A8957049AA5E5EE56C89573DB
      SHA-512:A3B2B5A5D75DBBA17348FBECE170FB94E1406789724CC35FBDE36CAC55C58310F08E580E3FE5E9D7F306DE4FD579B69704CBD5B43D048CDA0B24CEED37770163
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>!............" ..0..............:... ...@....... ..............................D.....`..................................:..O....@..@....................`.......9..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`.......$..............@..B.................:......H........"..|...................P9.......................................r...p*.r3..p*.rG..p*..(....*..(....*....0..,..........@......(....&.s......@......(....&.o....*..(....*V.(......(......(....*..{-...*"..}-...*..{....*"..}....*.0..........~.......~.....~.....s...... ..........(........,...s....z.....(........,...s....z..6M.....+;......(....(...............o........(....(....jX(.......X.....7..(.....(....&..*.0..F........o.....+ ..(......o.....{.....(....-.......(....-...

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ISO-8859 text, with CRLF line terminators (libmagic guess; the preview shows a PowerShell repair script from the network diagnostics package)
      Category:dropped
      Size (bytes):12213
      Entropy (8bit):4.649249749706581
      Encrypted:false
      SSDEEP:192:eLXYPXsa+OjfI9HIufxAey+3OG78/ce+eT5WjifrM+BK:VPXaifqdfxAey+ecmAu7k
      MD5:D213491A2D74B38A9535D616B9161217
      SHA1:BDE94742D1E769638E2DE84DFB099F797ADCC217
      SHA-256:4662C3C94E0340A243C2A39CA8A88FD9F65C74FB197644A11D4FFCAE6B191211
      SHA-512:5FD8B91B27935711495934E5D7CA14F9DD72BC40A38072595879EF334A47F99E0608087DDC62668C6F783938D9F22A3688C5CDEF3A9AD6C3575F3CFA5A3B0104
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($InstanceID, $RepairID, $RepairID1)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....<# function Pop-Msg {... param([string]$msg ="message",... [string]$ttl = "Title",... [int]$type = 64) ... $popwin = new-object -comobject wscript.shell... $null = $popwin.popup($msg,0,$ttl,$type)... remove-variable popwin..} #>......$script:ExpectingException = $false..$selectedRepair = $null..#pop-msg $InstanceID..#list of repairs to execute..if($InstanceID -eq $null)..{.. throw "No InstanceID specified"..}..else..{.. # if we re-ran diagnostics after validation failure and found the same issues we'll get the repair call to the original session.. # in these cases, we should use the new session instead to avoid unexpected behavior.. if($Global:ndfRerun -ne $null).. {.. "Replacing original incident " + $Global:ndf.I

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ASCII text, with CRLF line terminators (libmagic guess; the preview shows the package's PowerShell troubleshooter script, which initialises the NDF session)
      Category:dropped
      Size (bytes):25783
      Entropy (8bit):4.500605198321576
      Encrypted:false
      SSDEEP:384:blSoNnCiXTShob5bdVTz6rZTvxlBNexTKmh+xdxBUNQGJ:xSoTh8Jq
      MD5:2857343E8845EADB9B60CA0727CBDCB7
      SHA1:82A5533B3739504C72F9DCE7D353845B35037DEE
      SHA-256:06D927AE1DB217378EA77146FDCCA66D1F1F6D90780B734B8748D1052FBD8B86
      SHA-512:56B09BFBFF32B43DDD8E4636A485AF111B6DBFA2B7181299A22A3D007CF87DF0B09433100DC693C81C4F746A40F42FC51C75436511BE26270B8D84F7AC8EAD7D
      Malicious:false
      Reputation:low
      Preview:# Copyright (C) Microsoft Corporation. All rights reserved.....#include utility functions and localization data... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#set the environment constants...\UtilitySetConstants....Write-DiagProgress -activity $localizationString.progress_Diagnosing_Initializing......#reset the global NDF object..$Global:ndf = $null..$Global:previousNdf = $null....#initialize script level variables (script scope used to avoid odd powershell scope handling)..$script:ExpectingException = $false..$script:incidentID = $null..$Global:incidentData = $null #need to access this during verification as well..$script:skipRerun = $false..$script:attachTraceFile = $false..$script:isRerun = $false....#first check whether we're either elevated or a re-run scenario..&{.. $prevIncidentID = 0.. $prevFlags = 0.... $script:ExpectingException = $true.. #marked as no-ui. throws exception if not available.. $S

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ISO-8859 text, with very long lines (307), with CRLF line terminators (libmagic guess; the preview shows a PowerShell verification script from the network diagnostics package)
      Category:dropped
      Size (bytes):11079
      Entropy (8bit):4.751587059666952
      Encrypted:false
      SSDEEP:192:YORm9mJWriv3iriv3oyriv3vgriv3qB3b8FnHayrBJckzrSartt0qF+rSG/rSurT:YORm9mJDv33v3oHv3lv3qB3b8FnHrrBA
      MD5:9B222D8EC4B20860F10EBF303035B984
      SHA1:B30EEA35C2516AFCAB2C49EF6531AF94EFAF7E1A
      SHA-256:A32E13DA40AC4B9E1DAC7DD28BC1D25E2F2136B61FF93BE943018B20796F15BC
      SHA-512:8331337CCB6E3137B01AEEC03E6921FD3B9E56C44FA1B17545AE5C7BFCDD39FCD8A90192884B3A82F56659009E24B63CE7F500E8766FD01E8D4E60A52DE0FE67
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($RootCauseID, $instanceID)....#include utility functions... .\UtilityFunctions.ps1..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....#execute validation only once, and don't execute if repair skipped..$validationCalled = $false..if($Global:ValidateResult -eq $null -and ($Global:RepairSkipped -eq $false))..{.. $waitHandle = $Global:ndf.Validate($ValidateWaitTime);.. if($waitHandle -eq $null).. {.. throw "Validate call failed".. }.... WaitWithProgress $localizationString.progress_Vaildating_NoDetails $waitHandle $Global:ndf.. $Global:ValidateResult = $Global:ndf.ValidateResult.... #add the trace log to the session.. AddTraceFileToSession $Global:ndf $localizationString.TraceFileReportName "Verify".... $validationCalled = $true..}..else..{.. if(!$Global:ValidateResult -eq $null).. {.. "ID:" + $RootCauseID + " InstanceId:" + $instanc

      Process:C:\Windows\System32\msdt.exe
      File Type:C source, ISO-8859 text, with CRLF line terminators (libmagic guess; the preview shows a PowerShell repair script that sets the DPS service to automatic and starts it)
      Category:dropped
      Size (bytes):567
      Entropy (8bit):4.837302167759307
      Encrypted:false
      SSDEEP:12:QcM3BFN+7bxAPe/LACrfgjvj5s8x8i9OoXdEgnc8x8i9OoXdQIx:Qb3DQ7FMejjbgTNhii9dXDxii9dXOe
      MD5:A660422059D953C6D681B53A6977100E
      SHA1:0C95DD05514D062354C0EECC9AE8D437123305BB
      SHA-256:D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813
      SHA-512:26F8CF9AC95FF649ECC2ED349BC6C7C3A04B188594D5C3289AF8F2768AB59672BC95FFEFCC83ED3FFA44EDD0AFEB16A4C2490E633A89FCE7965843674D94B523
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....PARAM($SetAuto)....#include localization data..Import-LocalizedData -BindingVariable localizationString -FileName LocalizationData....if($SetAuto)..{.. #make DPS automatic.. Write-DiagProgress -activity $localizationString.progress_Repairing -status $localizationString.repair_SetAutoDPS.. set-service dps -StartupType Automatic..}....#start the DPS service..Write-DiagProgress -activity $localizationString.progress_Repairing -status $localizationString.repair_StartDPS..start-service dps..

      Process:C:\Windows\System32\msdt.exe
      File Type:ISO-8859 text, with CRLF line terminators (the preview shows the package's PowerShell utility functions, including the Import-Module call that loads the snap-in DLL from the staging directory)
      Category:dropped
      Size (bytes):54687
      Entropy (8bit):4.91902609892868
      Encrypted:false
      SSDEEP:768:AaDgc60FE2UMeV6HQEqEVBWMBaRNdKdNh5BIW6Mk7svkxtFJuAQQW:j0a4bKcW6MkcSuj
      MD5:C912FAA190464CE7DEC867464C35A8DC
      SHA1:D1C6482DAD37720DB6BDC594C4757914D1B1DD70
      SHA-256:3891846307AA9E83BCA66B13198455AF72AF45BF721A2FBD41840D47E2A91201
      SHA-512:5C34352D36459FD8FCDA5B459A2E48601A033AF31D802A90ED82C443A5A346B9480880D30C64DB7AD0E4A8C35B98C98F69ECEEDAD72F2A70D9C6CCA74DCE826A
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....function GetRuntimePath([string]$fileName = $(throw "No file name is specified"))..{.. if([string]::IsNullorEmpty($fileName)).. {.. throw "Invalid file name".. }.... [string]$runtimePath = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory().. return Join-Path $runtimePath $fileName..}....function RegSnapin([string]$dllName = $(throw "No dll is specified"))..{.. $dllPath = ".\" + $dllName.. Import-Module $dllPath..}....function UnregSnapin([string]$dllName = $(throw "No dll is specified"))..{ .. $moduleName = $dllName.TrimEnd(".dll").. Remove-Module $moduleName..}....function GetExistingNDFInstance($IncidentID)..{.. &{.. #if fails we start a new session.. $script:ExpectingException = $true.. $ndf = new-object -comObject ndfapi.NetworkDiagnostics.1 -strict.. $ndf.OpenExistingIncident($IncidentID); #throws exception if fails..
      Process:C:\Windows\System32\msdt.exe
      File Type:ISO-8859 text, with CRLF line terminators
      Category:dropped
      Size (bytes):3011
      Entropy (8bit):5.393839415081681
      Encrypted:false
      SSDEEP:48:mDqbURueqlXC2ay3g+rAgeNTFNe5L9tkYnNn2E8/UBUyuzoth1GlB:mD+UR6XC2az4MjY5L9VnNnIUBUyuzoti
      MD5:0C75AE5E75C3E181D13768909C8240BA
      SHA1:288403FC4BEDAACEBCCF4F74D3073F082EF70EB9
      SHA-256:DE5C231C645D3AE1E13694284997721509F5DE64EE5C96C966CDFDA9E294DB3F
      SHA-512:8FC944515F41A837C61A6C4E5181CA273607A89E48FBF86CF8EB8DB837AED095AA04FC3043029C3B5CB3710D59ABFD86F086AC198200F634BFB1A5DD0823406B
      Malicious:false
      Reputation:low
      Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.....function DefineConstant($curVal, $name, $value)..{.. if($curVal -eq $null).. {.. set-variable -name $name -value $value -option constant -scope Global.. }..}....DefineConstant $DiagnoseWaitTime "DiagnoseWaitTime" 90000..DefineConstant $RepairWaitTime "RepairWaitTime" 90000..DefineConstant $ValidateWaitTime "ValidateWaitTime" 90000..DefineConstant $ProgressUpdateDelay "ProgressUpdateDelay" 1000..DefineConstant $WinBuiltinAdministratorsSid "WinBuiltinAdministratorsSid" 26..DefineConstant $WinBuiltinNetworkConfigurationOperatorsSid "WinBuiltinNetworkConfigurationOperatorsSid" 37..DefineConstant $WinLocalLogonSid "WinLocalLogonSid" 80..DefineConstant $GuidLength "GuidLength" 38..DefineConstant $DefaultDiagURL "DefaultDiagURL" ""..DefineConstant $S_OK "S_OK" 0..DefineConstant $S_FALSE "S_FALSE" 1..DefineConstant $RF_USER_ACTION "RF_USER_ACTION" 0x10000000..DefineConstant $RF_INFORMATION_ONLY "RF_INFORMATION_O
      Process:C:\Windows\System32\msdt.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):17408
      Entropy (8bit):3.463167967348922
      Encrypted:false
      SSDEEP:96:40OJmd+VoozojEIjPe/dQTVOd5hvhHyHMVqz+4MEvTLGlyQzwv7KCbVeog3+yt41:40njnexdUMR4wgK+gWlTWy
      MD5:42924954580FC0B97147D18CBD9064A2
      SHA1:E02B93D36214FB4A98AA9B4711920541C78D5B26
      SHA-256:B03FC44FCB28F039F94AC63B44617E04071D1DC5A5CD15E187AA806A085EF31A
      SHA-512:0B2737EE5C21538B120FD975850E7899F7F1B8B7FEC49B5E9F807EBFAE62DA3EB333CDBDB65912BACA43B39D63AFBE1258C8C54CC7E8A313D108339778585B73
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L..................!.........B...............................................`......W.....@.......................................... ...?..............................8............................................................................rdata..............................@..@.rsrc....@... ...@..................@..@.....\0.........T...8...8........\0.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%...:...rsrc$02.... ....8D].m........2.2....j@e..\0.........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msdt.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):5378
      Entropy (8bit):3.527173963273437
      Encrypted:false
      SSDEEP:96:i30smw/9nwbgDwlwn0iYveuQzRYkwj0pD+EijvxFvXG5B9c1rO4L:i30sZYlGe3vGfw
      MD5:B2780BE67C909635DAEC96B9C909EC54
      SHA1:F4A8562D46548CBF091EB5230D2A6A3C5859BA3E
      SHA-256:0E7173882297619CE2097133B9D5C69D69B29997C39A5CBC4A88247C580642C5
      SHA-512:8576D3313963A814870995FDE92F739A786ED7F93578F190DE07308E1DD66A8F511D4E06733298A250AAF48B64404DE4F99B03079B97FC33CDC3C798EAD0AFD0
      Malicious:false
      Reputation:low
      Preview:..#. .L.o.c.a.l.i.z.e.d...1.2./.0.7./.2.0.1.9. .1.1.:.5.3. .A.M. .(.G.M.T.)...3.0.3.:.6...4.0...2.0.5.2.0. ...L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.........#.#.#.P.S.L.O.C.........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.N.o.D.e.t.a.i.l.s.=.L.o.o.k.i.n.g. .f.o.r. .p.r.o.b.l.e.m.s...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.S.a.f.e.M.o.d.e.=.V.e.r.i.f.y.i.n.g. .b.o.o.t. .m.o.d.e...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.D.P.S.=.V.e.r.i.f.y.i.n.g. .t.h.a.t. .t.h.e. .n.e.t.w.o.r.k. .d.i.a.g.n.o.s.t.i.c.s. .s.e.r.v.i.c.e. .i.s. .r.u.n.n.i.n.g...........p.r.o.g.r.e.s.s._.D.i.a.g.n.o.s.i.n.g._.I.n.i.t.i.a.l.i.z.i.n.g.=.S.t.a.r.t.i.n.g. .n.e.t.w.o.r.k. .d.i.a.g.n.o.s.t.i.c.s...........p.r.o.g.r.e.s.s._.R.e.p.a.i.r.i.n.g.=.E.x.e.c.u.t.i.n.g. .R.e.p.a.i.r...........p.r.o.g.r.e.s.s._.V.a.i.l.d.a.t.i.n.g._.N.o.D.e.t.a.i.l.s.=.V.e.r.i.f.y.i.n.g. .t.h.a.t. .t.h.e. .p.r.o.b.l.e.m. .i.s. .r.e.s.o.l.v.e.d...........p.r.o.g.r.e.s.s.
      Process:C:\Windows\System32\msdt.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):48956
      Entropy (8bit):5.103589775370961
      Encrypted:false
      SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
      MD5:310E1DA2344BA6CA96666FB639840EA9
      SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
      SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
      SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
      No static file info


      • Total Packets: 21
      • 443 (HTTPS)
      • 80 (HTTP)
      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2025 17:52:08.414371014 CEST | 49681 | 80 | 192.168.2.4 | 2.17.190.73
Apr 21, 2025 17:52:10.242508888 CEST | 49680 | 443 | 192.168.2.4 | 204.79.197.222
Apr 21, 2025 17:52:15.621654987 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:15.961230993 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:16.665936947 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:17.905675888 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:18.023715973 CEST | 49681 | 80 | 192.168.2.4 | 2.17.190.73
Apr 21, 2025 17:52:19.846237898 CEST | 49680 | 443 | 192.168.2.4 | 204.79.197.222
Apr 21, 2025 17:52:20.424772978 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:21.185610056 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:21.185662031 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:21.185758114 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:21.186012983 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:21.186028004 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:21.508464098 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:21.508544922 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:21.509910107 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:21.509922028 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:21.510163069 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:21.554522991 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:24.290152073 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:24.601996899 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:25.211404085 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:25.227035046 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 21, 2025 17:52:26.413923979 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:28.820405960 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:31.488523006 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:31.488579988 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:31.488786936 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:32.073244095 CEST | 49731 | 443 | 192.168.2.4 | 192.178.49.164
Apr 21, 2025 17:52:32.073287964 CEST | 443 | 49731 | 192.178.49.164 | 192.168.2.4
Apr 21, 2025 17:52:33.633321047 CEST | 49678 | 443 | 192.168.2.4 | 20.189.173.27
Apr 21, 2025 17:52:34.836548090 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2025 17:52:17.104454041 CEST | 53 | 55093 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:17.171650887 CEST | 53 | 56866 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:18.316576958 CEST | 53 | 53778 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:21.040462971 CEST | 65415 | 53 | 192.168.2.4 | 1.1.1.1
Apr 21, 2025 17:52:21.040783882 CEST | 54540 | 53 | 192.168.2.4 | 1.1.1.1
Apr 21, 2025 17:52:21.183851004 CEST | 53 | 65415 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:21.183872938 CEST | 53 | 54540 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:22.330720901 CEST | 50575 | 53 | 192.168.2.4 | 8.8.8.8
Apr 21, 2025 17:52:22.330990076 CEST | 50874 | 53 | 192.168.2.4 | 1.1.1.1
Apr 21, 2025 17:52:22.472920895 CEST | 53 | 50874 | 1.1.1.1 | 192.168.2.4
Apr 21, 2025 17:52:22.488168001 CEST | 53 | 50575 | 8.8.8.8 | 192.168.2.4
Apr 21, 2025 17:52:35.385199070 CEST | 53 | 58175 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 21, 2025 17:52:21.040462971 CEST | 192.168.2.4 | 1.1.1.1 | 0x5dd7 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Apr 21, 2025 17:52:21.040783882 CEST | 192.168.2.4 | 1.1.1.1 | 0x146e | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Apr 21, 2025 17:52:22.330720901 CEST | 192.168.2.4 | 8.8.8.8 | 0xf240 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Apr 21, 2025 17:52:22.330990076 CEST | 192.168.2.4 | 1.1.1.1 | 0x6c29 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 21, 2025 17:52:21.183851004 CEST | 1.1.1.1 | 192.168.2.4 | 0x5dd7 | No error (0) | www.google.com | | 192.178.49.164 | A (IP address) | IN (0x0001) | false
Apr 21, 2025 17:52:21.183872938 CEST | 1.1.1.1 | 192.168.2.4 | 0x146e | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Apr 21, 2025 17:52:22.472920895 CEST | 1.1.1.1 | 192.168.2.4 | 0x6c29 | No error (0) | google.com | | 192.178.49.206 | A (IP address) | IN (0x0001) | false
Apr 21, 2025 17:52:22.488168001 CEST | 8.8.8.8 | 192.168.2.4 | 0xf240 | No error (0) | google.com | | 142.250.217.142 | A (IP address) | IN (0x0001) | false

      Target ID:1
      Start time:11:52:11
      Start date:21/04/2025
      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
      Imagebase:0x7ff786830000
      File size:3'388'000 bytes
      MD5 hash:E81F54E6C1129887AEA47E7D092680BF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Target ID:2
      Start time:11:52:14
      Start date:21/04/2025
      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2328,i,6134061799270259057,10941547348514285084,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2320 /prefetch:3
      Imagebase:0x7ff786830000
      File size:3'388'000 bytes
      MD5 hash:E81F54E6C1129887AEA47E7D092680BF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Target ID:4
      Start time:11:52:20
      Start date:21/04/2025
      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417"
      Imagebase:0x7ff786830000
      File size:3'388'000 bytes
      MD5 hash:E81F54E6C1129887AEA47E7D092680BF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:12
      Start time:11:52:29
      Start date:21/04/2025
      Path:C:\Windows\System32\msdt.exe
      Wow64 process (32bit):false
      Commandline: -modal "66320" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\user\AppData\Local\Temp\NDF611.tmp" -ep "NetworkDiagnosticsWeb"
      Imagebase:0x7ff6ca680000
      File size:499'200 bytes
      MD5 hash:3AE6BFDF0257B303EDD695DA183C8462
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      No disassembly