hxxps://discord[.]com/vanityurl/dotcom/steakpants/flour/flower/index11[.]html

Resubmissions

16/06/2024, 15:33

240616-szcqtaydqg 6

16/06/2024, 15:27

240616-svs71aycpc 6

Analysis

max time kernel
71s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/vanityurl/dotcom/steakpants/flour/flower/index11.html

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
24	discord.com
30	discord.com
31	discord.com
32	discord.com
4	discord.com
17	discord.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\NDF\{B03A62B5-B9F0-461D-B181-9E3418BF2F01}-temp-06162024-1528.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{B03A62B5-B9F0-461D-B181-9E3418BF2F01}-temp-06162024-1528.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3316	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
3144	msedge.exe
3144	msedge.exe
3248	identity_helper.exe
3248	identity_helper.exe
5916	sdiagnhost.exe
5916	sdiagnhost.exe
436	svchost.exe
436	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5916	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3708	msdt.exe
3708	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4664	3144	msedge.exe	83
PID 3144 wrote to memory of 4664	3144	msedge.exe	83
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 3700	3144	msedge.exe	84
PID 3144 wrote to memory of 2308	3144	msedge.exe	85
PID 3144 wrote to memory of 2308	3144	msedge.exe	85
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86
PID 3144 wrote to memory of 4216	3144	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/vanityurl/dotcom/steakpants/flour/flower/index11.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb7d346f8,0x7ffdb7d34708,0x7ffdb7d34718
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:5080
- C:\Windows\system32\msdt.exe
  -modal "328148" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF90C6.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7263056668064235045,12558751341091334326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5916
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:6084
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5224
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:3316
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:1716
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:5124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1252
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:6108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\NetworkDiagnostics.debugreport.xml

Filesize
210KB

MD5
7c3b184dbc59e21fa938e3535149d360

SHA1
d09d95314171bcad26eb46d46ac4eee505d04371

SHA256
a50c65277b4343db9593d3ae272424b536a0a307f495ad2b67ae394e60f76eeb

SHA512
8274d5185bec9c4acf11d0ec661da48994f74f43ae9257ec106bce23567d2f1a4e8cfd04a4828f001aca6792a5fa0958b806815031dcc70ae8af6b5c55b01d67

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\ResultReport.xml

Filesize
38KB

MD5
9774cecb12a88a4245bee5ab0fccc444

SHA1
f18a6b3144f22d4349010f10382377b264eae3b2

SHA256
4e24662cfe412f94ae0df20eecf015d009bf3cce6716586cccda84c96b7065f0

SHA512
cc4ae2e793136f2c49b676cf8353ca178334aa393ae9291dae78ac146284d5e7bcf2085ee24d672fe2a5526f853980aa720f99bae6fc94f641925da5decf40cf

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35c04a1284125f8befbf735a7b866ea5

SHA1
7174a9c8f1f0cb5393b86ba55506740463f17e51

SHA256
9846c2ffbbfb0178d3c5eda1943bb8b28a276e321af0e783d6dbe9bb77eea5d6

SHA512
2f7f283dce60544a7eb3629204965f462721e95765b86018d311178a53d64284fc976582b85a9262bc9d4efec4e1687a2e343d362a495c06f0edd4afb4e086eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
139d26a5473aa144180ca4f460890e2a

SHA1
d7ac2dfbd58a1504933c2fc50298b45a88fe9448

SHA256
150e37097a4cb17901b1181bf3a6d9c4d47c90e637838320009201f6217d2f95

SHA512
7d27616c9fb79a81478767e7947d0a9be71ee8474275e9aa4379f9c8e5d1886d489eaedefeab64cf635ac904762aaa6e54d96a264c42fb02bb3ff999080a8402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b51850c93efd7db37e69c6273f868317

SHA1
cb9bc1c8b0888e54deb113e2022e9fe300474602

SHA256
d23b6d3bdc3dfd1333d13c5f6d9db9d19b8aeff3f1736017ae18aac2fb47a8d1

SHA512
8d9a39b22998c20965f97a4722474e3ffd8a729d42d313444c932ca94a53ec2b7bfd1a7be82eef3b07dbce647dde443ef91f5f36fa061d7cf6bde5d643ce5415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e41379802b2901917e52f1adbce9ff94

SHA1
bc9cd6d357258a447e84a9ce15883164e0654ccc

SHA256
2cf83a2b6ec414a19ba1adf881d41631e08796732d4c2c38bd4daa7f21ea278a

SHA512
86d482c463edaa4c90c50e85385e6190d1e825f99f4610aaccf29714dd0881a4141fde01535dea452af9c71bf695864707bb625d10ab6cb444fcdb226d6af31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2e0d8de4b277d97166c471dbe55d221f

SHA1
ef7798543356949f0e25333a13b999f364a254f5

SHA256
74df135447e71805a604daa6a129c56534b81b685b11c1fb31b0e3f6e70e47e4

SHA512
60fe25757ea12cdb37815d491d74d86e9116883e8963e02c65e0fc4a4d199a70e42906fb800cc213ee3e5089d2e762b1e223b4cba3a293c08d6a5c340ea8472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF90C6.tmp

Filesize
3KB

MD5
e456e3c5d5fb3bf06565bba9f0196bbe

SHA1
91e9a753d23dc14231a4cae119d4ec76f8d975d7

SHA256
8f6fea830f18c6f3957c5c926b51c5225ff65fc82e43d6cef63debc404b865df

SHA512
5e18bc6b641f580c68c9ebc40faa56c185dc7393eb4710d188f1a13a2896785a18f828bd102a8e3ee389b786649b8eed04e8c6c2e795b8674dc3a90be2cce70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wieuiige.kp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
ea63cad731f685710279b2a5e87c4785

SHA1
93774a58cc32a55b7418bf88a173d96dad6e56df

SHA256
6bbbe464c90ff88aa911d1767a52a5e96a8a9e9b191b82b8a3f174fc48844c6f

SHA512
311f19ffbc7c96cb11ab9e16277c566389d16794257fab37b9d31ddf41e780f5dd21d0abb6843ad853977c99bc9d492982034f6fbc3e420eb0edf5fa778392ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\ipconfig.all.txt

Filesize
1KB

MD5
4fa1e93470f47dc8c36f29344f3dcb5b

SHA1
c94014408efa8d1441f7bb3c424e684ae80bebcc

SHA256
cdd20b43a16acce927495db7a9b28a329e83b5ca149eda27bde6ff4038289d2e

SHA512
102276bb4f318747fbc196e0205a0c19308e2727028e2a7e4bbb873976aedf969fc26970bab156c58a4bc943f7d6d2adb6c311b1787567eba86d275803244246

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\route.print.txt

Filesize
4KB

MD5
6a7d581add8bef0072af08f117758123

SHA1
ff0c0804f196a7a8a4fd61e727dbdccf7b94a961

SHA256
d48327d87d0ba0c4bee763bfd93b7acb1656d198b1042ea0f1b7b349f4b6ae38

SHA512
80d296322f80bce5e902c8a1df3dca39ea45d6f59b823d7f850ece363ce29bc5584f1f688417361c25df2e09e65fac10b4fc55d66799ea5d6ddbd2d9813067ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\setup.inf

Filesize
978B

MD5
5c859406ff51d21b6ebb75d7d891c327

SHA1
2e650c14eb0e6b8d4b5e806d96008b2e26868a2d

SHA256
2f78e3530278e9ed32a1de1d2cc5386a0b03664e7af939837107658699e4b128

SHA512
07ab43add57fef9f369c91f2aa9f9bacdc2ca87e12846f072178cd29d2684ba8f471102c1360dbdfd0365f15214ca444b5cb546107e23d109b8ddb05d681942c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp\setup.rpt

Filesize
283B

MD5
319de687d3429c98f0012f82b6dc316e

SHA1
be467d5ce6b560bdb867c99c2eca77cf8f21f547

SHA256
edc2efb47f00aba1042ce57ada5d0ba1d2fc1cf9b09d9f7a01ed34a54bcb36c4

SHA512
17cec91b90ad6cd4a1c7ca44c987a8076d931daeec38895bbd37e9e7d746a96e1a003168df3999dee58857ec69838946271c8d2c172ae5a84bc7e3779574b275

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_11765fe8-5035-45a9-9497-a37278a080d8\result\B03A62B5-B9F0-461D-B181-9E3418BF2F01.Diagnose.Admin.0.etl

Filesize
192KB

MD5
0b9295689e65741c151337d3f9dedb9f

SHA1
a6163388d124252dfb6e5663ca8d918f5b541bb8

SHA256
2033b2b00cbfc7327656b58ef01116effc73deeaaf9c44caf51cb481becf7ecf

SHA512
a7733bb742ee13206b9551606ce647b15dc047b33a13f13c599a259dd09ba6b6fe4f33354164e02eeb6a7feaa477e8782808ec74a9301943ca0fd171a3eaedec

Download Submit
memory/436-467-0x0000019AA7D80000-0x0000019AA7D81000-memory.dmp

Filesize
4KB

Download
memory/436-459-0x0000019AA7180000-0x0000019AA7190000-memory.dmp

Filesize
64KB

Download
memory/436-463-0x0000019AA71C0000-0x0000019AA71D0000-memory.dmp

Filesize
64KB

Download
memory/5916-429-0x000001F1E6930000-0x000001F1E6952000-memory.dmp

Filesize
136KB

Download