hxxps://discord[.]com/vanityurl/dotcom/steakpants/flour/flower/index11[.]html

Resubmissions

16-06-2024 15:33

240616-szcqtaydqg 6

16-06-2024 15:27

240616-svs71aycpc 6

Analysis

max time kernel
136s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240508-fr
resource tags

arch:x64arch:x86image:win11-20240508-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
16-06-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/vanityurl/dotcom/steakpants/flour/flower/index11.html

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
25	discord.com
27	discord.com
29	discord.com
1	discord.com
15	discord.com
23	discord.com
24	discord.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\NDF\{CFB396A6-97FE-495E-8E28-2D3A32DCE03E}-temp-06162024-1535.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{ba78d54b-eee4-48dc-958c-7c4f98ff75b0}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1672260578-815027929-964132517-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{ba78d54b-eee4-48dc-958c-7c4f98ff75b0}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1672260578-815027929-964132517-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{CFB396A6-97FE-495E-8E28-2D3A32DCE03E}-temp-06162024-1535.etl	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3692	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2772	msedge.exe
2772	msedge.exe
4360	msedge.exe
4360	msedge.exe
2752	identity_helper.exe
2752	identity_helper.exe
4740	sdiagnhost.exe
1784	msedge.exe
1784	msedge.exe
3588	sdiagnhost.exe
3768	svchost.exe
3768	svchost.exe
3768	svchost.exe
3768	svchost.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	sdiagnhost.exe
Token: SeDebugPrivilege	3588	sdiagnhost.exe
Token: SeShutdownPrivilege	3768	svchost.exe
Token: SeCreatePagefilePrivilege	3768	svchost.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
860	msdt.exe
4896	msdt.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4896	msdt.exe
4896	msdt.exe
4896	msdt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4180	4360	msedge.exe	76
PID 4360 wrote to memory of 4180	4360	msedge.exe	76
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 3864	4360	msedge.exe	77
PID 4360 wrote to memory of 2772	4360	msedge.exe	78
PID 4360 wrote to memory of 2772	4360	msedge.exe	78
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79
PID 4360 wrote to memory of 4116	4360	msedge.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/vanityurl/dotcom/steakpants/flour/flower/index11.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcdf583cb8,0x7ffcdf583cc8,0x7ffcdf583cd8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Windows\system32\msdt.exe
  -modal "917552" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF9A9A.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Windows\system32\msdt.exe
  -modal "917552" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFCD15.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5036 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18254601266178808452,9344389258420703947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2228

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:2708

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:3492
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:1744
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:3692
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:4484
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:4632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1856
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:2892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1396

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c9678e39e0f54d24bfafae2d1502f17b /t 2704 /p 4896
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\NetworkDiagnostics.debugreport.xml

Filesize
69KB

MD5
d8e406deb18d6ca3761ea4ef76f9da11

SHA1
bd29fe918f27b3247ed57fb8b5a3d530347c3cc4

SHA256
3c66aec48fe3c24beabee84efa26c9ee4da1bf30f0bd652753ab9d8e65a5de64

SHA512
aa23a2cb2c17c76ef72bd7bb563a0b9cfdcd374e049857c50234ddddc5227d2ddef3fc42dcec103880c7837366922b799f2d731db649144b058121477b145b8d

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\ResultReport.xml

Filesize
36KB

MD5
dd41a3131adcef9af9a636d1bbe221f4

SHA1
b902e2722d3ef86a4799ece41ddde99db8f9318e

SHA256
5aa2d9ab79bcb2a5d447ac0a20ec1b7b8e52dd63069e111af8d552ee09fd6a36

SHA512
b1aab6fe254a5aa6573c88086ad45224e3d7c38fa3cf7dd14ed6208e49e87618ab7c66928e1e9c84d56716ced4d192d6a84b6b058e4aad6e2269ff22946de34c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.001\NetworkDiagnostics.debugreport.xml

Filesize
210KB

MD5
a614963037a192f4b6e908fb6fb374c7

SHA1
2549f92847778411183ed2ed8df71c72d2d3fb0b

SHA256
08a26dfd376a3912b0adbaf30761df5b3feff3dfa18f019797c413e7b77f12c7

SHA512
fbaa389225787706eff02e1db8a48677467a5fd4961bde7799726420d361e237ba75c5b83becf9c1551abbb2067feb11943846dab87ec88b7d5224c63df635f4

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061615.001\ResultReport.xml

Filesize
38KB

MD5
8b7bfaefedcc2551384f7a5cba1be9d6

SHA1
ad99f56aa0404ba0fa70d144d83ffb5086779c01

SHA256
653954bc44dfe7fd3fa72bf99f5761aa07e81d269f368989912d2f82cb6fe59a

SHA512
a130f34b5c8f20aa10f6675f14c220e2fabf5e77e02a6f038b039b6bcb60d7a7c211da3eb794a640d005affd5ff8c936bb34baa2e0f7fd77c6630c2f4a7d1a20

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\latest.cab

Filesize
15KB

MD5
57715e774bc91470e2f4ca2b6e84fb0b

SHA1
525ef5f83f7c506920e6a9bbb0c9ca484a6085a1

SHA256
0e05a14a11729eb381ddb93b2771c4c902179c8e3f650721b7dbf66dcc505a65

SHA512
934ed645e6e285b5f098762364641ccde21676440bb04ae84075c5de59dd57318a183ffbaebcb66f5ab23756ec6e05d465080eb74ac17818f8637eabc6a3b00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log

Filesize
6KB

MD5
3c2abc0d38e23d4eb3fef8399c429eaa

SHA1
c20b5de0aac3c5e270cc1ffe68a6e28bc9fe7a52

SHA256
ff760afa4c9ac7f1accc2366ee87216193a3c139a33ed0c28133f24845eaba72

SHA512
1904429adac111bea0bbf0e1004b2c22e98f6d6a10546123d95c2749c9241121a856f9753a5e7b21fc40a297563dea29666cda942758e91e1a34fd5244adf540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
68b77fa221fc500e891bedf05fbacb60

SHA1
1ac34fcaba822cda4a51482f1d94c4e754a60ec6

SHA256
18fd6af23c4968fa5e8165639758294bf104c8e6b9c4d9e28223f0e7c3890009

SHA512
f7c74f7df24bef07af98877bc284de792124472f543448dce9a3a1d608c46ad19cb342d0ef0679f3f8e59c4bc2619b2b7ff4c4612ce388823c8dbd9850083cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
84187db58480e0313f081f12cbaeb649

SHA1
a522f85cfa6fa1f9373c5f509d91dff6c0870143

SHA256
2c13e81b06938fea9540cbdc498bc8986087dd3bc73697189fd9cdc6cf6413bf

SHA512
a85359294bed8b0074660849d6f057c4ef6a8ffcf37e1400c2e61721ea185fcf3df70ad7ea820da544c3a02da425a3a14a41183b1e7c5835ff3f1884ef666189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8df060a439ccef18f36152daad69dbc6

SHA1
faf44159d87d86a095a786faff9278445049bf66

SHA256
c73dde3feb7e6dc8afd0a0139eb5399429c941772487d3d7fad2a80f0da8b788

SHA512
75db785b157f5629838f114965852e3f9eb5dbeb4edc591e3b4af82b03df914f0116cd76dc5ce4e4193168a5be1b6870f405ddb4f29f1d28e1ad677b7c5622f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7bda62e2585c2d0f6e2b7e047b04f1f2

SHA1
30b312ec6d695e5569f9ca365b605e08809b7c0a

SHA256
f798635e82840b0b400bbf0046a6b6d22a2b6697b967ec19bc9e0a14dfdf6355

SHA512
3418cb923283fb32080696241ffd12093170f342e6a44a516d2e44bc2f1d0efbb369987283ee3a7003bb9fc46fef11f3f6696e6dfd24bf022a39187179041132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1e699cc646f83022bcfde0b486c5d9cd

SHA1
fb4ee69d4577afa10e1a48e1603fe57327f806fd

SHA256
bc62edc2fd895a878e34711b5128ea97845196bb90d3c4b4015caee8b74f58e2

SHA512
e2df6e3c7509ad06955add3f00b3749bbf515f9997d3d7d6b505d3fc4833dc3832ac20dd2d79e2351cb052bb7017e8dee692598290f19ede6c8f8f4ec6ef04dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
70e6305e590e786ec4c982b289d292d7

SHA1
9b373a3b46e8bece370c077086033e07298a1a8e

SHA256
130de0db45e33b869c103a370393ff5e1339cffcf737f4bc11a1d0fe7b8700c1

SHA512
8a246eb6f843b07c43d2058bcd59aaa34bd3a7d634527c24dd65b6033c92f656152e14599365bb25ff3b372bc3c9924c8462015213fbe16c98369b19b8188ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
34079af52726bc7139d8be1295863753

SHA1
4b06096f56fb8ff8f8a6812849e624f8cd2cdd0a

SHA256
0b95f6baf9de4f6f0487147aaf55cd15973f10281b630a3af90b838117777f65

SHA512
7e24d09f8727b0e567805a84313a026e9115fabfa564da43b405db42e0f471569541d8365f4b471f72454f2b896c9282e68e38fb7b2f834a9b45ef84e0d1a5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-06162024-1535.etl

Filesize
192KB

MD5
ad3ad33df6d3f214bc5dcdd1e75eb96f

SHA1
e33bcfd819fa7d493e23b0ab86d98f15d396a7de

SHA256
830acdfd41a4a8c058b9ddccdc003df90fb0742cca7e81cb4e4492c36240c490

SHA512
3125735a24f48729ff13544d88bc0016a72c3e6bf232942ab36a281789cea9e11897fd6bf0fb36e67d21be85c5e52d51562976e29fddfc6f8d116408d54c3f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF9A9A.tmp

Filesize
3KB

MD5
e456e3c5d5fb3bf06565bba9f0196bbe

SHA1
91e9a753d23dc14231a4cae119d4ec76f8d975d7

SHA256
8f6fea830f18c6f3957c5c926b51c5225ff65fc82e43d6cef63debc404b865df

SHA512
5e18bc6b641f580c68c9ebc40faa56c185dc7393eb4710d188f1a13a2896785a18f828bd102a8e3ee389b786649b8eed04e8c6c2e795b8674dc3a90be2cce70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzbwziuk.jmw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
d4b91909a6e3ac1b1d707f50f9dc8f3f

SHA1
63bb35093ab5a45fbdc76011254e9ef6f0ae5f57

SHA256
f36e5bd5cb5d8e956e9731fdf313c63c7b15ddae9fbb03c2e3b7daafb301bc95

SHA512
6bafe73e1f7a0116006d1cf2d2e4ac7ff821f4c2e01220bf3ced6674464c2df33449e4879fc9db26cb5e617cb4257b899a6bc78c2e46885b983322af2e18c55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\ipconfig.all.txt

Filesize
1KB

MD5
1b542e8a90b4b23b7bcdbe55a4fe829f

SHA1
bc8573584bbd7c5cb921b51fc6ec9e7941adf624

SHA256
31a9c91e60f3e6678e5eaf270d9fd7f74f115035329e954261c12e334caaf867

SHA512
792956ea258cf98060af2aeddf6a832c0db813b89025c728706fc87396e452bdc1a4f53fe828507cc8b59f68c02d247121d5cec66b3c0743e8253b56fee6c9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\route.print.txt

Filesize
4KB

MD5
4756d6e5d1eadb1471a4ac01e279bb17

SHA1
3018cab42cd59eb93f0c65aeb43891f7a53b86fe

SHA256
0b0e64c0a22359be9060cc7dbd5eb6203d15c1ae5964241ae8664a902d931ea9

SHA512
c63ff6bca6eb529bc27e25d0a7bc3fb81b8ba897169f56d9b7cfa6c1c6f808e3fd2e1f776e416aa231d302580f558bd806ef4514c3b921962dede047c8229370

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\setup.inf

Filesize
978B

MD5
4e0d9a6dc38fe605ace5e44a8272f0ab

SHA1
3636190045af0b353360fecefcd6453aa03818d8

SHA256
cd391ca6048ab3d56b893c394f8a79239e58ea4675510372f0a2938c288588d6

SHA512
a4d7a134a080c61ce4f75d168f8bf0e866789be54d68c62657bb1776f9b86d30a95496d4d5053084d2cb95b748c89196450c919ea9017c3727cd1872f88164a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B82.tmp\setup.rpt

Filesize
283B

MD5
e4b53a3db7c7806191a15502b066e614

SHA1
be07d462b08715178e96bdc08610d290ca689bec

SHA256
ce5bb2a315d41b06cce60e659d83164f67c6904553e729903c936971b50f301a

SHA512
b68c3918ced73eaa0f754fb91216aa9b1324e0b342e39af8255a57af7eae2e6dc267a4e815a64afb1d16a1f244b027c6c833f8105ad8ab2cb2154ad06cd63093

Download Submit
C:\Windows\TEMP\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91f545459be2ff513b8d98c7831b8e54

SHA1
499e4aa76fc21540796c75ba5a6a47980ff1bc21

SHA256
1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff

SHA512
469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911

Download Submit
C:\Windows\TEMP\SDIAG_756e0819-7598-49ab-b585-a39321938fe8\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_756e0819-7598-49ab-b585-a39321938fe8\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_756e0819-7598-49ab-b585-a39321938fe8\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\Temp\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_35aabbd0-64b0-4776-b019-16563ea54a73\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_756e0819-7598-49ab-b585-a39321938fe8\DiagPackage.diagpkg

Filesize
163KB

MD5
0606098a37089bdc9d644dee1cc1cd78

SHA1
cadae9623a27bd22771bab9d26b97226e8f2318b

SHA256
284a7a8525b1777bdbc194fa38d28cd9ee91c2cbc7856f5968e79667c6b62a9d

SHA512
0711e2fef9fde17b87f3f6af1442bd46b4c86bb61c8519548b89c7a61dfcf734196ddf2d90e586d486a3b33f672a99379e8205c240bd4bcb23625ffb22936443

Download Submit
memory/3768-866-0x0000016A7BA40000-0x0000016A7BA50000-memory.dmp

Filesize
64KB

Download
memory/3768-863-0x0000016A7BA10000-0x0000016A7BA20000-memory.dmp

Filesize
64KB

Download
memory/3768-871-0x0000016A7BEE0000-0x0000016A7BEE1000-memory.dmp

Filesize
4KB

Download
memory/4740-416-0x00000221BF920000-0x00000221BF942000-memory.dmp

Filesize
136KB

Download