hxxps://simuos[.]com/visionos/

Resubmissions

17-06-2024 08:14

240617-j4zxgasale 5

17-06-2024 08:08

240617-j1szrawamj 1

Analysis

max time kernel
208s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://simuos.com/visionos/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3558294865-3673844354-2255444939-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File created	C:\Windows\system32\NDF\{D9A7B9A8-FC5E-4BCC-A4D5-255D83A308DC}-temp-06172024-0816.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3558294865-3673844354-2255444939-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7b03970e-0a79-4bea-b0f2-1434e9b1eae7}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7b03970e-0a79-4bea-b0f2-1434e9b1eae7}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{D9A7B9A8-FC5E-4BCC-A4D5-255D83A308DC}-temp-06172024-0816.etl	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5196	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4976	msedge.exe
4976	msedge.exe
1308	identity_helper.exe
1308	identity_helper.exe
928	sdiagnhost.exe
928	sdiagnhost.exe
3560	svchost.exe
3560	svchost.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
3884	msedge.exe
3884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4824	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4640	4976	msedge.exe	82
PID 4976 wrote to memory of 4640	4976	msedge.exe	82
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 3784	4976	msedge.exe	83
PID 4976 wrote to memory of 4592	4976	msedge.exe	84
PID 4976 wrote to memory of 4592	4976	msedge.exe	84
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85
PID 4976 wrote to memory of 4012	4976	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://simuos.com/visionos/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6dc846f8,0x7fff6dc84708,0x7fff6dc84718
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4316
- C:\Windows\system32\msdt.exe
  -modal "393282" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF9A5B.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12129182184291574368,16450627410869308920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1296

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:2688
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:1876
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5196
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5180
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1540
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:5844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault96861ab5h5cf4h422bhaed5h860e5c51b3f8
1⤵
PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff6dc846f8,0x7fff6dc84708,0x7fff6dc84718
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11742242943039460977,13748771241474375639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11742242943039460977,13748771241474375639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0c7ac46bhf5f0h49fah8362h4df04f3253ad
1⤵
PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7fff6dc846f8,0x7fff6dc84708,0x7fff6dc84718
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2040469429867546206,15949946636132876551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061708.000\NetworkDiagnostics.debugreport.xml

Filesize
209KB

MD5
ff5c367c00522c294a250d80300a8573

SHA1
d287107136b5bce27d1531d6de9e1c3a39624b72

SHA256
45f3525de7be9180d86a5b2c6dfc1cff22bc04c5ebd6e1a779691b61239a6eaf

SHA512
5cc03ac022c49d5ebbaa51f3d5f268c6501c01627538cbdbae003001e3c11f18862cac2a54a0504f8589f63f6744a179ca8a2d144fd2f40d64064024da80474a

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061708.000\ResultReport.xml

Filesize
38KB

MD5
314dca81476e8549c9489868532c1fc2

SHA1
f5474e95d3864e8d622d1d8564e8618b70612b18

SHA256
9931027c2588e909ea46cd228967c984dbd6d23603421db6ce61373545302582

SHA512
22804e4ea77a074c44f42cf637ac9151138af8b218e4186b15286ba01891a0ac5f808d2760e80382790ed949e3102c251b710aa7eb8688ac55a9270523cd7a32

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061708.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\59ee1c98-598b-4c68-bfeb-d5da136e5e03.tmp

Filesize
9KB

MD5
f0080cf0416f552406383e327969fade

SHA1
249809083804c691ff4139f719740fd7c9aa9e7a

SHA256
fbfe278c2d9a431c2957a7925e923bb07163038dfba1e3254acf7cabac90269a

SHA512
99f5771ff794e2dd4554c728cfb42158676e8d29067d18f8e1846a28069ed3c07e525d9cc45882da801758c415cc9a87b65039cd38cef013c8e7cff960da73dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
666e6cc42e8ad007968cf9f5c001adf0

SHA1
8de26b29eae2cb93cc5aa7f8f17ad6d5cf4d29df

SHA256
e2459bd784281a0a1c709570afe4ecfafc807dad5d7db6bfbc37f52dd06e8515

SHA512
e8351e5c37312f17c6b2302b65aeb1435d33d5b9645187f6c20162b897990b2c2d5b6cf6698092dfa0a7030d0b2488fe8b809a9366bac784063d4cd8525a9136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d94a79767ef5bf796b66a10fdc8c9a1

SHA1
4da6645bb48e02fa4ec5257f9113f7d2259d36be

SHA256
a98a6dd839f072c4b0aec1cc242d1ba166f0f3e5490bde00137b0c9dff9d928f

SHA512
29a57b5c061ff984667e26e467995026e58fe9b3d2768a012eea5922bdb16f64cf3b8a1addf80a5a64b04dd91ba67786412838b7dcb922f54ed905c14ebb924d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36c6a302bcd28ece0017e2fc46ed217b

SHA1
de8f042dc5ab7aa8253a8e60e654f1551b4f4f3f

SHA256
5c452f42a6a8b6f65edbbe93d942e8bf0ac3de8fa9f02f689c9437f55770d808

SHA512
20959d1c12186c4d49c7fc196b929d787bc6eed3737312b3e904953a73006ef4a42b5970b6e96c46afe5254c55b2f56f97db8e8dfcb39423ca520755605d7b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2113c145eb151e5245eaeba3589f6562

SHA1
35e2c0ba8cd395ed0ad97d26380c4a38dbb1ebee

SHA256
5b3c90963a64f60818875d777c2ca3f568cea8c4620d93455ce4ce0fe3f177be

SHA512
07b303b05875ebeee1c7caa56feef6d715fd269d7ca0bed4d884d9b8d9fb307c089de99b45012a5b4adb7df9e335d81bb54e8f1cd26fab7f42a4b4674ff7ab0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
7163f1483046741007fa1fd89d6247c5

SHA1
55caa0327ddbb6f6c436925b51f6f143b1af23f4

SHA256
6c8584da865c8a789868828a81de2fa6cf2099e9ee081909cbcf25e043081746

SHA512
b3fe5d7907714dbf2425760a7aac5e66074483d1dea95582b975038b40c10d37fdaf9e50d9a1105149fe98f9d0bbfe2e3258857fc41a37a940dd1f1196e17237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
57fd2bd09ea17c2a9080dcbc15cd793e

SHA1
98a63dd2de869e62cd77499b940a842c6c38a85e

SHA256
bade813dd8b54377a1b061d0ed3621a8b35408b3fb9528183a7a48a7a509a43c

SHA512
523707d4756e2463375cd02ec2edd99ff97e79b17e272cd7d3b6a8beb43955e22b88b935029dcb142ffc3ad8608d8285f880a0cabaa2023aeab9988beb6e3e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b2a5e5ea683980e25619ddefe35adfef

SHA1
03536e09c72f85db50a032f941a7ecea41a0652c

SHA256
ddac89a7939254021c03b4e66ff1039f7a3c6728921082ad0b018a6e9cf455e1

SHA512
3f38d15de24f1af6306352d23838a4aad1761d6cd40a6711b951f048d9eb1b249edbecf838350d5de2dc6cdf02c38ea7e7e1540eab9b0656bfeaa5607dc723c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
e516e398a8cebfedbcded684b80633a0

SHA1
86cfb7296017ade94b2cb157734514e43d389116

SHA256
7547835c1374cd488a85903f81a5c8ffac4bceb62dd8e94d93f142ce66665c39

SHA512
13011e289feb2de8837d18432849ae2e7effdd4c9824b198e06ca099b75b0c105e90f8c42951d0eb2e1112c8ce54832b7bfd46a493a57b79e45855c7d83377de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
db9fa92701be1e3f309c0e3f3e62388e

SHA1
77807ead7ed4bc91c11f8a219a295006a059637b

SHA256
b83850126adcf24c542108b64539cd58a8911de5830bdad193fe40b92c453342

SHA512
91e1a7eb280c5a20ec5184047ed44e41940d0d97947a68f4118c3fd2210191cc26752f003148152b17eee625ad35d54a34838eb5e42ae97ae25170a8ed8b8c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
5699e93ca562ae336dbf6b3256090bec

SHA1
4e3d5d2109a6cbc15e3abea09cf7d8c8e2911624

SHA256
432201c3faa185fd849c590d61b5b233cbcc13dfba29091112499291e1b21446

SHA512
ed23ba0c57bb4911a7a6030f4df0f3525050642eb672e79323c8d741c9a3eadff7fe1a54c945b69c9d992c5900a16ac3f06b3b7b5fc2535426c8c1b472cd06db

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF9A5B.tmp

Filesize
3KB

MD5
7aaec598b488149066e122a40c28904f

SHA1
456eda76513f35f95d6a582482ad6a7aeb35accc

SHA256
e8c50d9c75a353ea2eadec99cae38743baa1b7ece2a58892bff1ab6af8e2aeba

SHA512
9d5aed675480bf2d292e599454b5280ab400cefa94c8234c3f7365a7d37d68633fa009d491b940d3f005572d345355d4409190bdd6b4fc4b334c2cf34adc9cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gfwv2xh.mpd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
8b17322ae264a97b346369f9d22daceb

SHA1
861b7556c7262f7f00424368eddd80e5b1fab708

SHA256
269a295520c6f1e4164ab179d17e14b0708ccaa7ad3e785cef192668bef1934d

SHA512
771345bc70481e69d475338b777bd76f9faa57de4351c2c83cd369433e3373f30a5fc14a33531f31cfde58d666a1fb903e63d62509c479f6286531abbabceb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\ipconfig.all.txt

Filesize
2KB

MD5
b5e5e52ba6f8c5bb88054ee457848f33

SHA1
22b94f22e6fde8266f743863782255f0a951116f

SHA256
42441e94e549d4319a1f88205202454d550e7cfc16bad9df02ee8c17c2f15e8f

SHA512
5c8a83fc42da693cab661e3dcb8b86a0a094802e4d59a19d8725f2bcf638c9b71745e6dbec3955c451f42691b352f3340d0af09fcf8e93418b4ae17f623a126b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\route.print.txt

Filesize
4KB

MD5
b6980d3fb358c32a09274dde1bb2eaf1

SHA1
ff39a086780bc536a5353b1b4f61f20533df24bd

SHA256
9ad08feb36a2adc0e8f5840c4339b421a6e9c3eb780f8758eca0d46f488b86c4

SHA512
9bc7a3b6a072dae3efd3c7446e7dd21e04849b623bb8d2620ca35c078144d71a6534026df2903f138441eb05cb3740a014c6e549741f679203a037d134c4c225

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\setup.inf

Filesize
978B

MD5
d92c84b265a85415fe1d2daf03704e9f

SHA1
f76568c86cac2de3c71db71302319bf5d80b6aee

SHA256
0fd6a977ab629bd1c465fee3b07b3a9899ebc446b6772118f54a6aab9d32961f

SHA512
0ed0892240635f46d304860a47bacaadbc97130eace3456c9feb1adb6d0f5eed2bf977191b661a9ec465ccbd48f56ea86a10b4a74f00b1bee84665f6df3526ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp774E.tmp\setup.rpt

Filesize
283B

MD5
b878bceb8dfd07ca60117e541714ce0c

SHA1
52308bc1959bb82ad884640a0bc5303258770602

SHA256
b700579e811611a1ad87fe880150683a573643cf79c65280251821afd38f5c05

SHA512
a9653d71fee6dbec0923ad4d124ddd2cc52029d4c828202220e71244472739c5738925e7df0f586c77dbda98a2551d77d556d2cc1aeb73199a9aad096cc55b71

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_0f3a0812-5c4a-4363-856e-12442ec6152d\result\D9A7B9A8-FC5E-4BCC-A4D5-255D83A308DC.Diagnose.Admin.0.etl

Filesize
192KB

MD5
089f187de66c101b421a522dadd7068f

SHA1
383d6304102537f5eef89ed6e0922c33bab93a43

SHA256
f2fa563d50448660bdfd4db0150446fbb0888c0dd991650c384196e74028e602

SHA512
68e4b980fdff2bb2ae6d5a01d9bcb6ba075e4abc2ca4133fc28f2f446fc13376400ab5896071487c442f612925160b07b3a30874c93d7330771805f01491f50f

Download Submit
memory/928-425-0x000002211FBF0000-0x000002211FC12000-memory.dmp

Filesize
136KB

Download
memory/3560-462-0x00000210276A0000-0x00000210276A1000-memory.dmp

Filesize
4KB

Download
memory/3560-457-0x0000021027200000-0x0000021027210000-memory.dmp

Filesize
64KB

Download
memory/3560-453-0x0000021026BA0000-0x0000021026BB0000-memory.dmp

Filesize
64KB

Download
memory/3560-705-0x00000210277C0000-0x00000210277C1000-memory.dmp

Filesize
4KB

Download
memory/3560-706-0x00000210277B0000-0x00000210277B1000-memory.dmp

Filesize
4KB

Download
memory/3560-708-0x00000210276B0000-0x00000210276B1000-memory.dmp

Filesize
4KB

Download
memory/3560-709-0x00000210276A0000-0x00000210276A1000-memory.dmp

Filesize
4KB

Download
memory/3560-711-0x00000210276A0000-0x00000210276A1000-memory.dmp

Filesize
4KB

Download
memory/3560-714-0x00000210275F0000-0x00000210275F1000-memory.dmp

Filesize
4KB

Download