Analysis

  • max time kernel
    273s
  • max time network
    245s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 14:29

General

  • Target

    https://zonaclienteprome.cxblockwr.sa.com/

Malware Config

Signatures

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://zonaclienteprome.cxblockwr.sa.com/
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb08546f8,0x7ffbb0854708,0x7ffbb0854718
      2⤵
        PID:2836
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        2⤵
          PID:5092
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4512
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
          2⤵
            PID:3816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
            2⤵
              PID:468
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:3992
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                2⤵
                  PID:400
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
                  2⤵
                    PID:3808
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                    2⤵
                      PID:1840
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1956
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
                      2⤵
                        PID:4712
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
                        2⤵
                          PID:1856
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
                          2⤵
                            PID:2960
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                            2⤵
                              PID:4968
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
                              2⤵
                                PID:4912
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
                                2⤵
                                  PID:1944
                                • C:\Windows\system32\msdt.exe
                                  -modal "197184" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF5143.tmp" -ep "NetworkDiagnosticsWeb"
                                  2⤵
                                  • Suspicious use of FindShellTrayWindow
                                  PID:1728
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17104022723572299937,15497317622076207119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4448
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1624
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:216
                                  • C:\Windows\System32\sdiagnhost.exe
                                    C:\Windows\System32\sdiagnhost.exe -Embedding
                                    1⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2856
                                    • C:\Windows\system32\netsh.exe
                                      "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
                                      2⤵
                                      • Event Triggered Execution: Netsh Helper DLL
                                      PID:2688

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v13

                                  Persistence

                                  Event Triggered Execution

                                  1
                                  T1546

                                  Netsh Helper DLL

                                  1
                                  T1546.007

                                  Privilege Escalation

                                  Event Triggered Execution

                                  1
                                  T1546

                                  Netsh Helper DLL

                                  1
                                  T1546.007

                                  Discovery

                                  Query Registry

                                  1
                                  T1012

                                  System Information Discovery

                                  1
                                  T1082

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061814.000\NetworkDiagnostics.debugreport.xml
                                    Filesize

                                    69KB

                                    MD5

                                    dbebe0d1d074866729947e8817d453e4

                                    SHA1

                                    09de269c58b48409eaf470da92e5d4141a359043

                                    SHA256

                                    e32bc20908e7da01b11d14c9c931dff3110091637222ec47215fd19e086cb95a

                                    SHA512

                                    ab5d53241201640e9aa154945aeffd0b071ec83f6afb35444ed637ebeb2d311157ab3fa2ddd82085dae14d57cac6c6c473ee4882dc41bf9b3b536a25d4aa8ab0

                                  • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061814.000\results.xsl
                                    Filesize

                                    47KB

                                    MD5

                                    310e1da2344ba6ca96666fb639840ea9

                                    SHA1

                                    e8694edf9ee68782aa1de05470b884cc1a0e1ded

                                    SHA256

                                    67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

                                    SHA512

                                    62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    257c0005d0c4d0bb282cb470925e4376

                                    SHA1

                                    f9b8efb511ed64292568977c9f2ec255509e8f7d

                                    SHA256

                                    8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22

                                    SHA512

                                    2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    4819fbc4513c82d92618f50a379ee232

                                    SHA1

                                    ab618827ff269655283bf771fc957c8798ab51ee

                                    SHA256

                                    05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c

                                    SHA512

                                    bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    4395e344157ec76f9d7e6c5b048585e2

                                    SHA1

                                    2427d167cd5d9c6a56364170e01887cf62411aa7

                                    SHA256

                                    ce43d7269d767a059e8fe02c64fb1e3c32cfa89a4c415f13b942770e05f676a9

                                    SHA512

                                    11625ef7d5df78c7f4b8a83543040512b3270bf27b245393fd4e838e136c326332d1f60f97ae3d3ee147078ce6d9f46b81996d1607e3decf0b4b89ed6538ed3b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    b1ef8251868f08efe4a91928f33368c2

                                    SHA1

                                    4790c51a4b8aedb57b353bcb2c3cce9f12eba7a9

                                    SHA256

                                    11c10ded3ce445b7c3266a5333e13cf3ece387322ff174e03ca93ec786122f65

                                    SHA512

                                    7b38b5e6706666828dbd6b0515652c5930a1594136a2f05536187b44bc8f3713d62f105bf2be002d3aec2109bd9891d2e8200c440c24d8c4d4a20683196f9fed

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    c6827842362431702288ae41ca5e16db

                                    SHA1

                                    9b53f40abdb30f06142f105113f4ac9ffa275352

                                    SHA256

                                    28c24384a4fed66a245338243e1f8d88d7957da24a54a45b420639855795b2f5

                                    SHA512

                                    c6c30ed852cd8a74a4805da9985c08dfb1a05d730411200ecf23291e257a279dd2d1743257ca109dc0cd0440a8656d3646da7ea5a68ee5739bb70741f0f8c58c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                    Filesize

                                    24KB

                                    MD5

                                    95cd1581c30a5c26f698a8210bcab430

                                    SHA1

                                    5e8e551a47dd682ec51a7d6808fe8e0f2af39e86

                                    SHA256

                                    d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9

                                    SHA512

                                    e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    a468da069d5454d81303bbe1504681d3

                                    SHA1

                                    3c10d741d419742482da956df4a7b0a450b9a42b

                                    SHA256

                                    cf67635cd76e95faba4b782565ea7e312e9f3bb4f6cffeaa03fde86fa0b9a3c0

                                    SHA512

                                    2796160ecb4b61667375cf93054d1baf6ab0a286d86182d60af35d881a27549b9e8c88018537b2a41b7b212bdd677a2e7e9f51701579e9c440a08d93871de17b

                                  • C:\Users\Admin\AppData\Local\Temp\NDF5143.tmp
                                    Filesize

                                    3KB

                                    MD5

                                    9ea8097e6cf1047554a5b1e7377892ef

                                    SHA1

                                    a593863c864cb20fa63c86e276d513f86a5a17fa

                                    SHA256

                                    6637690ef0731ee0b15a3c45821ad9e63366bcecfb119aefc8c46e182ff797bf

                                    SHA512

                                    3653570268414b99c9fcd1eb54401cb840d03d87990e0c1ff44967654ccb5dbf192f606c9199f4a9ba55ca901f99236851c29bf3048532b1d316944aa76267a9

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y254rbnt.wrn.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  • C:\Windows\TEMP\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\NetworkDiagnosticsTroubleshoot.ps1
                                    Filesize

                                    25KB

                                    MD5

                                    d0cfc204ca3968b891f7ce0dccfb2eda

                                    SHA1

                                    56dad1716554d8dc573d0ea391f808e7857b2206

                                    SHA256

                                    e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

                                    SHA512

                                    4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

                                  • C:\Windows\TEMP\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\UtilityFunctions.ps1
                                    Filesize

                                    53KB

                                    MD5

                                    c912faa190464ce7dec867464c35a8dc

                                    SHA1

                                    d1c6482dad37720db6bdc594c4757914d1b1dd70

                                    SHA256

                                    3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

                                    SHA512

                                    5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

                                  • C:\Windows\TEMP\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\UtilitySetConstants.ps1
                                    Filesize

                                    2KB

                                    MD5

                                    0c75ae5e75c3e181d13768909c8240ba

                                    SHA1

                                    288403fc4bedaacebccf4f74d3073f082ef70eb9

                                    SHA256

                                    de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

                                    SHA512

                                    8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

                                  • C:\Windows\TEMP\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\en-US\LocalizationData.psd1
                                    Filesize

                                    5KB

                                    MD5

                                    380768979618b7097b0476179ec494ed

                                    SHA1

                                    af2a03a17c546e4eeb896b230e4f2a52720545ab

                                    SHA256

                                    0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

                                    SHA512

                                    b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

                                  • C:\Windows\Temp\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\DiagPackage.dll
                                    Filesize

                                    478KB

                                    MD5

                                    580dc3658fa3fe42c41c99c52a9ce6b0

                                    SHA1

                                    3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

                                    SHA256

                                    5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

                                    SHA512

                                    68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

                                  • C:\Windows\Temp\SDIAG_988b6d1e-ae19-4638-b35c-ba942a099321\en-US\DiagPackage.dll.mui
                                    Filesize

                                    17KB

                                    MD5

                                    44c4385447d4fa46b407fc47c8a467d0

                                    SHA1

                                    41e4e0e83b74943f5c41648f263b832419c05256

                                    SHA256

                                    8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

                                    SHA512

                                    191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

                                  • \??\pipe\LOCAL\crashpad_4600_CJMLSBDFOWEJDZVX
                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                  • memory/2856-486-0x0000017AB1C30000-0x0000017AB1C52000-memory.dmp
                                    Filesize

                                    136KB