hxxps://u[.]to/Wr5RIQ

Analysis

max time kernel
131s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/Wr5RIQ

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\NDF\{88DAD494-940B-4921-A687-8E395A49D693}-temp-01162025-0301.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{88DAD494-940B-4921-A687-8E395A49D693}-temp-01162025-0301.etl	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5632	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
5012	msedge.exe
5012	msedge.exe
3156	identity_helper.exe
3156	identity_helper.exe
4996	sdiagnhost.exe
4996	sdiagnhost.exe
5272	svchost.exe
5272	svchost.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
3776	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3560	5012	msedge.exe	83
PID 5012 wrote to memory of 3560	5012	msedge.exe	83
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4768	5012	msedge.exe	84
PID 5012 wrote to memory of 4084	5012	msedge.exe	85
PID 5012 wrote to memory of 4084	5012	msedge.exe	85
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86
PID 5012 wrote to memory of 2012	5012	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://u.to/Wr5RIQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabf6646f8,0x7ffabf664708,0x7ffabf664718
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:2960
- C:\Windows\system32\msdt.exe
  -modal "524378" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF6F01.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6100030630432452356,7255815598661550728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5128
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5456
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5632
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5680
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:5704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5300
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:6024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:5336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025011603.000\NetworkDiagnostics.debugreport.xml

Filesize
209KB

MD5
d7cf890b4419f7d07f1857a674570e4a

SHA1
6151d0f531b58a2e4f935db7d6b900b83bd27569

SHA256
b7a460f07f4711691751ac564fb1fb363cef666d4b29b6d06f0060ff7e61e2e3

SHA512
88666e7d40f6a72e05683bede24d6ba898ae9342cb121fb2a0afbd106cf651dde4b08d232045d59037e564616cfd8785762a01f416c4836700138836d50998e2

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025011603.000\ResultReport.xml

Filesize
38KB

MD5
9bf9801cfe0b5d206c8e438c00cb95b4

SHA1
f5ea7d92f3daf3abe6e9257cd9c33ce4acd99177

SHA256
2e19259409cdb02ec525e61bfc3863ecd33a4e3182f717a2f9e3d36098fe00f4

SHA512
1f502142a35500d7628c37da6da7694da1109af34f3eb5ea438fa0a7e523b28a9e85c11e4c04fabcacdfdf23602e9529f3ba15e14945182ad96dbbf49bac0322

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025011603.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
716f15e47ff0c109ae2dd75fd200cdf8

SHA1
152fbe9be2678998a362b5c16e3d228ba48fa2d9

SHA256
0af89744bb3f3506c71c0aff01b1f23337f2ca4d68de5f3905c7245e2e72a61f

SHA512
6fbbc2f1bcdfd0c6919054f16ab5bcef44f24ecbc5962cb8bc2abff06014617767384108bfd4505c74129b32859e69efab1d0e5aa9b258dd71d25cac38b68910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
51819c24e04090d8055b4a0f7e4b3c80

SHA1
05c010209f9aaeda9d1203e589ce43e8e14e1274

SHA256
2e2f2c7d0df19b8286369e68cc065c55a18c4ef08c54ffa4b63da690093f7ffc

SHA512
1f7a6fc9055c68834c736a4ace49ba1de408d81147503fc586f800918e20ac07477d1d08cb21f8bb8c323dc6d792ca2561afff0844047ea5eb1c6e93482ebbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3e0b0e10ddbb86ed758362e94ace3df

SHA1
60cf1d0e43d7c455805e433f6747d21470e6dd27

SHA256
6fc365b1ee023562543c2fcc17e9a823a23ed4289fa42146dd1fb332d2de77b4

SHA512
c034c646401ddd5b6597c63c7c82ceb4bf8fd87439205437f01d89a8282e2c5f0c2dbebd8019d9440671204019ef2de6c671eb6698bb302a1204a1eaafee4cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
26b6e5e475a6952bffba3692d483d2b8

SHA1
70c4342fcda79d35fbd66f9f9229e673affd343a

SHA256
8bbb347c6f0274f0f7d1e3c0936b65826c1f66db29a01082600487f4dfa75924

SHA512
9f04295048c7d49ac85ed10619e1f846ebd04883b923a96edc28794445fa8d4824e69c27fa70eb7eda2f44664343d1900f3a5a0b9e0bc168ae1013d9d9d093ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
475ea082fc3466524cfa452a87f47975

SHA1
20f949974ab412513c0b2f2b63b1a515f430c1c9

SHA256
cf87f13620a709d6c2599268743676b0ac1e46f6bdc07f58721933d85a9c86b5

SHA512
3fbb10bb0628d0c7d249bb3e088c3b764229b2317e12416a60ad753a18790b0e3da86d3515cab93cb2532713082753473b03a469e957b57206781ce4203a76e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d76b7cf21390aba7d5b03d909cb2fd79

SHA1
fd25c1de6fb2eca99a05ff722dd5fa2408306ad4

SHA256
a30ed6ff27ba2447efce7accbc83f7758e5e705fe47e2d608dc166d765a81b4b

SHA512
b3b7dbd8e9a91174104ca1fefdadefc015126c826ed9fcf017149331a0310f95d57e9c1cd631fd4f27874de27d77d6da303cfc8c3a601694fc1d9af53e029f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4d67895b3fd1cf5c3ff6c0aa7b36b62

SHA1
1f8f376340ac08bec32f5434f46247bed868083e

SHA256
c1271e2c9a2c478ee2fd4c5e09ff3c961477cc89b6645921751974f89030d115

SHA512
f399cca690ad1dd45a02c14c4cf18a49ea11072cb04c6035416dbfc2a7e6589a8e60f764776bc2588cdb86cb82d6b5a924d20b32155517a7a51ecf30826dd2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-01162025-0301.etl

Filesize
192KB

MD5
94e1c59e92414c12756820c94aa2ec6f

SHA1
1f8a3b40e51709b7f5b0aa37e98c7b15e89af8ce

SHA256
73128ffc11ec551949926b38f18e94bc405585a0ba62dcc2d6417cda11e1e168

SHA512
4c6ab26b08db9893bd56511572915680243d3f3c1760a6f299baf189668e1b07ceb9b58a7a3db07a0256439c92c7f6b34f2b9c29ff0939343437cd019d6ba860

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF6F01.tmp

Filesize
3KB

MD5
b3d25550a519ca01732743c8df66e5e0

SHA1
f3cabd284244053a423272807949541a4f985d59

SHA256
8b1fd751ce79858c98e61b55fd68e96967e5767f5bf68d69ad6310a2ca06aa74

SHA512
6e8ee9b8d11bd8b1776ea60af85a48fcc0f21b1f8d9b86172dc10cd80b7d54eaa1017e2f250210cb4072f0cba0363835603b64aa88e1314b53594b3da449a0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fxjqmaf.kvx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
9b9b26326cf79a96aae154f35b35b829

SHA1
1feeeccf14497c9dbc31fa300d16ccc2e33628aa

SHA256
ef59793ea8347c746bb42e026cc19465da0bb82e75f61bcb38a1f7a1730e3a15

SHA512
e07b28659d22b0691e5bdb45524ae96b3d0008aff12d1cd965ca832d134faf2f356ed8c2c1ad0d11128793b963c9978d113a29a2ca71e83abd1bac5503c49e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\ipconfig.all.txt

Filesize
2KB

MD5
cddd052b8e6e90d6d7324883659a3c53

SHA1
295739c1092d0156db26c15423deda009dc62631

SHA256
af0f9c6fc1fff60aa63841379137fd459ea46f5c2e81d0178b644889b1be4b29

SHA512
b4cd6ce305b1f9b2181346939de18a775c6a62ecd69b856fe434cdc9a95ab72442876d57f375fbb7d56837412ee84a612ece3d54aaaf8c1af5c8be5e4685426d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\route.print.txt

Filesize
4KB

MD5
1f29ec7fb2d8dd9b7e90e559ddb94bf2

SHA1
359c8bf8f6a4c8e439b0e48772a31f43b32cce7b

SHA256
6a2a32b6327b26e775862b0800b4982e01f95e4bf1915fae8209520476c3e016

SHA512
492a003552f3d7e129973eb36aa6935df4547c536ae6a88fe133d081ac9999a1bcc5ff09665508001b2d264693bb74dcf9d77b38f086b5bec8ab82297d01f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\setup.inf

Filesize
978B

MD5
26b91ce15b163891d0bddfdd7991590d

SHA1
0fe99c577ec0d398c37e0444ed69e15fc5863079

SHA256
5f5a36af836ee43d9014024450b89881c0073d8f61d0a9670c24c76f035c94f4

SHA512
da1f600ebcf9fdde013384c4553ebb7df885884e25c7ca717d9e4e9a84e61a4d287bb47f7fa8ba5559c081f7555d4ae326dfe7afc79c0d8a36a61df16fb2ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CE2.tmp\setup.rpt

Filesize
283B

MD5
50115cbaabd312bfbc3bc03f83ba9e04

SHA1
552f40312cd0050367169e46d615e64d2fbf125f

SHA256
581692dae1ac6fe4dae69a55823d8b6576a729e067db9e0124193e38b2c51827

SHA512
b069d78e6b872717eae899ae93fc12296fed45c9d30bea7344cedf800e6d3b5e54367f7383888a277934e2a97c706b9df76d28016190fb1825644b848296e8f0

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_19f11bdc-7619-480a-891d-1eb0b0a9af81\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/4996-584-0x0000026BC7C70000-0x0000026BC7C92000-memory.dmp

Filesize
136KB

Download
memory/5272-603-0x000001777D7E0000-0x000001777D7E1000-memory.dmp

Filesize
4KB

Download
memory/5272-595-0x000001777D300000-0x000001777D310000-memory.dmp

Filesize
64KB

Download
memory/5272-600-0x000001777D350000-0x000001777D360000-memory.dmp

Filesize
64KB

Download