0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6

Analysis

max time kernel
426s
max time network
461s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mes_Drivers_3.0.4.exe
Size

1.5MB
MD5

50a5e891da27e63d54e68511e48aa026
SHA1

87073d85a7ba420b15c8bb9a9e4adc64db2bcfef
SHA256

0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6
SHA512

6df8811e3e1f6a4110ca3b7c498af13898b46962a30888879180b2f11dda24344a1de4807663d46dd86f7ea11855d08137980cc85fe71e688d082f2f79994909
SSDEEP

24576:AfHFw5b9DOnFYrv+kjqipUompMEoNMDYSkbDknoI6JK+ZYtEi8ETtAM5B:sjFYrv+kjV45oeYSRnyJhOtEVcf5B

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	Mes_Drivers_3.0.4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\monitor.inf_amd64_8a98af5011ee4dc6\monitor.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\monitor.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_fe5b23ea7991a359\hdaudio.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\monitor.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_fe5b23ea7991a359\hdaudio.PNF	detect_x64.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudio.inf_amd64_fe5b23ea7991a359\hdaudio.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	detect_x64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	detect_x64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\INF\ks.PNF	detect_x64.exe

Executes dropped EXE 9 IoCs

pid	Process
3520	detection.exe
3424	curl_x64.exe
592	detect_x64.exe
2096	detect_x64.exe
4600	detect_x64.exe
3932	detect_x64.exe
4852	detect_x64.exe
1460	aes_x64.exe
1872	curl_x64.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3764	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 30 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	detect_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	detect_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	detect_x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
2016	msedge.exe
2016	msedge.exe
1764	identity_helper.exe
1764	identity_helper.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3688	4308	Mes_Drivers_3.0.4.exe	91
PID 4308 wrote to memory of 3688	4308	Mes_Drivers_3.0.4.exe	91
PID 4308 wrote to memory of 3688	4308	Mes_Drivers_3.0.4.exe	91
PID 4308 wrote to memory of 3520	4308	Mes_Drivers_3.0.4.exe	93
PID 4308 wrote to memory of 3520	4308	Mes_Drivers_3.0.4.exe	93
PID 4308 wrote to memory of 3520	4308	Mes_Drivers_3.0.4.exe	93
PID 3520 wrote to memory of 3424	3520	detection.exe	95
PID 3520 wrote to memory of 3424	3520	detection.exe	95
PID 3688 wrote to memory of 1884	3688	cmd.exe	99
PID 3688 wrote to memory of 1884	3688	cmd.exe	99
PID 3688 wrote to memory of 1884	3688	cmd.exe	99
PID 3520 wrote to memory of 1612	3520	detection.exe	100
PID 3520 wrote to memory of 1612	3520	detection.exe	100
PID 3520 wrote to memory of 1612	3520	detection.exe	100
PID 3520 wrote to memory of 3764	3520	detection.exe	104
PID 3520 wrote to memory of 3764	3520	detection.exe	104
PID 3520 wrote to memory of 3764	3520	detection.exe	104
PID 1884 wrote to memory of 3188	1884	cmd.exe	105
PID 1884 wrote to memory of 3188	1884	cmd.exe	105
PID 1884 wrote to memory of 3188	1884	cmd.exe	105
PID 1884 wrote to memory of 3416	1884	cmd.exe	106
PID 1884 wrote to memory of 3416	1884	cmd.exe	106
PID 1884 wrote to memory of 3416	1884	cmd.exe	106
PID 1884 wrote to memory of 4484	1884	cmd.exe	107
PID 1884 wrote to memory of 4484	1884	cmd.exe	107
PID 1884 wrote to memory of 4484	1884	cmd.exe	107
PID 1884 wrote to memory of 1524	1884	cmd.exe	108
PID 1884 wrote to memory of 1524	1884	cmd.exe	108
PID 1884 wrote to memory of 1524	1884	cmd.exe	108
PID 3520 wrote to memory of 2752	3520	detection.exe	109
PID 3520 wrote to memory of 2752	3520	detection.exe	109
PID 3520 wrote to memory of 2752	3520	detection.exe	109
PID 1884 wrote to memory of 4232	1884	cmd.exe	110
PID 1884 wrote to memory of 4232	1884	cmd.exe	110
PID 1884 wrote to memory of 4232	1884	cmd.exe	110
PID 3520 wrote to memory of 592	3520	detection.exe	115
PID 3520 wrote to memory of 592	3520	detection.exe	115
PID 3520 wrote to memory of 2096	3520	detection.exe	114
PID 3520 wrote to memory of 2096	3520	detection.exe	114
PID 3520 wrote to memory of 4600	3520	detection.exe	113
PID 3520 wrote to memory of 4600	3520	detection.exe	113
PID 3520 wrote to memory of 3932	3520	detection.exe	111
PID 3520 wrote to memory of 3932	3520	detection.exe	111
PID 3520 wrote to memory of 4852	3520	detection.exe	112
PID 3520 wrote to memory of 4852	3520	detection.exe	112
PID 3520 wrote to memory of 2844	3520	detection.exe	122
PID 3520 wrote to memory of 2844	3520	detection.exe	122
PID 3520 wrote to memory of 2844	3520	detection.exe	122
PID 1884 wrote to memory of 4432	1884	cmd.exe	124
PID 1884 wrote to memory of 4432	1884	cmd.exe	124
PID 1884 wrote to memory of 4432	1884	cmd.exe	124
PID 3520 wrote to memory of 1460	3520	detection.exe	125
PID 3520 wrote to memory of 1460	3520	detection.exe	125
PID 3520 wrote to memory of 1872	3520	detection.exe	126
PID 3520 wrote to memory of 1872	3520	detection.exe	126
PID 3520 wrote to memory of 4332	3520	detection.exe	127
PID 3520 wrote to memory of 4332	3520	detection.exe	127
PID 3520 wrote to memory of 4332	3520	detection.exe	127
PID 3520 wrote to memory of 220	3520	detection.exe	128
PID 3520 wrote to memory of 220	3520	detection.exe	128
PID 3520 wrote to memory of 220	3520	detection.exe	128
PID 1884 wrote to memory of 732	1884	cmd.exe	129
PID 1884 wrote to memory of 732	1884	cmd.exe	129
PID 1884 wrote to memory of 732	1884	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Mes_Drivers_3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\Mes_Drivers_3.0.4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C START "" "C:\Users\Admin\AppData\Local\Temp\interface.lnk"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\interface.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\mode.com
      MODE CON: COLS=76 LINES=15
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" VER "
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\findstr.exe
      FINDSTR /I /R /C:"version 5\.[0-1]\."
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\waitfor.exe
      WAITFOR unlock
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\waitfor.exe
      WAITFOR unlock
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\waitfor.exe
      WAITFOR unlock
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\waitfor.exe
      WAITFOR unlock
      4⤵
      PID:732
- C:\Users\Admin\AppData\Local\Temp\detection.exe
  "C:\Users\Admin\AppData\Local\Temp\detection.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\curl_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request GET "https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4"
    3⤵
    - Executes dropped EXE
    PID:3424
- - C:\Windows\SysWOW64\WAITFOR.exe
    WAITFOR /S DRMVXOTS /SI unlock
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\SC.exe
    SC query Winmgmt
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\SysWOW64\WAITFOR.exe
    WAITFOR /S DRMVXOTS /SI unlock
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\detect_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\detect_x64.exe" stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3932
- - C:\Users\Admin\AppData\Local\Temp\detect_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\detect_x64.exe" status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\detect_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\detect_x64.exe" hwids 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\detect_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\detect_x64.exe" drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\detect_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\detect_x64.exe" driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:592
- - C:\Windows\SysWOW64\WAITFOR.exe
    WAITFOR /S DRMVXOTS /SI unlock
    3⤵
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\aes_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\Admin\AppData\Local\Temp\rX0uLMrJH9TR5YMv\rX0uLMrJH9TR5YMv" -
    3⤵
    - Executes dropped EXE
    PID:1460
- - C:\Users\Admin\AppData\Local\Temp\curl_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request POST --form "v_configuration=<C:\Users\Admin\AppData\Local\Temp\rX0uLMrJH9TR5YMv\rX0uLMrJH9TR5YMv" "https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=rX0uLMrJH9TR5YMv&v_version=3.0.4"
    3⤵
    - Executes dropped EXE
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C START "" "http://www.touslesdrivers.com/index.php?v_page=31&v_id=rX0uLMrJH9TR5YMv"
    3⤵
    PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.touslesdrivers.com/index.php?v_page=31&v_id=rX0uLMrJH9TR5YMv
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x80,0x134,0x7ff8c05746f8,0x7ff8c0574708,0x7ff8c0574718
        5⤵
        
        PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:4432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
        5⤵
        
        PID:2264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        
        PID:4584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
        5⤵
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
        5⤵
        
        PID:4752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3236 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
        5⤵
        
        PID:3108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
        5⤵
        
        PID:1108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
        5⤵
        
        PID:624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
        5⤵
        
        PID:840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16718102031994038737,17614662190436356701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
        5⤵
        
        PID:3956
- - C:\Windows\SysWOW64\WAITFOR.exe
    WAITFOR /S DRMVXOTS /SI unlock
    3⤵
    PID:220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
f12f4965d93cfb2e1960bd1a5921a357

SHA1
a6640a1ae67e918a521119a78b01d2701bfc69dc

SHA256
fffb9716120ea5923a3fa7f78bf442bdc937455d0683b847575428e6ec4bbda2

SHA512
1abfb5e7d3e0b7e642e7131194bc96aae19bea74873a829a552495af6623388a28563a9831a295b351e7836103da72e169804d9066d8e7fe0fe1af82a85e082d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
952f33d2048789ef304c751718fd6b19

SHA1
e438243876f5e4acbc934658969d4e1339825b21

SHA256
7aa544c6d20683d18bfe75a202bdaf1e08fbea026bbc4a13acf70e8232cc7bbb

SHA512
3f9cb9619baeab05d62a22100d781f687320ce16961cce8df43b6ab4f42f63de3ba3ec6dfed74919160a29bf7ecea938851630205bb76f9590ecd87c4f46f3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
604B

MD5
cceba0c2164831345c898de7bebfbf56

SHA1
65474682726f309cef7b5f6af44dffb7378183ec

SHA256
d413cfc38f8291268596f8cdb5f2836612f11730872bdd788eb26a7e82ef7290

SHA512
0b6f74ce446d89529260213f1b181f439f60a26813e7046ece2e5df77a7b60c06dbf35d59c7525275dc5136caae5599c9bd1066ed15d3743328522ee8af25990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f0e1151ef019a40167970ec08348e8b

SHA1
a3f0b4a14fca52c2fc65acb937dad406408d77fa

SHA256
88e8ebe842c608834353482453327d647d2ba7a148ecbc5aee50ffbb4e41fdf7

SHA512
95984a75984bf79b2f69a1b737a94a179d1a95046b090e0f50d7d9ce8545fc3299d5598ba104f089c4b0a9e186e2d4a59330b546b487a41867d28ee2cccdbab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
485936cc4082c3ecb400ce4510091239

SHA1
a3446ab95d2c6542b6164c038599adcb02fe00cd

SHA256
dba09aab16cb66e2c39c7c108681077a8baa808c04d28b0d82326e3bd5bc7ef0

SHA512
b98e10e7e31ceaf00471e03050344459ef5d02257a9577b7b615545ea06aa51578eadc6b6070507e7be1f2252c6da955c91ea3cdff98a04adc4a6c727e47df22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2efd27711a405255406c3683aad42ca

SHA1
a5e1920747173f94e08cf661424d4ff7b8a7b678

SHA256
29d724d4a835b0c88b93d2c3aa4ecbe6624429faf58cfa8d6a432359150b7c28

SHA512
b4a8e5b57e135bb28920782647ed443c39273b6ea357d51a9216d42c778bb01f3ad591314101a58480b4668844030962b595f28cd6fd6761365efb4ff023cf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e99fff8a2677feda15e7bcc76eddfbc

SHA1
ade0ca09aefbfcf494f764a9523d9779663888f6

SHA256
96f4bd2148eb71d1cbe96afdac9d519cd7efb85f8022b19dbc96638760246fef

SHA512
230d982a1bc67b2ed8fee9d657ff7f409835b0a290bc2ebb67056279454fd410563a4664864000d972b20510bb5dc630d71d06413b9905b8d3232ae3527c5756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e1fcc969cbd8dee0184436904fb5233

SHA1
4a0142684ef5c596e1bb94f8f12131ca148d57be

SHA256
8f4af0123730f519b9aa5ce415110b1a470f80ae36887a989c595736714e119b

SHA512
3214f9900dab5b0f56fbbcd6d2e430728ad8703c6d199e07a05718867158ddc53ce912afc2440c39647bf53b3ac03c62ffe021d5420cd81f34252b50b9813744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b48b3297f096a87fbcbbea3d00b7aa3

SHA1
c29d1cc7d3afec91dc00371be8470a8ba4b75994

SHA256
e26d2f90b923b3d060586f0779cac5642eac118fc7cbdf4f4d7b59b467b1c380

SHA512
74da4652a0d0546543ba48c11c13d681b517ba225b3eb74b4587f9b8df110c33e577a968c3e7edaad4d005b96fdf77fdb657d409c89aa342e656f1e527cf70c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
3ebc8b92b7b5c25d4d5c42c32d72c183

SHA1
d89a65e2230744d2c5ea19976b96b750b9373221

SHA256
aca207d49122f7485ee491e049df559cf7e9816cb47bcbcbd7210747df3354f6

SHA512
34b4ef7a1cc6cf9de8ee2c201f43b03660e1869730d4ea409fb36df465ed8c3a5b6fe5ec9d54496e3eb937558eeb6f79e1a6f47bc3dacd1826f1066d91bef24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
d35d0604b5b6d0c57ec33fe745e7f0b4

SHA1
17b762b4ee88b0e0e36332faa4cb0d6a4da84054

SHA256
cd49ef67486fc8a81f522656dcdbf3e830a3098eb67f00e938f5c0a24fd2fefa

SHA512
e122776610d0e8103d7729b4f20960c5ac327662c8d5221cc2f6ed46b5d1709cc8d0d2fad839db7dbc435e427ed59fb023b7628ecefc8f4b6dcdf655126b0434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
6dbb23d9029ddf46f4599e5d2a8b2dc0

SHA1
46eac9f266c3bc4926fc6e204b60b70830c4372f

SHA256
f101418a2a92167bb30629f84599ce69126ba28e79bb5d6d41b76dd4205c2a24

SHA512
cbc8a745c4cf9d94436e6fd8db6293aa41ae42097ec2cffcb09842c409fa7948105cb92b2e8578734283a5ca0755a9f7400d9e2b922966b94ab65308f541aa77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d73ac.TMP

Filesize
203B

MD5
0fb6878ddf270189ea98a404d6b8b0fc

SHA1
99a2479fcecdaf077345e5ccb040f32a9c3a3234

SHA256
23a964db82923eebb5e0bad696a13dff6d820d56b757f814a4e910edf668ecc5

SHA512
ef41467b860259e4dcbe1fef9d0e8475a9b996ee1eebd2e4e936205ad3131a1a0445afcdfa6f4939a6586ad14b258737f72c512ab3b2abf93f77a9f96c5e9305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d3c05ee8dc07f5c9e81307ad01e3f93d

SHA1
aca25ec9dc0f21072f8804b789fb57eda4328fd1

SHA256
3bda99efb5fba77464122dbd08b62910af84cdf58dd45bdaa9ac490e4247c325

SHA512
f666d383ced3e658c1dc60be1d305e85857f471be1e0199ac27e21f36db39fb2ab25802732a6b43d0e9825843128293fd2bcaebbd691c39c89deb60489287480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
27f8cbcb826924ae00f81186bfa8fabd

SHA1
d16248933f1185ee8c6e1ed7aa1338ec6d0fd6a6

SHA256
8983789cc6fa52d10f16a076b0c1fceac44229c0cbbf07040ccec4e76cc2b0d4

SHA512
bb9afa6a9050e0047e4c40431c1714a9c3000ccb2db8a86e65a51b900d0a6c46e6a03ad839245af07a7f4aa3c5b69db61be5e7ead1f09aede6c52ee1e057ccfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
f10b3f0a32d5ee409c7ed34b508b51dd

SHA1
6feca8e328bc37cc8aeac84e9c4f4192f529d5d0

SHA256
8c71afb8c2cd9c0299b9d6ec646e9e2299aebf84af09cb0195579d85b0e9215d

SHA512
0024a129f1bb9e5cd15f77ad8a30b996ba80fd6dad29695dee93fb84852b99881cb9307460397e823e8a802b2f276edcb495adda9940bdc9efeeb2e7854c1ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aes_x64.exe

Filesize
151KB

MD5
e5125d4651c008eba61d9fd3abd5ab31

SHA1
4a85e5d6ab73891832c9adaa4a70c1896773c279

SHA256
874cb7a8513b781b25e176828fe8fe5ac73fa2fe29ea2aac5fe0eaad50e63f39

SHA512
26ba2cecf7324e1c5fe46112c31523e2fabad8de34fe84ce3a9e3a63922b0f85d84982e7c6bae13d2e3cf65193f7a19a67a2fc80af5a78ef8cfe611fce1a9409

Download Submit
C:\Users\Admin\AppData\Local\Temp\aes_x64.exe

Filesize
151KB

MD5
e5125d4651c008eba61d9fd3abd5ab31

SHA1
4a85e5d6ab73891832c9adaa4a70c1896773c279

SHA256
874cb7a8513b781b25e176828fe8fe5ac73fa2fe29ea2aac5fe0eaad50e63f39

SHA512
26ba2cecf7324e1c5fe46112c31523e2fabad8de34fe84ce3a9e3a63922b0f85d84982e7c6bae13d2e3cf65193f7a19a67a2fc80af5a78ef8cfe611fce1a9409

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl_x64.exe

Filesize
840KB

MD5
e80c8cb9887a7c9426d4e843dddb8a44

SHA1
a04821e6d51f45b72a10bdbd3bb7e49de069ccd2

SHA256
3df4725778c0351e8472a0f8e18caf4fa9b95c98e4f2d160a26c3749f9869568

SHA512
41b4bd84336785d4da13b5653183bf2a405b918afad3acd934f253d23b1e00460173e36b2d65a61f77ef2b942dba735655fc5b4ec561c375896f5a010e053d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl_x64.exe

Filesize
840KB

MD5
e80c8cb9887a7c9426d4e843dddb8a44

SHA1
a04821e6d51f45b72a10bdbd3bb7e49de069ccd2

SHA256
3df4725778c0351e8472a0f8e18caf4fa9b95c98e4f2d160a26c3749f9869568

SHA512
41b4bd84336785d4da13b5653183bf2a405b918afad3acd934f253d23b1e00460173e36b2d65a61f77ef2b942dba735655fc5b4ec561c375896f5a010e053d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl_x64.exe

Filesize
840KB

MD5
e80c8cb9887a7c9426d4e843dddb8a44

SHA1
a04821e6d51f45b72a10bdbd3bb7e49de069ccd2

SHA256
3df4725778c0351e8472a0f8e18caf4fa9b95c98e4f2d160a26c3749f9869568

SHA512
41b4bd84336785d4da13b5653183bf2a405b918afad3acd934f253d23b1e00460173e36b2d65a61f77ef2b942dba735655fc5b4ec561c375896f5a010e053d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detect_x64.exe

Filesize
80KB

MD5
6a7ec375af8ba2e87ff7f23497e9944e

SHA1
791fb650e9e27e9857b332f534a0ade1eae28be7

SHA256
65c68fd55281a0a4598807ea83531a0cb0e4e79a8c5bf38e9637e776f72c3514

SHA512
c6fa4ac94692ddb8d60c8ab40aa33b17e9d0800c802ee5d3c7d6f0db24c507638743287a274d7ec62fe568b6aa1c69932d52e74a50040720a89138cb5c8be7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\detection.exe

Filesize
1.1MB

MD5
02ba1c44b6392f013a7aa0b91314f45a

SHA1
724c1977101ecae88e4f104a8422b64bfec01a98

SHA256
7fbe59195f5f6f45c8b38b12488a169fdcb3a272004dbaf44c9d92a60a3690cb

SHA512
56bed935b028257e6eb485c555002f3e07e86788452cca0e28786098cc9254a7462b777a7a46ae6594911a73d786a6d15dee248f05a4c33a1bc749be071bcc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\detection.exe

Filesize
1.1MB

MD5
02ba1c44b6392f013a7aa0b91314f45a

SHA1
724c1977101ecae88e4f104a8422b64bfec01a98

SHA256
7fbe59195f5f6f45c8b38b12488a169fdcb3a272004dbaf44c9d92a60a3690cb

SHA512
56bed935b028257e6eb485c555002f3e07e86788452cca0e28786098cc9254a7462b777a7a46ae6594911a73d786a6d15dee248f05a4c33a1bc749be071bcc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\detection.exe

Filesize
1.1MB

MD5
02ba1c44b6392f013a7aa0b91314f45a

SHA1
724c1977101ecae88e4f104a8422b64bfec01a98

SHA256
7fbe59195f5f6f45c8b38b12488a169fdcb3a272004dbaf44c9d92a60a3690cb

SHA512
56bed935b028257e6eb485c555002f3e07e86788452cca0e28786098cc9254a7462b777a7a46ae6594911a73d786a6d15dee248f05a4c33a1bc749be071bcc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\interface.cmd

Filesize
2KB

MD5
e0eb53551aca2acff814ddd7aca212e2

SHA1
ee825c865d5abf244d6165ee838735f1ba05bfcb

SHA256
11993a03f68a33500a3ce8fbeb3e3c2042a28299d04f39eed40147709e76ca79

SHA512
ddde3d274b2ea8da0d645f88bd6b340902dca83e599ba0c7249953a7c1f2dd512f764802134a6efa1f48ca6cae23b78881569228f908dd0746abe3c46e95a348

Download Submit
C:\Users\Admin\AppData\Local\Temp\interface.lnk

Filesize
1KB

MD5
ed808a9672d0bef99c343fb6d66ce2ec

SHA1
a600e5f6be01afe87f3ed2ed25c678ac5762609d

SHA256
7b3e8aecb3ab4c842623ad98949db2e9265a90e21476a0b9c90912ff86472bcc

SHA512
dbfc4657cecd6cf5114ec99d604f4306e2e0245467911f52833431a34b6841b4e1cf1e292d563f12a1690805ee13f6ea8bb8bbf458d700b608f182dc999097ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\rX0uLMrJH9TR5YMv\rX0uLMrJH9TR5YMv

Filesize
24KB

MD5
53cef864d65a4ec32f98e484994d2b94

SHA1
aeb45ffa089370e804eca3d986f8eefc5232ebe5

SHA256
34b9e3554959f773d8e999169bc6103027b8c71c220881ebb4d412199d114e7c

SHA512
30bc31b898497ccf15c885a6f42489d806806c7cc8158429a4a835f85e60dd28847412e74de5f5ebb54a556efeec001c6b4d502f2b4d9eee1e2ffff366a340f1

Download Submit
memory/3520-37-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/3520-30-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/3520-21-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/3520-72-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3520-17-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/3520-79-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/4308-81-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4308-4-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4308-7-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download