Windows Analysis Report Mes_Drivers_3.0.4.exe

Overview

General Information

Sample Name: Mes_Drivers_3.0.4.exe
Analysis ID: 445340
MD5: 50a5e891da27e63d54e68511e48aa026
SHA1: 87073d85a7ba420b15c8bb9a9e4adc64db2bcfef
SHA256: 0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries device information via Setup API
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AESCRYPT Tool
Yara signature match

AV Detection:

Antivirus detection for URL or domain
Source: http://www.nationsbank.com/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\aes_x86.exe Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\aes_x86.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\detection.exe ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Mes_Drivers_3.0.4.exe Virustotal: Detection: 11%
Source: Mes_Drivers_3.0.4.exe Metadefender: Detection: 13%
Source: Mes_Drivers_3.0.4.exe ReversingLabs: Detection: 16%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.detection.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00456370 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 11_2_00456370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00431450 CryptHashData, 11_2_00431450
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00431460 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 11_2_00431460
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00431400 CryptAcquireContextA,CryptCreateHash, 11_2_00431400
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00456660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 11_2_00456660
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0042FAF0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 11_2_0042FAF0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697683750 CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,sprintf,CryptGenRandom,CryptReleaseContext,_fread_nolock,_fread_nolock,fflush, 36_2_00007FF697683750

Exploits:

Contains functionality to create an SMB header
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: mov dword ptr [rsi+0000490Dh], 424D53FFh 11_2_00435030
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: mov dword ptr [rdi+0000490Dh], 424D53FFh 11_2_00435730

Compliance:

Uses 32bit PE files
Source: Mes_Drivers_3.0.4.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: Mes_Drivers_3.0.4.exe Static PE information: certificate valid
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: Binary string: devcon.pdbGCTL source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp
Source: Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: waitfor.pdb source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdbH source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdb8d:j source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\x64\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: waitfor.pdbP' source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0044C2B0 GetLongPathNameW,FindFirstFileW,FindClose, 1_2_0044C2B0
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004093DC FindFirstFileW,FindClose, 1_2_004093DC
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004197A4 FindFirstFileW,FindClose, 1_2_004197A4
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00408E18 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 1_2_00408E18
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00409CCC FindFirstFileW,FindClose, 4_2_00409CCC
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_0040B11E FindFirstFileW, 4_2_0040B11E
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00409708 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_00409708
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_004624F0 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 11_2_004624F0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7456560 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 17_2_00007FF7A7456560
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768AA44 FindClose,FindFirstFileExW,FindNextFileW,FindClose, 36_2_00007FF69768AA44
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\Desktop\desktop.ini

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_00425170
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, byte ptr [rsp+rcx+20h] 11_2_00463850
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, word ptr [rcx] 11_2_0045F000
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, byte ptr [rcx] 11_2_00432080
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [00000000004C76A8h] 11_2_0040A100
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov r9, qword ptr [rdi] 11_2_00416370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_004254E8
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_00425562
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_00425504
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, byte ptr [r11] 11_2_0045F510
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_00425520
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_0042553C
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_004255D8
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov r8, qword ptr [rsi] 11_2_004055F0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movsxd rax, rcx 11_2_0046C5F0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rax, qword ptr [r8-08h] 11_2_004255A7
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov eax, ecx 11_2_004705B0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movsx eax, byte ptr [rbx] 11_2_0041364E
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, byte ptr [rdx] 11_2_00453630
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea rbx, qword ptr [rsp+40h] 11_2_00466720
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx r9d, byte ptr [rbx] 11_2_0045285E
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx ecx, byte ptr [r11] 11_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then cmp dword ptr [r12+28h], 01h 11_2_004628B0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov r9, qword ptr [rbx] 11_2_004479A0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx ebx, byte ptr [rsi+rbp] 11_2_00411CC0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx ecx, byte ptr [rdx] 11_2_00461CA0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then test eax, eax 11_2_00436DC0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423DD0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx eax, byte ptr [r8+rdx] 11_2_0046DE60
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423E6C
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movsx eax, byte ptr [rdi] 11_2_00413E00
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea rcx, qword ptr [00000000004B25F8h] 11_2_00446E10
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then cmp dword ptr [r15+rbp*4+000008A8h], 00000000h 11_2_0044CE20
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423ED5
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423EF8
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423EB2
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then mov rdx, rax 11_2_0043CF40
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423F7B
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then lea ecx, dword ptr [r15+10h] 11_2_00423F3C
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 4x nop then movzx r8d, al 11_2_00461FA0

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00427A30 recv, 11_2_00427A30
Source: global traffic HTTP traffic detected: GET /index.php?v_page=31&v_id=8KVKWmfznwDbzahM HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.touslesdrivers.comConnection: Keep-Alive
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: --ftp-pret Send PRET before PASV (for drftpd) (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-account DATA Account data string (F) --form-string STRING Specify HTTP multipart POST data (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --false-start Enable TLS False Start. -f, --fail Fail silently (no output at all) on HTTP errors (H) --expect100-timeout SECONDS How long to wait for 100-continue (H) --engine ENGINE Crypto engine (use "--engine list" for list) (SSL) --egd-file FILE EGD socket path for random data (SSL) -D, --dump-header FILE Write the headers to FILE --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-interface Interface to use for DNS requests --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --disable-epsv Inhibit using EPSV (F) --disable-eprt Inhibit using EPRT or LPRT (F) --digest Use HTTP Digest Authentication (H) --delegation STRING GSS-API delegation permission --data-urlencode DATA HTTP POST data url encoded (H) --data-binary DATA HTTP POST binary data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-raw DATA HTTP POST data, '@' allowed (H) -d, --data DATA HTTP POST data (H) --crlfile FILE Get a CRL list in PEM format from the given file --crlf Convert LF to CRLF in upload --create-dirs Create necessary local directory hierarchy -c, --cookie-jar FILE Write cookies to FILE after operation (H) -b, --cookie STRING/FILE Read cookies from STRING/FILE (H) -C, --continue-at OFFSET Resumed transfer OFFSET --connect-to HOST1:PORT1:HOST2:PORT2 Connect to host (network level) --connect-timeout SECONDS Maximum time allowed for connection -K, --config FILE Read config from FILE --compressed Request compressed response (using deflate or gzip) --ciphers LIST SSL ciphers to use (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --cert-status Verify the status of the server certificate (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --capath DIR CA directory to verify peer against (SSL) --cacert FILE CA certificate to verify peer against (SSL) --basic Use HTTP Basic Authentication (H) -a, --append Append to target file when uploading (F/SFTP) --anyauth Pick "any" authentication method (H)Options: (H) means HTTP/HTTPS only, (F) means FTP onlyUsage: curl [options...] <url>Features: %s Protocols: curl 7.51.0 (x86_64-pc-win32) %s
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: --ftp-pret Send PRET before PASV (for drftpd) (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-account DATA Account data string (F) --form-string STRING Specify HTTP multipart POST data (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --false-start Enable TLS False Start. -f, --fail Fail silently (no output at all) on HTTP errors (H) --expect100-timeout SECONDS How long to wait for 100-continue (H) --engine ENGINE Crypto engine (use "--engine list" for list) (SSL) --egd-file FILE EGD socket path for random data (SSL) -D, --dump-header FILE Write the headers to FILE --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-interface Interface to use for DNS requests --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --disable-epsv Inhibit using EPSV (F) --disable-eprt Inhibit using EPRT or LPRT (F) --digest Use HTTP Digest Authentication (H) --delegation STRING GSS-API delegation permission --data-urlencode DATA HTTP POST data url encoded (H) --data-binary DATA HTTP POST binary data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-raw DATA HTTP POST data, '@' allowed (H) -d, --data DATA HTTP POST data (H) --crlfile FILE Get a CRL list in PEM format from the given file --crlf Convert LF to CRLF in upload --create-dirs Create necessary local directory hierarchy -c, --cookie-jar FILE Write cookies to FILE after operation (H) -b, --cookie STRING/FILE Read cookies from STRING/FILE (H) -C, --continue-at OFFSET Resumed transfer OFFSET --connect-to HOST1:PORT1:HOST2:PORT2 Connect to host (network level) --connect-timeout SECONDS Maximum time allowed for connection -K, --config FILE Read config from FILE --compressed Request compressed response (using deflate or gzip) --ciphers LIST SSL ciphers to use (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --cert-status Verify the status of the server certificate (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --capath DIR CA directory to verify peer against (SSL) --cacert FILE CA certificate to verify peer against (SSL) --basic Use HTTP Basic Authentication (H) -a, --append Append to target file when uploading (F/SFTP) --anyauth Pick "any" authentication method (H)Options: (H) means HTTP/HTTPS only, (F) means FTP onlyUsage: curl [options...] <url>Features: %s Protocols: curl 7.51.0 (i386-pc-win32) %s
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: unknown DNS traffic detected: queries for: www.touslesdrivers.com
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: ftp://cool.haxx.se/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: ftp://ftp.com/moo.exe
Source: curl_x64.exe String found in binary or memory: ftp://ftp.funet.fi/README
Source: curl_x64.exe String found in binary or memory: ftp://ftp.leachsite.com/README
Source: curl_x64.exe String found in binary or memory: ftp://ftp.server.com/path/file
Source: curl_x64.exe String found in binary or memory: ftp://ftp.sunet.se/pub/www/utilities/curl/
Source: curl_x64.exe String found in binary or memory: ftp://ftp.sunet.se/pub/www/utilities/curl/SEE
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://curl.haxx.se/0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://help.with.curl.com/curlhelp.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://machine.domain/full/path/to/file
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://remote.server.com/remote.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://that.secret.site.com
Source: curl_x64.exe String found in binary or memory: http://that.secret.site.comEXTRA
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://trust.web.de/crl/ca03.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://url.com/file.txt
Source: detection.exe, 00000004.00000002.403007918.0000000000472000.00000040.00020000.sdmp String found in binary or memory: http://www.abyssmedia.com
Source: curl_x64.exe String found in binary or memory: http://www.drh-consultancy.d
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.drh-consultancy.demon.co.uk/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.formpost.com/getthis/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.formpost.com/getthis/post.cgi
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.get.this/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.nationsbank.com/
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.netscape.com/
Source: curl_x64.exe String found in binary or memory: http://www.netscape.com/HTTPS
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.netscape.com/index.html
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.post.com/postit.cgi
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.server.com/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.showme.com/
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=
Source: detection.exe, 00000004.00000003.399270098.00000000009F9000.00000004.00000001.sdmp, detection.exe, 00000004.00000002.405879804.0000000002AE8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.400133733.0000000002ABB000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: detection.exe, 00000004.00000002.404454752.00000000009DC000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.398665475.00000000009DA000.00000004.00000001.sdmp String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahMAzOh
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=V
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, Mes_Drivers_3.0.4.exe, 00000001.00000002.410166298.0000000002810000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp String found in binary or memory: http://www.touslesdrivers.com/php/mes_drivers/code_source.php
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.upload.com/myfile
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.weirdserver.com:8000/
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: http://www.where.com/guest.cgi
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se
Source: curl_x64.exe String found in binary or memory: https://curl.haxx.se/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/P
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/docs/
Source: curl_x64.exe String found in binary or memory: https://curl.haxx.se/docs/copyright.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: curl_x64.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: curl_x64.exe String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/mail/.
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://curl.haxx.se/rfc/rfc2255.txt
Source: curl_x64.exe String found in binary or memory: https://curl.haxx.seFTP
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://ftp.mozilla.org
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://git.fedora-
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://secure.site.com/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: https://trust.web.de/crl/ca03.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: https://trust.web.de0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp String found in binary or memory: https://trust.web.de01
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://www.openssl.org/docs/apps/ciphers.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp String found in binary or memory: https://www.secure-site.com
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=.S
Source: detection.exe, 00000004.00000003.399270098.00000000009F9000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_versio
Source: detection.exe, 00000004.00000003.399826501.0000000000A22000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4
Source: detection.exe, 00000004.00000003.400740202.0000000000A3F000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4work
Source: detection.exe, 00000004.00000002.404357113.000000000099B000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4x
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=
Source: curl_x64.exe, 0000000B.00000002.232370646.00000000009D0000.00000004.00000040.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4
Source: detection.exe, 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4ahM&v_version=indo
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=Ad
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49756 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: detection.exe, 00000004.00000002.404267982.000000000097A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00456370 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 11_2_00456370

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00451718 1_2_00451718
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00412816 1_2_00412816
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00407E34 1_2_00407E34
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_0041313A 4_2_0041313A
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00408724 4_2_00408724
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0042F130 11_2_0042F130
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0040D4E9 11_2_0040D4E9
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_004264A1 11_2_004264A1
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00448670 11_2_00448670
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00422960 11_2_00422960
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0044A090 11_2_0044A090
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00416370 11_2_00416370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00456370 11_2_00456370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045D484 11_2_0045D484
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00453670 11_2_00453670
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045D729 11_2_0045D729
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00467800 11_2_00467800
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045F820 11_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_004288F0 11_2_004288F0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00440900 11_2_00440900
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045EAB0 11_2_0045EAB0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0044DB60 11_2_0044DB60
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00452C90 11_2_00452C90
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00472D70 11_2_00472D70
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00468DC0 11_2_00468DC0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00413E00 11_2_00413E00
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0044CE20 11_2_0044CE20
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045CE2F 11_2_0045CE2F
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00451EA0 11_2_00451EA0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0043CF40 11_2_0043CF40
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0045CFD0 11_2_0045CFD0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A745286C 17_2_00007FF7A745286C
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7451970 17_2_00007FF7A7451970
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7455890 17_2_00007FF7A7455890
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7453EA0 17_2_00007FF7A7453EA0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697683750 36_2_00007FF697683750
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697692810 36_2_00007FF697692810
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768CA14 36_2_00007FF69768CA14
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697684840 36_2_00007FF697684840
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697688900 36_2_00007FF697688900
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697681300 36_2_00007FF697681300
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768B4C0 36_2_00007FF69768B4C0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768FD60 36_2_00007FF69768FD60
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697681760 36_2_00007FF697681760
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697682750 36_2_00007FF697682750
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768D54C 36_2_00007FF69768D54C
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697681000 36_2_00007FF697681000
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\aes_x86.exe B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00427190 appears 312 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00427290 appears 328 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 0041C050 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 0045FEC0 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00414800 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 0045FB50 appears 375 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00402DA0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 0040ACC0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00454EB0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 0045AEF0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: String function: 00414970 appears 57 times
PE file contains strange resources
Source: aes_x64.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aes_x86.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: curl_x64.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.410587105.0000000002E80000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.220926484.000000000282F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewaitfor.exej% vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilename8 vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.411022700.0000000002F80000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.411022700.0000000002F80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Mes_Drivers_3.0.4.exe
Uses 32bit PE files
Source: Mes_Drivers_3.0.4.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Yara signature match
Source: 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = https://creativecommons.org/licenses/by-nc/4.0/, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: classification engine Classification label: mal72.evad.winEXE@52/81@9/7
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_004183B4 GetLastError,FormatMessageA,GetLastError,SetLastError, 11_2_004183B4
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7451194 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW, 17_2_00007FF7A7451194
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00419CF4 GetDiskFreeSpaceW, 1_2_00419CF4
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00448AA4 CoCreateInstance, 1_2_00448AA4
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0043D5F0 FindResourceW,LoadResource,SizeofResource,LockResource, 1_2_0043D5F0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB2B1FBA-DF79-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2904:120:WilError_01
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File created: C:\Users\user\AppData\Local\Temp\detection.exe
Source: Yara match File source: Mes_Drivers_3.0.4.exe, type: SAMPLE
Source: Yara match File source: 4.2.detection.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Mes_Drivers_3.0.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Mes_Drivers_3.0.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.218185318.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.407834625.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.402849297.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\detection.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\detection.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, MaxClockSpeed, Name, SocketDesignation FROM Win32_Processor
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Mes_Drivers_3.0.4.exe Virustotal: Detection: 11%
Source: Mes_Drivers_3.0.4.exe Metadefender: Detection: 13%
Source: Mes_Drivers_3.0.4.exe ReversingLabs: Detection: 16%
Source: curl_x64.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-servers <ip-address,ip-address>
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv6-addr <ip-address> Tel
Source: curl_x64.exe String found in binary or memory: Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit charac- ter is given in the range, the server's response will be unspec- ified, de
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv4-addr <ip-address> Tell
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-servers <ip-address,ip-address>
Source: curl_x64.exe String found in binary or memory: Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit charac- ter is given in the range, the server's response will be unspec- ified, de
Source: curl_x64.exe String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv4-addr <ip-address> Tell
Source: curl_x64.exe String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv6-addr <ip-address> Tel
Source: curl_x64.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: detect_x64.exe String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: detect_x64.exe String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File read: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
Source: unknown Process created: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe 'C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe'
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\detection.exe 'C:\Users\user\AppData\Local\Temp\detection.exe'
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' VER '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:'version 5\.[0-1]\.'
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" hwids 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" -
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request POST --form "v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" "https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C START "" "http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7120 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C START "" "C:\Users\user\AppData\Local\Temp\interface.lnk"
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\detection.exe "C:\Users\user\AppData\Local\Temp\detection.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\interface.cmd" "
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request GET "https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" -
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request POST --form "v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" "https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C START "" "http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" VER "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:"version 5\.[0-1]\."
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7120 CREDAT:17410 /prefetch:2
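Read top to bottom, the process list above is a two-track launcher. Mes_Drivers_3.0.4.exe (a Delphi build; its .didata section is the Delphi delayed-import table) starts detection.exe and, through interface.lnk, a console batch file interface.cmd. The batch side sizes its window (MODE CON), pipes VER through FINDSTR /I /R /C:"version 5\.[0-1]\." (a check for Windows XP-era VER output, version 5.0 or 5.1) and then blocks in WAITFOR unlock. detection.exe meanwhile checks for a newer version with a bundled curl, confirms the WMI service is running (SC query Winmgmt), issues the WMI queries listed under Malware Analysis System Evasion, runs detect_x64.exe (a build of Microsoft's DevCon, per the devcon.pdb strings) with the DevCon verbs driverfiles, drivernodes, hwids, stack and status over the 1394/DISPLAY/HDAUDIO/HID/MONITOR/PCI/PCMCIA/SBP2/SD/USB device classes, feeds the result to aes_x64.exe (AES Crypt, per the aescrypt.pdb path; the trailing - means read stdin) with -e -p <password> -o <file>, POSTs that file's contents as the v_configuration form field to envoi.php, opens the result page in the default browser, and releases the batch window with WAITFOR /S computer /SI unlock. The x86 copies of the same tools are dropped but never run on this 64-bit sandbox, which is what the "Dropped PE file which has not been started" entries below record.

The point a reviewer should take from this: the AES Crypt password is passed as a plain command-line argument, so every process-creation record (this report, Sysmon event 1, event 4688 with command-line auditing enabled) contains it, and since the upload already travels over HTTPS the local encryption adds no confidentiality against anyone who can read those logs. The following Python is an added example, not code from the report or from Mes Drivers: it parses lines in the report's "Process created:" format into a parent/child tree and flags a password on an AES Crypt command line, a curl --form upload of a local file, the WAITFOR signal handshake and the FINDSTR version gate. The sample lines are constructed copies of the report's format; the password and the upload id in them are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample in the report's "Process created:" format. The password and the
# upload id are illustrative, not the report's real values.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\detection.exe "C:\Users\user\AppData\Local\Temp\detection.exe"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p S3cret!Pass -o "C:\Users\user\AppData\Local\Temp\out\out" -
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request POST --form "v_configuration=<C:\Users\user\AppData\Local\Temp\out\out" "https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=out&v_version=3.0.4"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:"version 5\.[0-1]\."
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
"""

# parent image, created image (first ".exe"/".com" after the marker), rest of the command line
LINE_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<image>.+?\.(?:exe|com))\s+(?P<cmdline>.*)$",
    re.IGNORECASE,
)


@dataclass
class Proc:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    args: list    # command line split on whitespace outside double quotes


@dataclass
class Finding:
    kind: str
    image: str
    detail: str


def split_args(cmdline):
    """Split a Windows command line on whitespace outside double quotes (quotes removed)."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_report(text):
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs.append(Proc(m["parent"], m["image"], split_args(m["cmdline"])))
    return procs


def chain(procs, proc):
    """Ancestry of proc, root first. The report keys on image paths rather than PIDs,
    so a self-spawning cmd.exe collapses to one node and the walk stops there."""
    parents = {p.image.lower(): p.parent for p in procs}
    path, cur = [proc.image], proc.parent
    while cur and cur.lower() not in {p.lower() for p in path}:
        path.append(cur)
        cur = parents.get(cur.lower())
    return path[::-1]


def triage(procs):
    findings, signals, waits = [], {}, {}
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        low = [a.lower() for a in p.args]
        # 1. AES Crypt style "-p <password>": the secret lands in every process-creation log
        if name.startswith("aes") and "-p" in low:
            pw = p.args[low.index("-p") + 1]
            findings.append(Finding("secret_on_cmdline", p.image,
                                    f"password {pw!r} visible to process-creation telemetry"))
        # 2. curl multipart upload of a local file ("--form field=<path" sends the file's contents)
        if name.startswith("curl") and "--form" in low:
            form = p.args[low.index("--form") + 1]
            url = next((a for a in p.args if a.lower().startswith("http")), "?")
            if "=<" in form:
                findings.append(Finding("file_upload", p.image, f"{form.split('=<', 1)[1]} -> {url}"))
        # 3. WAITFOR handshake: one process blocks on a signal name, another sends it with /SI
        if name == "waitfor.exe" and len(p.args) >= 2:
            if "/si" in low:
                signals[p.args[low.index("/si") + 1].lower()] = p.parent
            else:
                waits[p.args[-1].lower()] = p.parent
        # 4. OS version gate: FINDSTR applied to the output of VER
        if name == "findstr.exe" and any("version" in a for a in low):
            findings.append(Finding("os_version_gate", p.image, p.args[-1]))
    for sig, sender in signals.items():
        if sig in waits:
            findings.append(Finding("waitfor_handshake", sender,
                                    f"signals {sig!r} to release {waits[sig]}"))
    return findings


if __name__ == "__main__":
    procs = parse_report(SAMPLE_REPORT)
    for f in triage(procs):
        print(f"{f.kind:18} {f.image}: {f.detail}")
```

The same four rules apply unchanged to Sysmon event 1 or 4688 records once the parent image and command line are extracted, which is where a detection engineer would actually run them; the secret_on_cmdline rule is the one worth keeping as a standing alert for any aescrypt, openssl enc -k or 7z -p invocation.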
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Mes_Drivers_3.0.4.exe Static PE information: certificate valid
Source: Mes_Drivers_3.0.4.exe Static file information: File size 1624440 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Mes_Drivers_3.0.4.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x130400
Source: Binary string: devcon.pdbGCTL source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp
Source: Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: waitfor.pdb source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdbH source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdb8d:j source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\x64\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: waitfor.pdbP' source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source: Binary string: devcon.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\detection.exe Unpacked PE file: 4.2.detection.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Obfuscated command line found
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" -
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" -
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0042C2E0 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 11_2_0042C2E0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains sections with non-standard names
Source: Mes_Drivers_3.0.4.exe Static PE information: section name: .didata
Source: detection.exe.1.dr Static PE information: section name: .MPRESS1
Source: detection.exe.1.dr Static PE information: section name: .MPRESS2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004562E0 push 0045636Ch; ret 1_2_00456364
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0042C018 push 0042C084h; ret 1_2_0042C07C
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004413CC push ecx; mov dword ptr [esp], edx 1_2_004413CE
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0043D3D4 push ecx; mov dword ptr [esp], edx 1_2_0043D3D6
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00456394 push 0045644Ah; ret 1_2_00456442
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00456454 push 004564DFh; ret 1_2_004564D7
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0042B50C push ecx; mov dword ptr [esp], ecx 1_2_0042B50F
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004145EC push 00414A17h; ret 1_2_00414A0F
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0045073C push 00450774h; ret 1_2_0045076C
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00449860 push 004498DDh; ret 1_2_004498D5
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004508D4 push ecx; mov dword ptr [esp], ecx 1_2_004508D7
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004218F4 push 00421A8Eh; ret 1_2_00421A86
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004149D4 push 00414A17h; ret 1_2_00414A0F
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00451AA8 push 00451AECh; ret 1_2_00451AE4
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00444B68 push 00444C35h; ret 1_2_00444C2D
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00438E70 push ecx; mov dword ptr [esp], edx 1_2_00438E75
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0041FE94 push ecx; mov dword ptr [esp], edx 1_2_0041FE99
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0042DEA8 push 0042DEF5h; ret 1_2_0042DEED
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00409FB0 push 0040A037h; ret 1_2_0040A02F
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_0040A8D4 push 0040A95Bh; ret 4_2_0040A953
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00414F10 push 0041533Bh; ret 4_2_00415333
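Three of the entries above are static properties of the section table and one is a diff of it. detection.exe is packed with MPRESS: .MPRESS1 holds the compressed image, .MPRESS2 holds the decompression stub the entry point lands in, and the comparison line shows the code sections as E+R in the file but E+W in the memory dump, because the stub has to make them writable to decompress into them. That diff is what "Detected unpacking (changes PE section rights)" means. The .didata section in Mes_Drivers_3.0.4.exe is not a packer artefact; it is the delayed-import section the Delphi compiler emits. Likewise the push <addr>; ret pairs listed under "Uses code obfuscation techniques" are Delphi's try/finally epilogue: push the continuation address, fall through into the finally block, which ends in ret, followed by a jmp @HandleFinally and a short jmp back (8 bytes, which is exactly the distance between each ret and the pushed address above, e.g. 00456364 to 0045636C). On this sample they are a compiler idiom rather than obfuscation, and the push ecx; mov dword ptr [esp], edx prologues are Delphi reserving a stack slot for a local.

The following Python is an added example, not code from the report or from Mes Drivers: it reads the section table with struct only, evaluates the three static checks (entry-point section, non-standard section names, writable+executable sections) and reproduces the rights comparison between an on-disk and an in-memory copy. Because it must run offline it builds two constructed PE32 headers that mirror the layout above; point static_checks at the bytes of a real file (open(path, "rb").read()) to use it on samples. The E/R/W letters are this example's own notation, and the set of "standard" names is this example's, not the sandbox's exact list.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a linker normally emits; anything else is reported, as the sandbox does.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".xdata"}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image (DOS header, COFF header, optional header, section
    table). sections = [(name, rva, virtual_size, characteristics)]. Not loadable, but it
    carries exactly the headers the checks below read."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                    # e_lfanew
    opt_size = 224                                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, rva, vsize, 0, 0, 0, 0, 0, chars)
        for name, rva, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [(name, rva, virtual_size, characteristics)]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]       # AddressOfEntryPoint
    table = opt_off + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, rva, *_, chars = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, chars))
    return entry, secs


def rights(chars):
    """Protection letters: E(xecute) R(ead) W(rite)."""
    return "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"),
                                              (IMAGE_SCN_MEM_WRITE, "W")) if chars & bit)


def section_of(rva, secs):
    for name, start, size, _ in secs:
        if start <= rva < start + size:
            return name
    return None


def static_checks(data):
    """The three static signatures: entry-point section, non-standard names, W+X sections."""
    entry, secs = parse_sections(data)
    ep = section_of(entry, secs)
    return {
        "entry_section": ep,
        "entry_outside_standard": ep not in STANDARD_SECTIONS,
        "non_standard_names": [n for n, *_ in secs if n not in STANDARD_SECTIONS],
        "writable_executable": [n for n, _, _, c in secs
                                if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE],
    }


def rights_changed(on_disk, in_memory):
    """The 'changes PE section rights' comparison: the same section table read from the
    file and from a memory dump, reporting the sections whose protection differs."""
    disk = {n: rights(c) for n, _, _, c in parse_sections(on_disk)[1]}
    mem = {n: rights(c) for n, _, _, c in parse_sections(in_memory)[1]}
    return {n: (disk[n], mem.get(n)) for n in disk if disk[n] != mem.get(n)}


# Constructed layouts mirroring the report: MPRESS on disk (code sections E+R), the same
# image after the stub has unpacked in place (E+R+W), entry point inside .MPRESS2.
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
MPRESS_DISK = [(".MPRESS1", 0x1000, 0x8000, E | R), (".MPRESS2", 0x9000, 0x1000, E | R),
               (".rsrc", 0xA000, 0x1000, R | W)]
MPRESS_MEMORY = [(".MPRESS1", 0x1000, 0x8000, E | R | W), (".MPRESS2", 0x9000, 0x1000, E | R | W),
                 (".rsrc", 0xA000, 0x1000, R | W)]
MPRESS_ENTRY = 0x9100

if __name__ == "__main__":
    disk, mem = build_pe(MPRESS_DISK, MPRESS_ENTRY), build_pe(MPRESS_MEMORY, MPRESS_ENTRY)
    print(static_checks(disk))
    print(rights_changed(disk, mem))
```

A non-standard name or an entry point outside .text is only evidence of the toolchain or packer, as the .didata and .MPRESS cases here show; the rights diff is the stronger signal because a benign image has no reason to turn its code pages writable after load.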

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\waitfor_x86_2.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\detect_x64_2.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\aes_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\curl_x64.exe
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File created: C:\Users\user\AppData\Local\Temp\detection.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\curl_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\aes_x64.exe
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File created: C:\Users\user\AppData\Local\Temp\waitfor_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\detect_x64.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe File created: C:\Users\user\AppData\Local\Temp\detect_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT BankLabel, Capacity, PartNumber FROM Win32_PhysicalMemory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product, Version FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, SMBIOSBIOSVersion FROM Win32_BIOS
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, InterfaceType, Size FROM Win32_DiskDrive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT MACAddress, Manufacturer, Name FROM Win32_NetworkAdapter WHERE PNPDeviceID LIKE "PCI\\%" OR PNPDeviceID LIKE "PCMCIA\\%" OR PNPDeviceID LIKE "USB\\%"
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT BankLabel, Capacity, PartNumber FROM Win32_PhysicalMemory
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A745286C SetupDiGetDeviceInstallParamsW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiOpenDevRegKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetupDiGetDeviceRegistryPropertyW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiGetDriverInfoDetailW,GetLastError,SetupDiEnumDriverInfoW,SetupDiDestroyDriverInfoList,RegCloseKey, 17_2_00007FF7A745286C
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\detection.exe Window / User API: threadDelayed 1139
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\detection.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\waitfor_x86_2.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\detect_x64_2.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aes_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\curl_x86.exe
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\waitfor_x86.exe
Source: C:\Users\user\AppData\Local\Temp\detection.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\detect_x86.exe
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe API coverage: 9.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\waitfor.exe TID: 980 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 2540 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 6984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 7128 Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\detection.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, MaxClockSpeed, Name, SocketDesignation FROM Win32_Processor
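The six WQL queries detection.exe issues (Win32_PhysicalMemory, Win32_BaseBoard, Win32_BIOS, Win32_DiskDrive, Win32_NetworkAdapter restricted to PCI/PCMCIA/USB adapters, and Win32_Processor above) are the hardware inventory a driver-lookup service needs, which is consistent with their results feeding the v_configuration upload seen in the process list. The sandbox flags them because the same properties (baseboard and BIOS strings, disk captions, adapter names and MAC OUIs, DIMM part numbers and total capacity) are what VM-detection code reads to decide whether it is running under VMware, VirtualBox, Hyper-V, Xen, QEMU/KVM or Parallels. The signature is about the query, not about what is done with the result; the SC query Winmgmt that precedes them only confirms the WMI service is running.

The following Python is an added example, not code from the report or from Mes Drivers: it shows the heuristic that would make such queries evasive, scoring rows of the shape ExecQuery returns against hypervisor vendor strings, the MAC OUIs hypervisors assign, low total RAM and blank DIMM part numbers. Both row sets are constructed (a typical VMware guest and a physical desktop); the marker list, the OUI set and the thresholds are this example's choices, and a sandbox operator can run the same function against their own guest's values to see which ones give it away.

```python
# Strings that only a hypervisor puts into the properties the report's queries read.
HYPERVISOR_MARKERS = ("vmware", "vmxnet", "440bx", "virtualbox", "vbox", "innotek", "qemu",
                      "bochs", "kvm", "xen", "hyper-v", "virtual machine", "parallels", "virtual")
# MAC OUIs assigned to VMware, VirtualBox (innotek), Hyper-V, Xen, Parallels and the QEMU/KVM default.
HYPERVISOR_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56", "08:00:27",
                   "00:15:5D", "00:16:3E", "00:1C:42", "52:54:00"}
MIN_PLAUSIBLE_RAM = 4 * 2**30   # a common evasion threshold: analysis VMs are often given little RAM


def vm_indicators(rows):
    """rows maps a WMI class to the list of records its ExecQuery returned
    (property -> value), i.e. the shape the report's queries produce."""
    hits = []
    for cls, records in rows.items():
        for rec in records:
            for prop, val in rec.items():
                if not isinstance(val, str):
                    continue            # Capacity, Size, MaxClockSpeed are integers
                if prop == "MACAddress":
                    if val[:8].upper() in HYPERVISOR_OUIS:
                        hits.append(f"{cls}.{prop}={val} (hypervisor OUI)")
                    continue
                marker = next((m for m in HYPERVISOR_MARKERS if m in val.lower()), None)
                if marker:
                    hits.append(f"{cls}.{prop}={val!r} matches {marker!r}")
    memory = rows.get("Win32_PhysicalMemory", [])
    total = sum(r.get("Capacity", 0) for r in memory)
    if memory and total < MIN_PLAUSIBLE_RAM:
        hits.append(f"Win32_PhysicalMemory total {total >> 20} MiB")
    if memory and all(not r.get("PartNumber", "").strip() for r in memory):
        hits.append("Win32_PhysicalMemory.PartNumber empty on every DIMM")
    return hits


def looks_like_vm(rows, threshold=2):
    """(verdict, evidence): two independent indicators are required to avoid a single
    false positive such as a physical host with the word 'Virtual' in a device name."""
    hits = vm_indicators(rows)
    return len(hits) >= threshold, hits


# Constructed rows: what the report's queries typically return on a VMware guest and on a
# physical desktop. Values are illustrative, not captured from a real machine.
VMWARE_GUEST = {
    "Win32_BaseBoard": [{"Manufacturer": "Intel Corporation", "Product": "440BX Desktop Reference Platform", "Version": "None"}],
    "Win32_BIOS": [{"Caption": "PhoenixBIOS 4.0 Release 6.0", "SMBIOSBIOSVersion": "6.00"}],
    "Win32_DiskDrive": [{"Caption": "VMware Virtual disk SCSI Disk Device", "InterfaceType": "SCSI", "Size": 64 * 2**30}],
    "Win32_NetworkAdapter": [{"MACAddress": "00:0C:29:3A:5B:6C", "Manufacturer": "VMware, Inc.", "Name": "vmxnet3 Ethernet Adapter"}],
    "Win32_PhysicalMemory": [{"BankLabel": "RAM slot #0", "Capacity": 2 * 2**30, "PartNumber": ""}],
    "Win32_Processor": [{"Caption": "Intel64 Family 6 Model 85 Stepping 4", "Manufacturer": "GenuineIntel",
                         "MaxClockSpeed": 2400, "Name": "Intel(R) Xeon(R) Gold 6148 CPU @ 2.40GHz", "SocketDesignation": "CPU #000"}],
}
PHYSICAL_DESKTOP = {
    "Win32_BaseBoard": [{"Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "PRIME Z390-A", "Version": "Rev 1.xx"}],
    "Win32_BIOS": [{"Caption": "1401", "SMBIOSBIOSVersion": "1401"}],
    "Win32_DiskDrive": [{"Caption": "Samsung SSD 970 EVO 1TB", "InterfaceType": "SCSI", "Size": 1000 * 2**30}],
    "Win32_NetworkAdapter": [{"MACAddress": "D8:BB:C1:44:55:66", "Manufacturer": "Intel Corporation", "Name": "Intel(R) Ethernet Connection I219-V"}],
    "Win32_PhysicalMemory": [{"BankLabel": "BANK 0", "Capacity": 16 * 2**30, "PartNumber": "CMK32GX4M2B3200C16"},
                             {"BankLabel": "BANK 2", "Capacity": 16 * 2**30, "PartNumber": "CMK32GX4M2B3200C16"}],
    "Win32_Processor": [{"Caption": "Intel64 Family 6 Model 158 Stepping 12", "Manufacturer": "GenuineIntel",
                         "MaxClockSpeed": 3600, "Name": "Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz", "SocketDesignation": "LGA1151"}],
}

if __name__ == "__main__":
    for label, rows in (("vmware guest", VMWARE_GUEST), ("physical desktop", PHYSICAL_DESKTOP)):
        verdict, evidence = looks_like_vm(rows)
        print(label, "->", "VM" if verdict else "physical", evidence)
```

Every field this function scores is one a sandbox should randomise or overwrite in its guest profile (SMBIOS strings, disk model, NIC OUI, DIMM part numbers, and at least 4 GiB of RAM); the report's signature fires precisely because it cannot tell, from the query alone, whether the result will be uploaded as an inventory or compared against a list like this one.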
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0044C2B0 GetLongPathNameW,FindFirstFileW,FindClose, 1_2_0044C2B0
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004093DC FindFirstFileW,FindClose, 1_2_004093DC
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_004197A4 FindFirstFileW,FindClose, 1_2_004197A4
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00408E18 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 1_2_00408E18
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00409CCC FindFirstFileW,FindClose, 4_2_00409CCC
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_0040B11E FindFirstFileW, 4_2_0040B11E
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_00409708 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_00409708
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_004624F0 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 11_2_004624F0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7456560 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose, 17_2_00007FF7A7456560
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768AA44 FindClose,FindFirstFileExW,FindNextFileW,FindClose, 36_2_00007FF69768AA44
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00409F3C GetSystemInfo, 1_2_00409F3C
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: detect_x64.exe, 00000012.00000003.358084577.000002CC8AB32000.00000004.00000001.sdmp Binary or memory string: vmnetextensionusAddReg
Source: detect_x64.exe, 00000012.00000003.277605945.000002CC8AA6F000.00000004.00000001.sdmp Binary or memory string: vmnetextension
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: detect_x64.exe, 00000012.00000003.307496512.000002CC8AAFF000.00000004.00000001.sdmp Binary or memory string: vmnetextensionO@
Source: detect_x64.exe, 00000012.00000003.359448477.000002CC8AAF2000.00000004.00000001.sdmp Binary or memory string: vmnetextensionu@
Source: detect_x64.exe, 00000012.00000003.313739760.000002CC8AAF5000.00000004.00000001.sdmp Binary or memory string: vmnetextensionrs
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: detect_x64.exe, 00000012.00000003.306013471.000002CC8AB2C000.00000004.00000001.sdmp Binary or memory string: vmnetextensionOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;OICIIO;GA;;;CO)(A;CIOI;GRGWGXSD;;;PU)
Source: detect_x64.exe, 00000012.00000003.344834461.000002CC8AA72000.00000004.00000001.sdmp Binary or memory string: vmnetextension@h(XM
Source: detect_x64.exe, 00000012.00000003.319540550.000002CC8AA8D000.00000004.00000001.sdmp Binary or memory string: vmnetextensionsystem32\drivers\wfplwfs.sys,-6001g
Source: detect_x64.exe, 00000012.00000003.351611083.000002CC8AA86000.00000004.00000001.sdmp Binary or memory string: vmnetextensionHh(XM
Source: detect_x64.exe, 00000012.00000003.355404187.000002CC8AB0A000.00000004.00000001.sdmp Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: curl_x64.exe, 0000000B.00000002.232324322.0000000000611000.00000004.00000020.sdmp, waitfor.exe, 0000000F.00000002.259868660.0000000002FA7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\detection.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697688EE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF697688EE0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0042C2E0 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 11_2_0042C2E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00464730 EntryPoint,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetCommandLineA, 11_2_00464730
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00418CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00418CD0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7456CB0 SetUnhandledExceptionFilter, 17_2_00007FF7A7456CB0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A7456A94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF7A7456A94
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768FD1C SetUnhandledExceptionFilter, 36_2_00007FF69768FD1C
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF697688EE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF697688EE0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Code function: 36_2_00007FF69768BF74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00007FF69768BF74

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C START "" "C:\Users\user\AppData\Local\Temp\interface.lnk"
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\detection.exe "C:\Users\user\AppData\Local\Temp\detection.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\interface.cmd" "
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request GET "https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe "C:\Users\user\AppData\Local\Temp\detect_x64.exe" status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe "C:\Users\user\AppData\Local\Temp\aes_x64.exe" -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o "C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" -
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe "C:\Users\user\AppData\Local\Temp\curl_x64.exe" --connect-timeout 5 --max-time 20 --fail --silent --request POST --form "v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM" "https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C START "" "http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM"
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" VER "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:"version 5\.[0-1]\."
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\detection.exe Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_00404CA8 cpuid 1_2_00404CA8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 1_2_00409514
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: GetLocaleInfoW, 1_2_0042037C
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: EnumSystemLocalesW, 1_2_0042053C
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: GetLocaleInfoW, 1_2_0041D5D8
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: GetLocaleInfoW, 1_2_0041D624
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_004089BC
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 4_2_00409E04
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: EnumSystemLocalesW, 4_2_0040B10E
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: GetLocaleInfoW, 4_2_0040B1C6
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: GetLocaleInfoW, 4_2_0040B1BE
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_004092AC
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetUserDefaultLCID,EnumSystemLocalesA,GetUserDefaultLangID,GetLocaleInfoA,GetLocaleInfoA,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA, 11_2_0046D1D0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: EnumSystemLocalesA, 11_2_0046D060
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: EnumSystemLocalesA, 11_2_0046D130
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar, 11_2_004733A0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 11_2_004734C7
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA, 11_2_004714A0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,GetLocaleInfoA, 11_2_004735B0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 11_2_004736D0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA, 11_2_0046C860
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA, 11_2_0046C9C0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA, 11_2_0046CAD0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 11_2_0046CBE0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: GetLocaleInfoA, 11_2_0046CF30
Queries device information via Setup API
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe Code function: 17_2_00007FF7A745286C SetupDiGetDeviceInstallParamsW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiOpenDevRegKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetupDiGetDeviceRegistryPropertyW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiGetDriverInfoDetailW,GetLastError,SetupDiEnumDriverInfoW,SetupDiDestroyDriverInfoList,RegCloseKey, 17_2_00007FF7A745286C
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Queries volume information: C:\ VolumeInformation
Queries time zone information
Source: C:\Users\user\AppData\Local\Temp\detection.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation ActiveTimeBias
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0041BB80 GetLocalTime, 1_2_0041BB80
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00467160 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 11_2_00467160
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0041F038 GetVersionExW, 1_2_0041F038
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: detect_x64.exe, 00000012.00000003.262044414.000002CC8AAB6000.00000004.00000001.sdmp Binary or memory string: PGSETUP.EXE
Source: detect_x64.exe, 00000012.00000003.262044414.000002CC8AAB6000.00000004.00000001.sdmp Binary or memory string: 123.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe Code function: 1_2_0044F3E4 CreateBindCtx,MkParseDisplayNameEx, 1_2_0044F3E4
Source: C:\Users\user\AppData\Local\Temp\detection.exe Code function: 4_2_0040B882 CreateBindCtx, 4_2_0040B882
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0042A600 htons,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 11_2_0042A600
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_00440900 getsockname,WSAGetLastError,WSAGetLastError,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons, 11_2_00440900
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe Code function: 11_2_0043AFF0 bind,WSAGetLastError, 11_2_0043AFF0