Play interactive tour

Edit tour

Windows Analysis Report Mes_Drivers_3.0.4.exe

Overview

General Information

Sample Name:	Mes_Drivers_3.0.4.exe
Analysis ID:	445340
MD5:	50a5e891da27e63d54e68511e48aa026
SHA1:	87073d85a7ba420b15c8bb9a9e4adc64db2bcfef
SHA256:	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Queries device information via Setup API

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected AESCRYPT Tool

Yara signature match

Classification

Process Tree

System is w10x64

Mes_Drivers_3.0.4.exe (PID: 400 cmdline: 'C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe' MD5: 50A5E891DA27E63D54E68511E48AA026)

cmd.exe (PID: 1500 cmdline: 'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5064 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mode.com (PID: 5624 cmdline: MODE CON: COLS=76 LINES=15 MD5: D781CD6A6484C276A4D0750D9206A382)

cmd.exe (PID: 2588 cmdline: C:\Windows\system32\cmd.exe /S /D /c' VER ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

findstr.exe (PID: 6040 cmdline: FINDSTR /I /R /C:'version 5\.[0-1]\.' MD5: 8B534A7FC0630DE41BB1F98C882C19EC)

waitfor.exe (PID: 2172 cmdline: WAITFOR unlock MD5: 83E921720CA3BD03CF6BF5686E802C3D)

detection.exe (PID: 5556 cmdline: 'C:\Users\user\AppData\Local\Temp\detection.exe' MD5: 02BA1C44B6392F013A7AA0B91314F45A)

conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

curl_x64.exe (PID: 5968 cmdline: 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4' MD5: E80C8CB9887A7C9426D4E843DDDB8A44)

waitfor.exe (PID: 1012 cmdline: WAITFOR /S DESKTOP-716T771 /SI unlock MD5: 83E921720CA3BD03CF6BF5686E802C3D)

sc.exe (PID: 5852 cmdline: SC query Winmgmt MD5: 24A3E2603E63BCB9695A2935D3B24695)

waitfor.exe (PID: 2904 cmdline: WAITFOR /S DESKTOP-716T771 /SI unlock MD5: 83E921720CA3BD03CF6BF5686E802C3D)

detect_x64.exe (PID: 360 cmdline: 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\* MD5: 6A7EC375AF8BA2E87FF7F23497E9944E)

detect_x64.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\* MD5: 6A7EC375AF8BA2E87FF7F23497E9944E)

detect_x64.exe (PID: 1012 cmdline: 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' hwids 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\* MD5: 6A7EC375AF8BA2E87FF7F23497E9944E)

detect_x64.exe (PID: 1692 cmdline: 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\* MD5: 6A7EC375AF8BA2E87FF7F23497E9944E)

detect_x64.exe (PID: 1704 cmdline: 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\* MD5: 6A7EC375AF8BA2E87FF7F23497E9944E)

waitfor.exe (PID: 6812 cmdline: WAITFOR /S DESKTOP-716T771 /SI unlock MD5: 83E921720CA3BD03CF6BF5686E802C3D)

aes_x64.exe (PID: 7004 cmdline: 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' - MD5: E5125D4651C008EBA61D9FD3ABD5AB31)

curl_x64.exe (PID: 7020 cmdline: 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4' MD5: E80C8CB9887A7C9426D4E843DDDB8A44)

cmd.exe (PID: 7064 cmdline: 'C:\Windows\system32\cmd.exe' /C START '' 'http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 7120 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 3000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7120 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

waitfor.exe (PID: 7072 cmdline: WAITFOR /S DESKTOP-716T771 /SI unlock MD5: 83E921720CA3BD03CF6BF5686E802C3D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Mes_Drivers_3.0.4.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\aes_x64.exe	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
C:\Users\user\AppData\Local\Temp\aes_x86.exe	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.218185318.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.407834625.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000024.00000002.388115021.00007FF697695000.00000002.00020000.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x3cce:$asp_gen_obf1: "+" 0x3da4:$asp_gen_obf1: "+" 0x3f20:$asp_gen_obf1: "+" 0x148e2:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0xa040:$asp_input1: request 0xf2be:$asp_input1: request 0x9ccc:$asp_xml_method1: GET 0xa050:$asp_xml_method1: GET 0xee06:$asp_xml_method2: POST 0xf2ce:$asp_xml_method2: POST 0x13d4:$asp_payload11: WScript.Shell 0x1340:$asp_multi_payload_one1: CreateObject 0x13b8:$asp_multi_payload_one1: CreateObject 0x1340:$asp_multi_payload_four1: CreateObject 0x13b8:$asp_multi_payload_four1: CreateObject 0xeb56:$asp_always_write1: .Write 0xaa80:$asp_write_way_one3: CreateTextFile 0x1340:$asp_cr_write1: CreateObject( 0x13b8:$asp_cr_write1: CreateObject( 0x148e2:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
00000004.00000002.402849297.0000000000401000.00000040.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000024.00000000.386024517.00007FF697695000.00000002.00020000.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000004.00000003.401509038.0000000002A78000.00000004.00000001.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000004.00000003.401894830.00000000024D1000.00000004.00000001.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Process Memory Space: detection.exe PID: 5556	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Process Memory Space: aes_x64.exe PID: 7004	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
4.3.detection.exe.7fa95e2c.0.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
36.0.aes_x64.exe.7ff697680000.0.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
4.3.detection.exe.2506990.6.raw.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
4.3.detection.exe.2506990.6.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
4.2.detection.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
36.2.aes_x64.exe.7ff697680000.0.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
1.2.Mes_Drivers_3.0.4.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
1.0.Mes_Drivers_3.0.4.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
4.3.detection.exe.7fa95e2c.0.raw.unpack	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.nationsbank.com/

Avira URL Cloud: Label: phishing

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\aes_x86.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\aes_x86.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\detection.exe	ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: Mes_Drivers_3.0.4.exe	Virustotal: Detection: 11%	Perma Link
Source: Mes_Drivers_3.0.4.exe	Metadefender: Detection: 13%	Perma Link
Source: Mes_Drivers_3.0.4.exe	ReversingLabs: Detection: 16%

Source: 4.2.detection.exe.400000.0.unpack

Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00456370 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00431450 CryptHashData,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00431460 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00431400 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00456660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0042FAF0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697683750 CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,sprintf,CryptGenRandom,CryptReleaseContext,_fread_nolock,_fread_nolock,fflush,

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: mov dword ptr [rsi+0000490Dh], 424D53FFh
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: mov dword ptr [rdi+0000490Dh], 424D53FFh

Source: Mes_Drivers_3.0.4.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: Mes_Drivers_3.0.4.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49756 version: TLS 1.2

Source:	Binary string: devcon.pdbGCTL source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: waitfor.pdb source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdbH source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdb8d:j source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\x64\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: waitfor.pdbP' source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0044C2B0 GetLongPathNameW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004093DC FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004197A4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00408E18 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00409CCC FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_0040B11E FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00409708 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_004624F0 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7456560 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768AA44 FindClose,FindFirstFileExW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, byte ptr [rsp+rcx+20h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, word ptr [rcx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, byte ptr [rcx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [00000000004C76A8h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov r9, qword ptr [rdi]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, byte ptr [r11]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov r8, qword ptr [rsi]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movsxd rax, rcx
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rax, qword ptr [r8-08h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov eax, ecx
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movsx eax, byte ptr [rbx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+40h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx r9d, byte ptr [rbx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [r11]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then cmp dword ptr [r12+28h], 01h
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov r9, qword ptr [rbx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx ebx, byte ptr [rsi+rbp]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [rdx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then test eax, eax
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx eax, byte ptr [r8+rdx]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movsx eax, byte ptr [rdi]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea rcx, qword ptr [00000000004B25F8h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then cmp dword ptr [r15+rbp*4+000008A8h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then mov rdx, rax
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then lea ecx, dword ptr [r15+10h]
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 4x nop then movzx r8d, al

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_00427A30 recv,

Source: global traffic

HTTP traffic detected: GET /index.php?v_page=31&v_id=8KVKWmfznwDbzahM HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.touslesdrivers.comConnection: Keep-Alive

Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: --ftp-pret Send PRET before PASV (for drftpd) (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-account DATA Account data string (F) --form-string STRING Specify HTTP multipart POST data (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --false-start Enable TLS False Start. -f, --fail Fail silently (no output at all) on HTTP errors (H) --expect100-timeout SECONDS How long to wait for 100-continue (H) --engine ENGINE Crypto engine (use "--engine list" for list) (SSL) --egd-file FILE EGD socket path for random data (SSL) -D, --dump-header FILE Write the headers to FILE --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-interface Interface to use for DNS requests --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --disable-epsv Inhibit using EPSV (F) --disable-eprt Inhibit using EPRT or LPRT (F) --digest Use HTTP Digest Authentication (H) --delegation STRING GSS-API delegation permission --data-urlencode DATA HTTP POST data url encoded (H) --data-binary DATA HTTP POST binary data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-raw DATA HTTP POST data, '@' allowed (H) -d, --data DATA HTTP POST data (H) --crlfile FILE Get a CRL list in PEM format from the given file --crlf Convert LF to CRLF in upload --create-dirs Create necessary local directory hierarchy -c, --cookie-jar FILE Write cookies to FILE after operation (H) -b, --cookie STRING/FILE Read cookies from STRING/FILE (H) -C, --continue-at OFFSET Resumed transfer OFFSET --connect-to HOST1:PORT1:HOST2:PORT2 Connect to host (network level) --connect-timeout SECONDS Maximum time allowed for connection -K, --config FILE Read config from FILE --compressed Request compressed response (using deflate or gzip) --ciphers LIST SSL ciphers to use (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --cert-status Verify the status of the server certificate (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --capath DIR CA directory to verify peer against (SSL) --cacert FILE CA certificate to verify peer against (SSL) --basic Use HTTP Basic Authentication (H) -a, --append Append to target file when uploading (F/SFTP) --anyauth Pick "any" authentication method (H)Options: (H) means HTTP/HTTPS only, (F) means FTP onlyUsage: curl [options...] <url>Features: %s Protocols: curl 7.51.0 (x86_64-pc-win32) %s
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: --ftp-pret Send PRET before PASV (for drftpd) (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-account DATA Account data string (F) --form-string STRING Specify HTTP multipart POST data (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --false-start Enable TLS False Start. -f, --fail Fail silently (no output at all) on HTTP errors (H) --expect100-timeout SECONDS How long to wait for 100-continue (H) --engine ENGINE Crypto engine (use "--engine list" for list) (SSL) --egd-file FILE EGD socket path for random data (SSL) -D, --dump-header FILE Write the headers to FILE --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-interface Interface to use for DNS requests --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --disable-epsv Inhibit using EPSV (F) --disable-eprt Inhibit using EPRT or LPRT (F) --digest Use HTTP Digest Authentication (H) --delegation STRING GSS-API delegation permission --data-urlencode DATA HTTP POST data url encoded (H) --data-binary DATA HTTP POST binary data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-raw DATA HTTP POST data, '@' allowed (H) -d, --data DATA HTTP POST data (H) --crlfile FILE Get a CRL list in PEM format from the given file --crlf Convert LF to CRLF in upload --create-dirs Create necessary local directory hierarchy -c, --cookie-jar FILE Write cookies to FILE after operation (H) -b, --cookie STRING/FILE Read cookies from STRING/FILE (H) -C, --continue-at OFFSET Resumed transfer OFFSET --connect-to HOST1:PORT1:HOST2:PORT2 Connect to host (network level) --connect-timeout SECONDS Maximum time allowed for connection -K, --config FILE Read config from FILE --compressed Request compressed response (using deflate or gzip) --ciphers LIST SSL ciphers to use (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --cert-status Verify the status of the server certificate (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --capath DIR CA directory to verify peer against (SSL) --cacert FILE CA certificate to verify peer against (SSL) --basic Use HTTP Basic Authentication (H) -a, --append Append to target file when uploading (F/SFTP) --anyauth Pick "any" authentication method (H)Options: (H) means HTTP/HTTPS only, (F) means FTP onlyUsage: curl [options...] <url>Features: %s Protocols: curl 7.51.0 (i386-pc-win32) %s
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: --ftp-pret Send PRET before PASV (for drftpd) (F) -P, --ftp-port ADR Use PORT with given address instead of PASV (F) --ftp-pasv Use PASV/EPSV instead of PORT (F) --ftp-method [MULTICWD/NOCWD/SINGLECWD] Control CWD usage (F) --ftp-create-dirs Create the remote dirs if not present (F) --ftp-alternative-to-user COMMAND String to replace "USER [name]" (F) --ftp-account DATA Account data string (F) --form-string STRING Specify HTTP multipart POST data (H) -F, --form CONTENT Specify HTTP multipart POST data (H) --false-start Enable TLS False Start. -f, --fail Fail silently (no output at all) on HTTP errors (H) --expect100-timeout SECONDS How long to wait for 100-continue (H) --engine ENGINE Crypto engine (use "--engine list" for list) (SSL) --egd-file FILE EGD socket path for random data (SSL) -D, --dump-header FILE Write the headers to FILE --dns-ipv6-addr IPv6 address to use for DNS requests, dot notation --dns-ipv4-addr IPv4 address to use for DNS requests, dot notation --dns-interface Interface to use for DNS requests --dns-servers DNS server addrs to use: 1.1.1.1;2.2.2.2 --disable-epsv Inhibit using EPSV (F) --disable-eprt Inhibit using EPRT or LPRT (F) --digest Use HTTP Digest Authentication (H) --delegation STRING GSS-API delegation permission --data-urlencode DATA HTTP POST data url encoded (H) --data-binary DATA HTTP POST binary data (H) --data-ascii DATA HTTP POST ASCII data (H) --data-raw DATA HTTP POST data, '@' allowed (H) -d, --data DATA HTTP POST data (H) --crlfile FILE Get a CRL list in PEM format from the given file --crlf Convert LF to CRLF in upload --create-dirs Create necessary local directory hierarchy -c, --cookie-jar FILE Write cookies to FILE after operation (H) -b, --cookie STRING/FILE Read cookies from STRING/FILE (H) -C, --continue-at OFFSET Resumed transfer OFFSET --connect-to HOST1:PORT1:HOST2:PORT2 Connect to host (network level) --connect-timeout SECONDS Maximum time allowed for connection -K, --config FILE Read config from FILE --compressed Request compressed response (using deflate or gzip) --ciphers LIST SSL ciphers to use (SSL) --cert-type TYPE Certificate file type (DER/PEM/ENG) (SSL) --cert-status Verify the status of the server certificate (SSL) -E, --cert CERT[:PASSWD] Client certificate file and password (SSL) --capath DIR CA directory to verify peer against (SSL) --cacert FILE CA certificate to verify peer against (SSL) --basic Use HTTP Basic Authentication (H) -a, --append Append to target file when uploading (F/SFTP) --anyauth Pick "any" authentication method (H)Options: (H) means HTTP/HTTPS only, (F) means FTP onlyUsage: curl [options...] <url>Features: %s Protocols: curl 7.51.0 (x86_64-pc-win32) %s

Source: unknown

DNS traffic detected: queries for: www.touslesdrivers.com

Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: ftp://cool.haxx.se/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: ftp://ftp.com/moo.exe
Source: curl_x64.exe	String found in binary or memory: ftp://ftp.funet.fi/README
Source: curl_x64.exe	String found in binary or memory: ftp://ftp.leachsite.com/README
Source: curl_x64.exe	String found in binary or memory: ftp://ftp.server.com/path/file
Source: curl_x64.exe	String found in binary or memory: ftp://ftp.sunet.se/pub/www/utilities/curl/
Source: curl_x64.exe	String found in binary or memory: ftp://ftp.sunet.se/pub/www/utilities/curl/SEE
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://curl.haxx.se/0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://help.with.curl.com/curlhelp.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://machine.domain/full/path/to/file
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://remote.server.com/remote.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://that.secret.site.com
Source: curl_x64.exe	String found in binary or memory: http://that.secret.site.comEXTRA
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://trust.web.de/crl/ca03.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://url.com/file.txt
Source: detection.exe, 00000004.00000002.403007918.0000000000472000.00000040.00020000.sdmp	String found in binary or memory: http://www.abyssmedia.com
Source: curl_x64.exe	String found in binary or memory: http://www.drh-consultancy.d
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.drh-consultancy.demon.co.uk/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.formpost.com/getthis/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.formpost.com/getthis/post.cgi
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.get.this/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.nationsbank.com/
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.netscape.com/
Source: curl_x64.exe	String found in binary or memory: http://www.netscape.com/HTTPS
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.netscape.com/index.html
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.post.com/postit.cgi
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.server.com/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.showme.com/
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=
Source: detection.exe, 00000004.00000003.399270098.00000000009F9000.00000004.00000001.sdmp, detection.exe, 00000004.00000002.405879804.0000000002AE8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.400133733.0000000002ABB000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: detection.exe, 00000004.00000002.404454752.00000000009DC000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.398665475.00000000009DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahMAzOh
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.touslesdrivers.com/index.php?v_page=31&v_id=V
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, Mes_Drivers_3.0.4.exe, 00000001.00000002.410166298.0000000002810000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.touslesdrivers.com/php/mes_drivers/code_source.php
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.upload.com/myfile
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.weirdserver.com:8000/
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: http://www.where.com/guest.cgi
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se
Source: curl_x64.exe	String found in binary or memory: https://curl.haxx.se/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/P
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/
Source: curl_x64.exe	String found in binary or memory: https://curl.haxx.se/docs/copyright.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: curl_x64.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: curl_x64.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/mail/.
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://curl.haxx.se/rfc/rfc2255.txt
Source: curl_x64.exe	String found in binary or memory: https://curl.haxx.seFTP
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://ftp.mozilla.org
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://git.fedora-
Source: curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://secure.site.com/
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: https://trust.web.de/crl/ca03.crl0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: https://trust.web.de0
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	String found in binary or memory: https://trust.web.de01
Source: curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://www.openssl.org/docs/apps/ciphers.html
Source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: https://www.secure-site.com
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=.S
Source: detection.exe, 00000004.00000003.399270098.00000000009F9000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_versio
Source: detection.exe, 00000004.00000003.399826501.0000000000A22000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4
Source: detection.exe, 00000004.00000003.400740202.0000000000A3F000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4work
Source: detection.exe, 00000004.00000002.404357113.000000000099B000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4x
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=
Source: curl_x64.exe, 0000000B.00000002.232370646.00000000009D0000.00000004.00000040.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4
Source: detection.exe, 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4ahM&v_version=indo
Source: detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	String found in binary or memory: https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=Ad

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 46.105.202.207:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.39:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.226:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.227.209.167:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.214.194:443 -> 192.168.2.5:49756 version: TLS 1.2

Source: detection.exe, 00000004.00000002.404267982.000000000097A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_00456370 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00451718
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00412816
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00407E34
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_0041313A
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00408724
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0042F130
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0040D4E9
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_004264A1
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00448670
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00422960
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0044A090
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00416370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00456370
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045D484
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00453670
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045D729
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00467800
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_004288F0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00440900
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045EAB0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0044DB60
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00452C90
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00472D70
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00468DC0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00413E00
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0044CE20
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045CE2F
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00451EA0
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0043CF40
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0045CFD0
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A745286C
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7451970
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7455890
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7453EA0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697683750
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697692810
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768CA14
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697684840
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697688900
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697681300
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768B4C0
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768FD60
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697681760
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697682750
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768D54C
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697681000

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\aes_x86.exe B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00427190 appears 312 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00427290 appears 328 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 0041C050 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 0045FEC0 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00414800 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 0045FB50 appears 375 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00402DA0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 0040ACC0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00454EB0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 0045AEF0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: String function: 00414970 appears 57 times

Source: aes_x64.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aes_x86.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: curl_x64.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.410587105.0000000002E80000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.220926484.000000000282F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewaitfor.exej% vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename8 vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.411022700.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Mes_Drivers_3.0.4.exe
Source: Mes_Drivers_3.0.4.exe, 00000001.00000002.411022700.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Mes_Drivers_3.0.4.exe

Source: Mes_Drivers_3.0.4.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp, type: MEMORY

Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = https://creativecommons.org/licenses/by-nc/4.0/, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75

Source: classification engine

Classification label: mal72.evad.winEXE@52/81@9/7

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_004183B4 GetLastError,FormatMessageA,GetLastError,SetLastError,

Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe

Code function: 17_2_00007FF7A7451194 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_00419CF4 GetDiskFreeSpaceW,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_00448AA4 CoCreateInstance,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_0043D5F0 FindResourceW,LoadResource,SizeofResource,LockResource,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB2B1FBA-DF79-11EB-90E5-ECF4BB570DC9}.dat

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2904:120:WilError_01

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

File created: C:\Users\user\AppData\Local\Temp\detection.exe

Jump to behavior

Source: Yara match	File source: Mes_Drivers_3.0.4.exe, type: SAMPLE
Source: Yara match	File source: 4.2.detection.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mes_Drivers_3.0.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Mes_Drivers_3.0.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.218185318.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.407834625.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.402849297.0000000000401000.00000040.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, MaxClockSpeed, Name, SocketDesignation FROM Win32_Processor

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\waitfor.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Mes_Drivers_3.0.4.exe	Virustotal: Detection: 11%
Source: Mes_Drivers_3.0.4.exe	Metadefender: Detection: 13%
Source: Mes_Drivers_3.0.4.exe	ReversingLabs: Detection: 16%

Source: curl_x64.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe	String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe	String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-servers <ip-address,ip-address>
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv6-addr <ip-address> Tel
Source: curl_x64.exe	String found in binary or memory: Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit charac- ter is given in the range, the server's response will be unspec- ified, de
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv4-addr <ip-address> Tell
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-servers <ip-address,ip-address>
Source: curl_x64.exe	String found in binary or memory: Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit charac- ter is given in the range, the server's response will be unspec- ified, de
Source: curl_x64.exe	String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe	String found in binary or memory: document that is newer than the specified date/time. If this option is used several times, the last one will be used. -h, --help Usage help. This lists all current command line options with a s
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv4-addr <ip-address> Tell
Source: curl_x64.exe	String found in binary or memory: This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.33.0) --dns-ipv6-addr <ip-address> Tel
Source: curl_x64.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl_x64.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: detect_x64.exe	String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: detect_x64.exe	String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

File read: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe 'C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe'
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\detection.exe 'C:\Users\user\AppData\Local\Temp\detection.exe'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' VER '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:'version 5\.[0-1]\.'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' hwids 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7120 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk'
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\detection.exe 'C:\Users\user\AppData\Local\Temp\detection.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' '
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' VER '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:'version 5\.[0-1]\.'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7120 CREDAT:17410 /prefetch:2

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Mes_Drivers_3.0.4.exe

Static PE information: certificate valid

Source: Mes_Drivers_3.0.4.exe

Static file information: File size 1624440 > 1048576

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: Mes_Drivers_3.0.4.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x130400

Source:	Binary string: devcon.pdbGCTL source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: waitfor.pdb source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdbH source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdb8d:j source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\x64\Release\aescrypt.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: waitfor.pdbP' source: Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp
Source:	Binary string: devcon.pdb source: detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, detect_x64.exe, 00000011.00000002.330349680.00007FF7A7458000.00000002.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe

Unpacked PE file: 4.2.detection.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Obfuscated command line found

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_0042C2E0 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: Mes_Drivers_3.0.4.exe	Static PE information: section name: .didata
Source: detection.exe.1.dr	Static PE information: section name: .MPRESS1
Source: detection.exe.1.dr	Static PE information: section name: .MPRESS2

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004562E0 push 0045636Ch; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0042C018 push 0042C084h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004413CC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0043D3D4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00456394 push 0045644Ah; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00456454 push 004564DFh; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0042B50C push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004145EC push 00414A17h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0045073C push 00450774h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00449860 push 004498DDh; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004508D4 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004218F4 push 00421A8Eh; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004149D4 push 00414A17h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00451AA8 push 00451AECh; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00444B68 push 00444C35h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00438E70 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0041FE94 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0042DEA8 push 0042DEF5h; ret
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00409FB0 push 0040A037h; ret
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_0040A8D4 push 0040A95Bh; ret
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00414F10 push 0041533Bh; ret

Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\waitfor_x86_2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\detect_x64_2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\aes_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\detection.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\curl_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\waitfor_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	File created: C:\Users\user\AppData\Local\Temp\detect_x86.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\detection.exe

Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries memory information (via WMI often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT BankLabel, Capacity, PartNumber FROM Win32_PhysicalMemory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product, Version FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\detection.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, SMBIOSBIOSVersion FROM Win32_BIOS

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, InterfaceType, Size FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT MACAddress, Manufacturer, Name FROM Win32_NetworkAdapter WHERE PNPDeviceID LIKE "PCI\\%" OR PNPDeviceID LIKE "PCMCIA\\%" OR PNPDeviceID LIKE "USB\\%"

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT BankLabel, Capacity, PartNumber FROM Win32_PhysicalMemory

Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe

Code function: 17_2_00007FF7A745286C SetupDiGetDeviceInstallParamsW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiOpenDevRegKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetupDiGetDeviceRegistryPropertyW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiGetDriverInfoDetailW,GetLastError,SetupDiEnumDriverInfoW,SetupDiDestroyDriverInfoList,RegCloseKey,

Source: C:\Users\user\AppData\Local\Temp\detection.exe

Window / User API: threadDelayed 1139

Source: C:\Users\user\AppData\Local\Temp\detection.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\waitfor_x86_2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\detect_x64_2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aes_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\curl_x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\waitfor_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\detect_x86.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

API coverage: 9.8 %

Source: C:\Windows\SysWOW64\waitfor.exe TID: 980	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 2540	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 6984	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\waitfor.exe TID: 7128	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\detection.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, MaxClockSpeed, Name, SocketDesignation FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0044C2B0 GetLongPathNameW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004093DC FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_004197A4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_00408E18 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00409CCC FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_0040B11E FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_00409708 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_004624F0 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7456560 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768AA44 FindClose,FindFirstFileExW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_00409F3C GetSystemInfo,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	File opened: C:\Users\user\Desktop\desktop.ini

Source: detect_x64.exe, 00000012.00000003.358084577.000002CC8AB32000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionusAddReg
Source: detect_x64.exe, 00000012.00000003.277605945.000002CC8AA6F000.00000004.00000001.sdmp	Binary or memory string: vmnetextension
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: detect_x64.exe, 00000012.00000003.307496512.000002CC8AAFF000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionO@
Source: detect_x64.exe, 00000012.00000003.359448477.000002CC8AAF2000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionu@
Source: detect_x64.exe, 00000012.00000003.313739760.000002CC8AAF5000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionrs
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: detect_x64.exe, 00000012.00000003.306013471.000002CC8AB2C000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;OICIIO;GA;;;CO)(A;CIOI;GRGWGXSD;;;PU)
Source: detect_x64.exe, 00000012.00000003.344834461.000002CC8AA72000.00000004.00000001.sdmp	Binary or memory string: vmnetextension@h(XM
Source: detect_x64.exe, 00000012.00000003.319540550.000002CC8AA8D000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionsystem32\drivers\wfplwfs.sys,-6001g
Source: detect_x64.exe, 00000012.00000003.351611083.000002CC8AA86000.00000004.00000001.sdmp	Binary or memory string: vmnetextensionHh(XM
Source: detect_x64.exe, 00000012.00000003.355404187.000002CC8AB0A000.00000004.00000001.sdmp	Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: curl_x64.exe, 0000000B.00000002.232324322.0000000000611000.00000004.00000020.sdmp, waitfor.exe, 0000000F.00000002.259868660.0000000002FA7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: waitfor.exe, 0000000D.00000002.245262917.00000000046B0000.00000002.00000001.sdmp, waitfor.exe, 0000000F.00000002.260394870.0000000004D20000.00000002.00000001.sdmp, detect_x64.exe, 00000011.00000002.325684353.000001C1DA470000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\detection.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe

Code function: 36_2_00007FF697688EE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_0042C2E0 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_00464730 EntryPoint,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetCommandLineA,

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00418CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7456CB0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe	Code function: 17_2_00007FF7A7456A94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768FD1C SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF697688EE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe	Code function: 36_2_00007FF69768BF74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk'
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\detection.exe 'C:\Users\user\AppData\Local\Temp\detection.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' '
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\sc.exe SC query Winmgmt
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\detect_x64.exe 'C:\Users\user\AppData\Local\Temp\detect_x64.exe' status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\aes_x64.exe 'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C START '' 'http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR /S computer /SI unlock
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com MODE CON: COLS=76 LINES=15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' VER '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I /R /C:'version 5\.[0-1]\.'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\waitfor.exe WAITFOR unlock
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM

Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Process created: C:\Users\user\AppData\Local\Temp\curl_x64.exe 'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'

Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: waitfor.exe, 0000000C.00000002.489250483.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_00404CA8 cpuid

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetUserDefaultLCID,EnumSystemLocalesA,GetUserDefaultLangID,GetLocaleInfoA,GetLocaleInfoA,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\detect_x64.exe

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\detection.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation ActiveTimeBias

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_0041BB80 GetLocalTime,

Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe

Code function: 11_2_00467160 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe

Code function: 1_2_0041F038 GetVersionExW,

Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: detect_x64.exe, 00000012.00000003.262044414.000002CC8AAB6000.00000004.00000001.sdmp	Binary or memory string: PGSETUP.EXE
Source: detect_x64.exe, 00000012.00000003.262044414.000002CC8AAB6000.00000004.00000001.sdmp	Binary or memory string: 123.exe

Source: C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe	Code function: 1_2_0044F3E4 CreateBindCtx,MkParseDisplayNameEx,
Source: C:\Users\user\AppData\Local\Temp\detection.exe	Code function: 4_2_0040B882 CreateBindCtx,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0042A600 htons,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_00440900 getsockname,WSAGetLastError,WSAGetLastError,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,
Source: C:\Users\user\AppData\Local\Temp\curl_x64.exe	Code function: 11_2_0043AFF0 bind,WSAGetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation511	Windows Service1	Access Token Manipulation1	Deobfuscate/Decode Files or Information11	Input Capture1	System Time Discovery12	Exploitation of Remote Services1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API3	Boot or Logon Initialization Scripts	Windows Service1	Obfuscated Files or Information3	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter112	Logon Script (Windows)	Process Injection12	Software Packing11	Security Account Manager	System Information Discovery247	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution1	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Query Registry2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion32	LSA Secrets	Security Software Discovery541	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Virtualization/Sandbox Evasion32	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
Mes_Drivers_3.0.4.exe	12%	Virustotal	Browse
Mes_Drivers_3.0.4.exe	14%	Metadefender	Browse
Mes_Drivers_3.0.4.exe	17%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\aes_x64.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\aes_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\aes_x86.exe	21%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\aes_x86.exe	21%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\curl_x64.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\curl_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\curl_x86.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\curl_x86.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\detect_x64.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\detect_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\detect_x64_2.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\detect_x64_2.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\detect_x86.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\detect_x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\detection.exe	10%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\detection.exe	28%	ReversingLabs	Win32.Infostealer.Limitail

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.detection.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File
4.1.detection.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
46-105-202-207.any.cdn.anycast.me	0%	Virustotal	Browse
cdn.appconsent.io	1%	Virustotal	Browse
ads.sportslocalmedia.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.post.com/postit.cgi	0%	Avira URL Cloud	safe
http://help.with.curl.com/curlhelp.html	0%	Avira URL Cloud	safe
http://www.weirdserver.com:8000/	0%	Avira URL Cloud	safe
http://www.nationsbank.com/	100%	Avira URL Cloud	phishing
https://www.secure-site.com	0%	Avira URL Cloud	safe
https://trust.web.de0	0%	Avira URL Cloud	safe
http://machine.domain/full/path/to/file	0%	Avira URL Cloud	safe
http://www.formpost.com/getthis/post.cgi	0%	Avira URL Cloud	safe
https://git.fedora-	0%	Avira URL Cloud	safe
http://www.abyssmedia.com	0%	Avira URL Cloud	safe
http://that.secret.site.comEXTRA	0%	Avira URL Cloud	safe
http://www.where.com/guest.cgi	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://curl.haxx.seFTP	0%	Avira URL Cloud	safe
https://trust.web.de01	0%	Avira URL Cloud	safe
http://www.drh-consultancy.d	0%	Avira URL Cloud	safe
ftp://ftp.leachsite.com/README	0%	Avira URL Cloud	safe
http://www.formpost.com/getthis/	0%	Avira URL Cloud	safe
ftp://ftp.com/moo.exe	0%	Avira URL Cloud	safe
http://www.drh-consultancy.demon.co.uk/	0%	Avira URL Cloud	safe
http://www.get.this/	0%	Avira URL Cloud	safe
http://www.upload.com/myfile	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
partnerad.l.doubleclick.net	142.250.180.226	true	false		high
googleads.g.doubleclick.net	216.58.214.194	true	false		high
srv1.touslesdrivers.com	85.31.204.81	true	false		high
46-105-202-207.any.cdn.anycast.me	46.105.202.207	true	false	0%, Virustotal, Browse	unknown
cdn.appconsent.io	35.227.209.167	true	false	1%, Virustotal, Browse	unknown
tags.smilewanted.com	104.26.7.39	true	false		high
securepubads.g.doubleclick.net	unknown	unknown	false		high
ads.sportslocalmedia.com	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.touslesdrivers.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.post.com/postit.cgi	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://trust.web.de/crl/ca03.crl0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false		high
http://help.with.curl.com/curlhelp.html	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
ftp://ftp.sunet.se/pub/www/utilities/curl/SEE	curl_x64.exe	false		high
https://secure.site.com/	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
ftp://ftp.funet.fi/README	curl_x64.exe	false		high
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4	detection.exe, 00000004.00000003.399826501.0000000000A22000.00000004.00000001.sdmp	false		high
http://that.secret.site.com	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.weirdserver.com:8000/	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nationsbank.com/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	true	Avira URL Cloud: phishing	unknown
https://curl.haxx.se/libcurl/c/curl_easy_setopt.html	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
ftp://ftp.sunet.se/pub/www/utilities/curl/	curl_x64.exe	false		high
http://curl.haxx.se/0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false		high
http://trust.web.de/crl/ca03.crl0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false		high
https://www.secure-site.com	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahMAzOh	detection.exe, 00000004.00000002.404454752.00000000009DC000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.398665475.00000000009DA000.00000004.00000001.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html#	curl_x64.exe	false		high
https://trust.web.de0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/P	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp	false		high
https://www.openssl.org/docs/apps/ciphers.html	curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false		high
https://curl.haxx.se/docs/copyright.htmlD	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000002.232106855.00000000004CA000.00000002.00020000.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=.S	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	false		high
https://curl.haxx.se/docs/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://machine.domain/full/path/to/file	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.formpost.com/getthis/post.cgi	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://ftp.mozilla.org	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://git.fedora-	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.abyssmedia.com	detection.exe, 00000004.00000002.403007918.0000000000472000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netscape.com/index.html	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://that.secret.site.comEXTRA	curl_x64.exe	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/rfc/rfc2255.txt	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4	curl_x64.exe, 0000000B.00000002.232370646.00000000009D0000.00000004.00000040.sdmp	false		high
https://curl.haxx.se/mail/.	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.where.com/guest.cgi	curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.touslesdrivers.com/php/mes_drivers/code_source.php	Mes_Drivers_3.0.4.exe, 00000001.00000003.407054994.00000000023C7000.00000004.00000001.sdmp, Mes_Drivers_3.0.4.exe, 00000001.00000002.410166298.0000000002810000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	false		high
https://curl.haxx.seFTP	curl_x64.exe	false	Avira URL Cloud: safe	unknown
http://url.com/file.txt	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4ahM&v_version=indo	detection.exe, 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	false		high
ftp://cool.haxx.se/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://trust.web.de01	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netscape.com/	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://remote.server.com/remote.html	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
https://curl.haxx.se/docs/sslcerts.htmlcurl	curl_x64.exe	false		high
ftp://ftp.server.com/path/file	curl_x64.exe	false		high
http://www.touslesdrivers.com/index.php?v_page=31&v_id=	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	false		high
https://curl.haxx.se/docs/sslcerts.html	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.drh-consultancy.d	curl_x64.exe	false	Avira URL Cloud: safe	unknown
http://www.showme.com/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.netscape.com/HTTPS	curl_x64.exe	false		high
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_versio	detection.exe, 00000004.00000003.399270098.00000000009F9000.00000004.00000001.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4work	detection.exe, 00000004.00000003.400740202.0000000000A3F000.00000004.00000001.sdmp	false		high
ftp://ftp.leachsite.com/README	curl_x64.exe	false	Avira URL Cloud: safe	unknown
http://www.server.com/	curl_x64.exe, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false		high
http://www.formpost.com/getthis/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.touslesdrivers.com/index.php?v_page=31&v_id=V	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	false		high
https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp, detection.exe, 00000004.00000003.226335116.0000000002AB1000.00000004.00000001.sdmp	false		high
ftp://ftp.com/moo.exe	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4x	detection.exe, 00000004.00000002.404357113.000000000099B000.00000004.00000001.sdmp	false		high
http://www.drh-consultancy.demon.co.uk/	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=Ad	detection.exe, 00000004.00000003.228885857.0000000002AB8000.00000004.00000001.sdmp	false		high
http://www.get.this/	curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/copyright.html	curl_x64.exe	false		high
http://www.upload.com/myfile	detection.exe, 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, curl_x64.exe, 0000000B.00000000.230122223.0000000000475000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/	curl_x64.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
85.31.204.81	srv1.touslesdrivers.com	Sweden	30781	JAGUAR-ASFR	false
46.105.202.207	46-105-202-207.any.cdn.anycast.me	France	16276	OVHFR	false
142.250.180.226	partnerad.l.doubleclick.net	United States	15169	GOOGLEUS	false
104.26.7.39	tags.smilewanted.com	United States	13335	CLOUDFLARENETUS	false
35.227.209.167	cdn.appconsent.io	United States	15169	GOOGLEUS	false
216.58.214.194	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	445340
Start date:	07.07.2021
Start time:	16:17:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Mes_Drivers_3.0.4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.evad.winEXE@52/81@9/7
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 10.2% (good quality ratio 8.7%) Quality average: 63.5% Quality standard deviation: 34.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 131.253.33.200, 13.107.22.200, 52.255.188.83, 151.139.128.14, 23.35.236.56, 20.82.210.154, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.203.80.193, 172.217.20.2, 142.250.180.238, 152.199.19.161 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.google-analytics.com, www.bing.com, fs.microsoft.com, ocsp.usertrust.com, www-google-analytics.l.google.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, pagead2.googlesyndication.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:18:27	API Interceptor	4x Sleep call for process: waitfor.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
85.31.204.81	https://fichiers2.touslesdrivers.com/Mes_Drivers_3.0.4.exe	Get hash	malicious	Browse	www.touslesdrivers.com/index.php?v_page=31&v_id=qh9KWfRS01S5Sbvf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tags.smilewanted.com	https://fichiers2.touslesdrivers.com/Mes_Drivers_3.0.4.exe	Get hash	malicious	Browse	104.24.19.41
srv1.touslesdrivers.com	https://fichiers2.touslesdrivers.com/Mes_Drivers_3.0.4.exe	Get hash	malicious	Browse	85.31.204.81

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
JAGUAR-ASFR	ZCOE3V1Cvt.exe	Get hash	malicious	Browse	194.242.45.41
	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.exe	Get hash	malicious	Browse	194.242.45.41
	SecuriteInfo.com.Trojan.PackedNET.540.9726.exe	Get hash	malicious	Browse	194.242.45.41
	SilaeClient.application	Get hash	malicious	Browse	31.7.255.66
	X1xGVS7K4qY.doc	Get hash	malicious	Browse	194.88.246.242
	X1xGVS7K4qY.doc	Get hash	malicious	Browse	194.88.246.242
	Outstanding Invoices.doc	Get hash	malicious	Browse	194.88.246.242
	Outstanding Invoices.doc	Get hash	malicious	Browse	194.88.246.242
	Media Shower.exe	Get hash	malicious	Browse	194.88.246.242
	67207.exe	Get hash	malicious	Browse	194.88.246.242
	2018.doc	Get hash	malicious	Browse	194.88.246.242
	2018.doc	Get hash	malicious	Browse	194.88.246.242
	AYkrhDP.doc	Get hash	malicious	Browse	194.88.246.242
	AYkrhDP.doc	Get hash	malicious	Browse	194.88.246.242
	Fwd_ ACH form.doc	Get hash	malicious	Browse	194.88.246.242
	Fwd_ ACH form.doc	Get hash	malicious	Browse	194.88.246.242
	emotet2.exe	Get hash	malicious	Browse	194.88.246.242
	LSteR4mqIIzH3.doc	Get hash	malicious	Browse	194.88.246.242
	LSteR4mqIIzH3.doc	Get hash	malicious	Browse	194.88.246.242
	Outstanding Invoices.doc	Get hash	malicious	Browse	194.88.246.242
OVHFR	NWMEaRqF7s.exe	Get hash	malicious	Browse	5.39.91.110
	OMJe815AqT.exe	Get hash	malicious	Browse	51.254.241.28
	His4jRklYe.exe	Get hash	malicious	Browse	51.79.119.231
	4z5jQqNiJl.exe	Get hash	malicious	Browse	51.75.77.27
	H9QnI1DbC1.exe	Get hash	malicious	Browse	142.44.243.6
	Wws1Rnd02H.exe	Get hash	malicious	Browse	176.31.117.84
	HTbemZcLWN.exe	Get hash	malicious	Browse	176.31.117.84
	nC4niiFqg0.exe	Get hash	malicious	Browse	176.31.117.84
	i	Get hash	malicious	Browse	192.99.3.72
	978B4AC05A227B23EF7E4FADFF92966339BA1413BAC5A.exe	Get hash	malicious	Browse	188.165.207.8
	62EAE1F670683A10909351D0DBA4C6CBDADD53C056FE5.exe	Get hash	malicious	Browse	51.68.125.34
	7xhLwiPIrR.exe	Get hash	malicious	Browse	142.44.243.6
	SoMuAF6xvf.dll	Get hash	malicious	Browse	54.39.106.25
	SoMuAF6xvf.dll	Get hash	malicious	Browse	54.39.106.25
	19495C90691E8B6EEF5D55D50B9D76AE6CEB5629D6C08.exe	Get hash	malicious	Browse	142.4.200.50
	u867uMlwux.dll	Get hash	malicious	Browse	54.39.106.25
	Payment Slip.xlsb	Get hash	malicious	Browse	178.33.222.243
	2020-TAX-EXTENSION.doc	Get hash	malicious	Browse	145.239.131.55
	Gift Card 0796907.xlsb	Get hash	malicious	Browse	217.182.175.206
	Gift Card 0796907.xlsb	Get hash	malicious	Browse	217.182.175.206
CLOUDFLARENETUS	PW1-WO-004 PDF.exe	Get hash	malicious	Browse	104.21.19.200
	4997169.exe	Get hash	malicious	Browse	104.21.80.171
	INVITATI.EXE	Get hash	malicious	Browse	104.21.19.200
	Machine Specification.exe	Get hash	malicious	Browse	172.67.188.154
	P.O.exe	Get hash	malicious	Browse	172.67.188.154
	3MIvJieGXT.exe	Get hash	malicious	Browse	104.21.51.99
	SaI1j8jXQY.exe	Get hash	malicious	Browse	162.159.135.233
	FEED DEBTORS AGEWISE JUNE-21.exe	Get hash	malicious	Browse	104.21.91.43
	runsys32.dll	Get hash	malicious	Browse	104.20.184.68
	6aSBBC4aJx.exe	Get hash	malicious	Browse	104.21.42.63
	RFQ# ETS Project-070721B3.doc	Get hash	malicious	Browse	162.159.130.233
	tMAfN344rmHC9Zi.exe	Get hash	malicious	Browse	104.21.19.200
	OMJe815AqT.exe	Get hash	malicious	Browse	162.159.129.233
	sud-life-mobcast.apk	Get hash	malicious	Browse	104.22.10.83
	7MPEfVAwHo.exe	Get hash	malicious	Browse	172.67.188.154
	sud-life-outwork.apk	Get hash	malicious	Browse	104.22.11.83
	SecuriteInfo.com.Trojan.Win32.Save.a.9623.exe	Get hash	malicious	Browse	104.21.19.200
	Payment Details.exe	Get hash	malicious	Browse	104.21.19.200
	Schedule072021R7218468.xlsm	Get hash	malicious	Browse	104.21.52.111
	Outfordelivery-787848.xlsm	Get hash	malicious	Browse	104.21.52.111

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	FAX.HTML	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	runsys32.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	Mclawslaw.ca_Fax-Message.html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	E00E.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	Payslip070620219359636Z.html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	attach.html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	VM52MC9YQDUO0P.html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	RFQ40110 (2).html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	runsys32.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	2790000.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	2770174.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	q7p7x4f4gX.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	q7p7x4f4gX.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	PO # 2367.html	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	( 1 ) Voice note-Dassault-aviation.htm	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	mJSDCeNxFi.exe	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	3rc4z6ltNu.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	3rc4z6ltNu.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	iew852qEQI.exe	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194
	6us663UjcE.dll	Get hash	malicious	Browse	104.26.7.39 46.105.202.207 142.250.180.226 35.227.209.167 216.58.214.194

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\aes_x86.exe	53c0505a_by_Libranalysis.exe	Get hash	malicious	Browse
	hztxqReczN.exe	Get hash	malicious	Browse
	BleachGap.exe	Get hash	malicious	Browse
	SuperEnjoy.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.touslesdrivers[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.747828800985921
Encrypted:	false
SSDEEP:	24:WU5QKG4RpG4RfG4RVK9G4RO5G4RkG4MU5QKG4RpG4RfG4RVK9G4RO5G4RkG4ghnh:L5Qx4+4Y4W44884d4N5Qx4+4Y4W4488I
MD5:	38431A6165E6465C6653B93612467878
SHA1:	B5AB5255FD5F650380D890E8F98A68F68A7F3C85
SHA-256:	19EF1B12D477C4B14F0E0C2B9584CC46B85963BDCA9AD97AFC036AA84C3DCBC9
SHA-512:	735A2F226F2B8FE6E936BBC5AEB2B09EFF19F947B85A7210CDFC75D89B3DD98E47193C8B004B184A4D4594330984065A765BA580FE364A206011371BC5406C1F
Malicious:	false
Preview:	<root></root><root><item name="goog_pem_mod" value="219" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod34" value="233" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod53" value="546" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod36" value="593" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod37" value="538" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod44" value="66" ltime="2404659120" htime="30897030" /></root><root><item name="goog_pem_mod" value="219" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod34" value="233" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod53" value="546" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod36" value="593" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod37" value="538" ltime="2404659120" htime="30897030" /><item name="google_experiment_mod4

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB2B1FBA-DF79-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	1.7566510753587679
Encrypted:	false
SSDEEP:	96:rAZHZen2eGkWeGoZteGovfeGo587teGo5TItAKWeGoIaTxY6:rAZHZg2IWctSf/tRLWM
MD5:	F2094B58785E889300E51A297B323A13
SHA1:	3E0656A812951617423CD41E7343F8C9AB52D289
SHA-256:	A362C87F77828C195DC393A3A8246D454E1C8526F77091E4A741F0BD09D95BF8
SHA-512:	C14BB522BE7DA852EEF14756B8472CC4A6A86F1DEA6CC9CC6E0353A9F5030444DFD94715C4EEBBFCC77FFE0BA80269C9810BE1D89F8E28D3352E519CB3A7F50F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB2B1FBC-DF79-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28434
Entropy (8bit):	2.121175278022863
Encrypted:	false
SSDEEP:	192:rIZ/QjiQh0QEFKQHuWQL2QlvQKbyi7y+89MVcKJQXs/Mt8r:rI4ehHKSBOLpoM6XsUK
MD5:	3D75EF0B794B72284F831C33F1CF911F
SHA1:	28CA94F0CCE17724AEFF73BBAF1C45CD994A976E
SHA-256:	6A91C9CFDE7ED356C4647E28DEA9B6F9299094C8D74231D7B5C2E64BE338C6FB
SHA-512:	1BCA7CE57C6016E14579F6F6586E1321A8E22D1D6CB61F8A1B8B7C469185CAE1AC3E9F44F9978CC7CDD1E551E3763D4DBD6F43536EB99AC381A8277B4F6FF7E3
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.070960637996196
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEGwJw/CnWimI002EtM3MHdNMNxOEGwJw/CnWimI00ONVbkEtMb:2d6NxOlSHSZHKd6NxOlSHSZ7Qb
MD5:	C820C86A16E361C049E45BD7BD2633B1
SHA1:	8C490BBD560F1C156F467FEDEC469F7992B9E427
SHA-256:	70D14EDC26FF956FB80AB91C702AB9433639F498F05844F25E3983049BDEC58B
SHA-512:	87C8170F7C3A29027796C5A7F9F2B2EA76250C1141CBD9E78969A486E354168148367EC72EE03FF23FF74A2B7E4710E236EB6D036C6DF713E76F8FF68D804758
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.0767930435485145
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kUKTK7CnWimI002EtM3MHdNMNxe2kUKTK7CnWimI00ONkak6EtMb:2d6NxrLKTKuSZHKd6NxrLKTKuSZ72a7b
MD5:	0566A379CAD412A4472E56F3012ADE53
SHA1:	09C59E53918537468B6BA4C87B8E4D9779C25211
SHA-256:	700A16961A5A598794052284518200F7E7CF50967066AA7540CB0241F287A6A2
SHA-512:	DB6ADCBADF682A766F7DA1AF796500C3121629431138247CFD249F5C1E5AD87A5DF98D53BBE1F9A3602B60001F48AA981E809BC3649426D4785079FB6695873F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa1f0d1a5,0x01d77386</date><accdate>0xa1f0d1a5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa1f0d1a5,0x01d77386</date><accdate>0xa1f0d1a5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.09038772814423
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLGwJw/CnWimI002EtM3MHdNMNxvLGwJw/CnWimI00ONmZEtMb:2d6NxviSHSZHKd6NxviSHSZ7Ub
MD5:	324831E1E7870332C641A0ADC532DB48
SHA1:	ED6641C62255137886967E337B56ACA1B8103E72
SHA-256:	0A4551E8674190FF4C6CA4DA430DCAA6E4652BA8FEF9B9A7C8554C6E6AD1EB0B
SHA-512:	9CF0414B252A88D3B0D5CF6177222BEF8398DAE53B2753C354DE99F0E4B6E71FFD0519C6F7D091E3002CEED5D83F1E47D0C8E615021A10F6A048743B205E9AFA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.085808071867358
Encrypted:	false
SSDEEP:	12:TMHdNMNxiGwJw/CnWimI002EtM3MHdNMNxiGwJw/CnWimI00ONd5EtMb:2d6NxbSHSZHKd6NxbSHSZ7njb
MD5:	F2A7FD434E6DA631F08C263AA5CB8D86
SHA1:	0B87F3DEC9775670FAC4ED2B8C73D0220328F83E
SHA-256:	2F1AA046DE93B7F62BF2983D5710DCAAC6A4864D377FC34F99AD8B0C7577EE9C
SHA-512:	915B08D87832D92213BD204D598BACCA043BC3056362837352C6626B24B9B2416B7ED5F971A90014AC7DFEF4C1EC87971C8B01EEBBBF4E4F075F69230EE9D430
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.111091333937085
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwGwJw/CnWimI002EtM3MHdNMNxhGwGw5CnWimI00ON8K075EtMb:2d6NxQ5SHSZHKd6NxQ5vSZ7uKajb
MD5:	9B16649B7FB0304B871035958FA6E45F
SHA1:	18A15A23266DAB013DC5B0533242A6504C949964
SHA-256:	178A3C0B0FFD4D51E8964574836BAF7B02AB19D280D36FA32EC4B8131F78A869
SHA-512:	3B49CC4DC056FFECA26AC3E3CEFC8F911BD09CC19AE7DA7D33D916DC769A0080B86C8BA277AC0D70B251220A2664F300A88B7F4CDE2C2B6F23C5D856D977B653
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa207b505,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.074601648309996
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nGwJw/CnWimI002EtM3MHdNMNx0nGwJw/CnWimI00ONxEtMb:2d6Nx0GSHSZHKd6Nx0GSHSZ7Vb
MD5:	46B355072F66142857F85733C9845FDF
SHA1:	87EB8ED7053F49C3EAF9348EA8D36B70FE5AE30E
SHA-256:	A78C9B36EF276B589D84D36375ED25EAD84154772AAA70B33C2F3AEF3302E6FD
SHA-512:	98B9375ADD8232449387829287340599496110F1A5BA4ACDF3E5E441511F96B6B06943EFCF246DDBFFF21C8D38879DAFC7ACD431D2009C060CCCE169F9101ECE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.11053558965378
Encrypted:	false
SSDEEP:	12:TMHdNMNxxGwJw/CnWimI002EtM3MHdNMNxxGwJw/CnWimI00ON6Kq5EtMb:2d6NxoSHSZHKd6NxoSHSZ7ub
MD5:	29C27095F70CE27F08ED4680D4AC18CE
SHA1:	BF26A97CECD18DD8F78D4DBF4440394F494D4B7E
SHA-256:	4DEC647A5C0320FF239EFAE87E2C4181BF813409A9AB019F3403F67ECADC033A
SHA-512:	E27B5366F287F1DC9C603BB17D8CC0CF8531C9E3F38B193D46204DDBA0436C8A69E1F89B4DEFE5ACC3446F72C3307D1A83F5BEAD1DA960769F7737086AD57974
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.090841465801232
Encrypted:	false
SSDEEP:	12:TMHdNMNxcGwJw/CnWimI002EtM3MHdNMNxcGwJw/CnWimI00ONVEtMb:2d6Nx9SHSZHKd6Nx9SHSZ71b
MD5:	714DC758FEADC372CF5979C7A52E26A0
SHA1:	28930CA1058279D870189DB532B1996D9BF64F96
SHA-256:	874AA2450E699F8BDDE6D8FCC705265328790FF1B76CDF664825BA7C8111739E
SHA-512:	A810183045FEF141D37A6AEE4AEFA4F3601AF407F6ED60A6843797F63761703F70635C7C1462D86D99F5C99900F7683914FB2FDDBD3F1389E2E485D0E14EC6D8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.071300069294579
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnGwJw/CnWimI002EtM3MHdNMNxfnGwJw/CnWimI00ONe5EtMb:2d6Nx+SHSZHKd6Nx+SHSZ7Ejb
MD5:	DF1C8E0ED2200BDAD29BB5E68A5B86A6
SHA1:	67500311DD242A0B554ADB5CBB97BCCDB5F60AE9
SHA-256:	72E9737B3336D415FF75E06A4BEE0F1536B1B58C2C71F73212172BC60B436495
SHA-512:	40476AE6C98F437E629AB7BFAF901663D792390F934B3AD32B141BFE8029155383159FE285C41E50E26CB620AFCD0B1FA2C254295FDD3DE68DDD14F5E8B5BA41
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa20013e5,0x01d77386</date><accdate>0xa20013e5,0x01d77386</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	3384
Entropy (8bit):	4.546830126769735
Encrypted:	false
SSDEEP:	48:pONSvGNwTiNNUBd8dKEGBgT+bzoz7QzM8Y45vl/f4OrWF:gkvGN/NN6uKEn6YXQwMoOr+
MD5:	8F4DED883F678051B34684898FCA42C1
SHA1:	95138326896D7E394AB6E69E12A5BF45952D56EF
SHA-256:	EFFFA36F8FCE3897799F1ED80A93F656F7D46B5E17E226C438690980BFB09D62
SHA-512:	D46EBA8A776D6B076D53D6E4A1D3AA8510C8EDC5A90BBD6C0E6797BAAA453256158D30E66A92D850CD4740152A30F19A9975DF56D46547631B393A24C3989DEB
Malicious:	false
Preview:	.h.t.t.p.s.:././.w.w.w...t.o.u.s.l.e.s.d.r.i.v.e.r.s...c.o.m./.f.a.v.i.c.o.n...i.c.o........... ..............(... ...@...............................................................................................................................!.c^..........................................................aZ........................................IB.....................................................E>...........................................XS...............................................................................................-$.................................................................................................................................................................................................................................................LI...................#..#..#..#..#..!..!...........................................................................#.#.#.#.#.(!.(..&..#.....!.............................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\f[1].txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	138064
Entropy (8bit):	5.5669460283060115
Encrypted:	false
SSDEEP:	1536:2Xhvx2zPDi4gC4lsfg4tS+kssmhpfWTxK01CPYxStSTulj6JILDrJOF7R7lMMdPm:NzYl67k2gJxCj62KR7lX1RQ69PM
MD5:	BDB37E14039F70677DCE242D596CABBC
SHA1:	8AD1E0BB3A471D584F6A5ABCACB7C1D3ADB573D2
SHA-256:	BE708150523CC8B5E75C597397DB27DA8A982A077BD14EDB0164EA097C3A7A62
SHA-512:	793978B9CB5C394827E7F0177F625D6A1D51E6BBA067A8BACCD9E96053D2F24ADAC3F227758F17A540FD242557AAD22F768D23518107D4D60EE47657C6A96BA9
Malicious:	false
IE Cache URL:	https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Preview:	(function(sttc){/* . . Copyright The Closure Library Authors. . SPDX-License-Identifier: Apache-2.0 .*/ .var n,aa;function ba(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a}; .function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var fa=ea(this),ha="function"===typeof Symbol&&"symbol"===typeof Symbol("x"),p={},ia={};function r(a,b){var c=ia[b];if(null==c)return a[b];c=a[c];return void 0!==c?c:a[b]} .function ja(a,b,c){if(b)a:{var d=a.split(".");a=1===d.length;var e=d[0],f;!a&&e in p?f=p:f=fa;for(e=0;e<d.length-1;e++){var g=d[e];if(!(g in f))break a;f=f[g]}d=d[d.length-1];c=ha&&"es6"===c?f[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 24 bits/pixel
Category:	downloaded
Size (bytes):	3262
Entropy (8bit):	4.485268324024185
Encrypted:	false
SSDEEP:	48:wvGNwTiNNUBd8dKEGBgT+bzoz7QzM8Y45vl/f4OrW:wvGN/NN6uKEn6YXQwMoOr
MD5:	0580BE944FDB0CA958CEE222CE2C33EF
SHA1:	76840612E4FB069A0257E1D541CEFF3E05258C5B
SHA-256:	EFDCC2E389940AF4E17F30027E2DE083A4A6206BD93865D573F35AEB24D48548
SHA-512:	2EE223EE90D804AD96C7CD34B37FEE91B04426BBF03390AC3D5BA25D4636E7F0CCE0BCD5F96DD8CF04FCA197C2A4A049EE47FABCB93942558D8117A3803F1842
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/favicon.ico
Preview:	...... ..............(... ...@...............................................................................................................................!.c^..........................................................aZ........................................IB.....................................................E>...........................................XS...............................................................................................-$.................................................................................................................................................................................................................................................LI...................#..#..#..#..#..!..!...........................................................................#.#.#.#.#.(!.(..&..#.....!.............................................................1.2+.2+.1.1./(./(.-&.+$.*#.#..@;.......................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fond_cadre_gauche[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 20 x 1
Category:	downloaded
Size (bytes):	96
Entropy (8bit):	5.537374739988986
Encrypted:	false
SSDEEP:	3:C2lmRKVA2Hy8jGYF+YdmRa//lillhojE:6sq23Gm+YdQl74E
MD5:	C24692F799AAF2F5AD6639C6B7951AA5
SHA1:	41AAC8D27A14C1A44E0259624B26FD34A548EFFD
SHA-256:	F460795DED908CA63FD1EDDC5A41FE275A916A0DCACDB7A28E2B3D37FB5E36B2
SHA-512:	560B7832F0AA1E02BBDA31A5BD25EBD69EA84CB856F2847B714F6D1F2410D3B104D2C8A6FA9D8B6CAEDDACB01E97F8C6964B48D6B387E3879474599A447D6D4D
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/fond_cadre_gauche.gif
Preview:	GIF89a........L.{.....e..)b....;p.......P~..V........D....!.......,.............EL.....@O.F.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\host_name[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2193
Entropy (8bit):	7.889290673872146
Encrypted:	false
SSDEEP:	48:dM1pX9knogc+HJ2F6onxETbr5a+OwenXz7mD7paMfQ3wPOe:q1sndc+U1ETbrdxenXXmRffPOe
MD5:	AD8E6747D4030231BA900F9B099E7290
SHA1:	3510865939B06510F48A73495B9EF09E8B325C40
SHA-256:	B3208CACE7FFE15BE999E3A06335FDADF465F4AD9D5B53817C73AFD78701CB26
SHA-512:	99F12AC94A7AB8753B3D3F9667DFF84819F0ACA27F092282FC2127F20447D4102813886C7D34A7477A80B568D2D7E060791A3791622EE33196E76EFD0A95D5EA
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/host_name.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...3IDATx..Wil..........z.....$`.7.0k.H..v.J.!.^.J.$.">T.P..Z..R.D.UT.U.4R....BK...u.q..s..X.w...k..........&......{....3........1.J.A..y...i.d.L.....&..t"n(J.&....L(.\P..X,.q.....ZZZ.L&..WRI.f.....w\|.u..'<.JO{..\|..n..H........7:/....$M..e.mmmp.\3....QUU.UU.%P.z.?:..U.6.....w;..9\.L.?...:.<..%.\|..9.._.....(.7.L..\|.x<.g.%..E.}...[..>.../.Kf..S...W..............`.......o...\|C.m.=...7..I.f.w^\|...Ub..#.S.....7..n....J[2...*.............xjw....l.}..~~.7&R/t...9..`$...'.z[.........1.....#..C.....\|.S.ry..w....n.e.....$.&.3`.Dd4.B ..@...PT..h0."TC....Ze\....).......ZZ..^{....7h.=.R.D@..=..V.....A.;........tH..........4.x.....hL./...aC$.`..[..5}.QI&/.!@.....Mc..c.nug2.i..O.}.?......?.A ).n...8;...7.gc""..,.'..L9.i..oRh.#.k.W.l\|ty..1.;}.':;;O.BS...........a..@....R....=:...f..,"..a.3X.a..Q.....L.C.[.V?m...i)w.[....3....-....$<K...N...........uJ....w=..._.(..^.....,...Q].ry..e%.;9'.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\loader[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	263
Entropy (8bit):	4.845707282245
Encrypted:	false
SSDEEP:	6:Qr/8/iFSgbDRWs+Oi+8mgO9l3sGAicLmsBtWcawncG5n:YYiFxDRWXu3xAixsj0wn35
MD5:	939C4AB6F35E346B2014E2719E073E03
SHA1:	A24ACAFA350E3CF1DB80557BF1F5FBF1F1F0F842
SHA-256:	45FCB9A07E3F111F6EB17F93E31450B0D60240FAB0A8CF361478D12F3CA908AB
SHA-512:	0D87F0CE57463594E827F30DE056008A8875B77CEFD45BF0B347ADBC466D03998FE68C3A616D1001B038906160A094BD7A12CE4F05085CDD34F39E6AB484D2F3
Malicious:	false
IE Cache URL:	https://cdn.appconsent.io/loader.js
Preview:	'use strict'.var baseUrl = 'https://cdn.appconsent.io/tcf2/28.4.0'.var head = document.getElementsByTagName('head')[0].var script = document.createElement('script').script.type = 'text/javascript'.script.src = baseUrl + '/core.bundle.js'.head.appendChild(script).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\memory[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1077
Entropy (8bit):	7.775326271252012
Encrypted:	false
SSDEEP:	24:J8Uvz66BLEp7oPKfsx3OuDivHwaMVAYKpFUOqqr:J8+EhzycHfMVzvYr
MD5:	2BC67C912BCC4A8FCDDD17D405A1F3D5
SHA1:	986EBE371D7040D1740D12AF537BD9755E411781
SHA-256:	EB7813C98D7B33ED273059B95B781918B53F1D02AE42D888577BCE7F8F7DD61A
SHA-512:	55D6BE705F771385C09E5D9E05DA0BFE396FFAB853B884C7C1FBC77D249CF1AAFC1832004F1741D0246CB280AE05DE40089F79A90AA75855675E79FEBA2646B3
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/memory.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..V.o#E......k.v.I8r..:8...DC......!Q .._...QPSs..@.....%$qrk{vg.7.^...).g.....}....{...8..Z9.r`...; .."V..5./.s...z...9cp.73.\4.9.X....5v.....l.7....y...Y.6...;.....^...xT.;]L.)..........Rhc ...9.'....t.6...1h1z.Q....yQ ...w>~e.......NOO...q.qL.J.N.....EB.!.8.Sr`.tVSv..1.4..%.9..C.XlN(.....s....v..Q.i=.........B.<.N,...0s.7:H..S.].\..T......?..;......s...."9...^O...1#.....BJs.......6 p..7H.h.I.5...2..?>~.\..hd._.z..\|..Z.D..@...h..W2.Q.\......V.Q...b..Y+/F..K..P..J.....G..<07.l...A^......K.\|..7N.. BWH...~.PM....p....;.l...d./S~).Qnum..r._A.5.0..H..8c.........U.(..&.V4...QS@..Ui`.......W4.]X.Z..L.....j.7;.\|o.Z-I.t...._~... .=.1t.k.:..`c.d....5dM....A.0..}{29}.........x2....F?b(.Q..gPQ...97n...._..#......W........9C..gKx.....9.q..?.G?9..{o..bw..7.......'(MM.<R;r.....9<....wt....D;...r..L.6...H....:!j..g...t.p..QU.A.....Ht.p./......S...i(2i..0l...Y..D...@....=.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\motherboard[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1286
Entropy (8bit):	7.774039023750853
Encrypted:	false
SSDEEP:	24:LLXrJ8DTdqPB0iXo4ApvL9Oan+Gkn72PQjUtnRHNpB1MJLdJOHCidTsR:LHJ8vddiXivLEFMPQIBRxe7J0sR
MD5:	8B0DF2F8C82A0E94378DE269173A6245
SHA1:	445CB77AB76C36E36687D512882A9547E169FAE2
SHA-256:	7624E79929506F747AAB48020B944198DE22D008CB3F94195B8FEC3C88044BD2
SHA-512:	24066AF31B910A99FE18BEE33AF2632B65AADBCACEBFA8BEE4E60427A985EE3D338F3CAA8FB63EE3C8BAD9D621957458E130F55256A3C0751B0881F895D83077
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/motherboard.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..V]L[e.~........e...c....dH....b..c.,.......%.h\4..g...-t.#..O.*.eA.8(......=..=.._.@7...79..s...y......TU..4=....8$pH...PZ'.....z..........A.1..I.R..f0..]_RR.C...@WW..:`-((8^VV.YXX.n2....b...A......L...u..^.]4..ZZZz........M..rLQ....DQ...\_TTT_UU.....{8..y._TfF.$6s/..C`?.....&...@....z.H...>!A.....EA]]...#....2....g.D...x..3.z.T]]..h....f(...'.F.eY ....}..v........YS555....:..=//..P..@u:]:.d>z.n1\.\|.......<tv...i4g&.6........k....D@...y..j......444....lo.LL......eL.._..k.=..f...{B......g ..x..x<..P(. .p.L/47.@.)......c8&.....(.c...r..M....g....<...6-.v...F...\|...6[..W<..^..Nv..:.....H../..)y....{Mf..t.2P.Y.i:.b2..&..z.aaqxvv...r...b2....&...<X.......h\|...._....!.6.....=..{w.->.........q.UH!%E6..n.W.P.$.$..g>....:..6.x...M.2...%`y......<[...\|.F.c+...{DA...[..]....<.yDU.AQT..UD'PL.....$..h.rs.z..h.%)..z...\| .....KX.Nb.<.(.yh....._......G.$.b.X..c.$!..;.@.F2...Q.,....W...#.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\option_moteur[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1022
Entropy (8bit):	6.064376998696999
Encrypted:	false
SSDEEP:	12:pKSinliOl9outoBvk+/O7bUCjSfLZYRHHpwCif+iX3:UGSpe/yGz8HQGiX3
MD5:	C4A9703806307A8F55D5D0DEB047EFCA
SHA1:	5C8A91273A6A2B36E215E2761DDFBE9A7970BCBD
SHA-256:	F76A5BA234C7A9DF93A5566B3ED9E9562934D589F610079418525C1728775633
SHA-512:	D7CB660411B5EA23A68B1D7C0446A1D70804658397705E6BFD87125ECB1F5D87BB19EEE31D56BD3D4DEF9BC7982928E1D92C3B93C05CC48EE70E0FA50E70F779
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_moteur.gif
Preview:	GIF89a...........%,....................KII........^`.49.#+.39........./5...<>.......\|~.+0MMM....8;.PT..........ty.6;..........FJK..B....._%'T)*.EJ.^a......6...RW....48..........................ccc.....d...JP=.........?D...>...}........W[..$..be.....-..QQQ...x\|.y}......?::.....&....3..___.......VZ.............JM......FL.RRRC.........")...2...BC....hk.......JM/...MR.....===......[').@F...222....BG=......N.....PPP...<B...AAA...+1.....9>...svE$%...<<<.....................................................................................................................................................................................................................................................................................................!.......,............!.a.(.%@.@)\.P@........b&0..)S.....Y.hM..V..pcH...yD.....464Eq..JG.v..!Df....@M84...>..t8.GI.9A@..4HR..j.. .(....I.Q.....#"9(..#O.6.x1.....(<i...#.Z8...'...u.\.(......0i....;{...#'...2. . ...\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\processor[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1132
Entropy (8bit):	7.78418742492434
Encrypted:	false
SSDEEP:	24:LgcGvPgI+5dyO6dKS/LOPcl1yIhYvEvIFeAEkMrNgvjscomC5H:LgfPgI+5ZzYLCpvDVMiLHOZ
MD5:	BFD62B86E92836CB415C208E20041EA4
SHA1:	8F77DE6D4CFEE18FEE144F11CAC3CCA29FD3FC8A
SHA-256:	4CF76316082969F2EF3200B2E6B7EEF27A9E715E208CBC23DC5BC7987AD2B1E9
SHA-512:	BD1E935FD56C43D829796545829FF6FA0898475778FE663CFABCF30782951C452A6157D3212BDF15A8D738FAC3AE481FEDA5A9DC7B0ED0DF22345D7FB797156B
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/processor.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[O.G...=...0..v1-%.`.8i." .V.J...U{.....w.D..J..R.P...%.B&F....166.k.=t....G.zF...9<...}3.,..B.K.....h.\8.}..........E.. @..}..}..4....)).14H.:w.......M........\|...jvY?.\..=6.-C3.....K....O..8o...~......t........c.C.S#C7.=.n......kY._.Nx...w....\|.....8.^...\|...^.?{.o....:z..n..........fE2.R.B.D..G(..dE.......\|..]....,.........}.>_..#.z0.G.}.S.}.....w'...5.lN.U.<...f,.R.e..$.3.}a...o?....f.........N)`...]N.g...{.....aiv....G.{0[.iZ5.$I.C.$.>....v...1.wAT+.{.1oN.x..u....P...)..._.c-.v.4~\|.+Lf.>.9...%.B3...bA.....T..`.I.EEQD..C".G:.F./"/..d.y.........v.(.aX.E.y....-..[..t4 ht....u=...F...d..0...:XZ.....aWvM!.L"..X)..e.....e...X!......T..R..Vv5V>....&?.._f~..i.....v..;..P.f.@[...6G4.E1......).).-....v:.L.&..>...N.9...%..k.....f..y.]....=@....g.x&;.4gO.\|..Ti...g...J..X..V.U.....eN....9../..............'C.g...N..Z....X.N...Sr...,.r.vw!..H...._\>._.....V.o..._...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\resume[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	3089
Entropy (8bit):	7.91147236565472
Encrypted:	false
SSDEEP:	48:hA/JGMA5AYHNw0FZRIV56tlcx6qdE0pbH2boCXbDD7xCXFK9koyZcr0kNoGUx:hA/J25AYweMpPxlEnYXeyZPkNAx
MD5:	113C088A7AF096B0780EA8C7EFE9A05C
SHA1:	5DB34253736A4DA8A4B399F412391C9076E2A443
SHA-256:	41D08DA568B2A2E8703144828DCFADB56D8AB31B221FA8439D26FB8ACB30F80A
SHA-512:	0DCDB93D9DFE821239749412DE2C346519D69EDF9B3E8C1683AB736212B7F8732004A955614511DB420EAD95F0E0CB33E2D9615A5AE3E23857F99D837162E382
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume.png
Preview:	.PNG........IHDR...0...0.....W.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx..YkL[..?.....6.........B.4.J..j.Nk.t...K2......n_..U.}i...&u..tY..P.......&,O........{...^....K6U..\s...w..w....q.M.h..oO.<....@...0....;033..B..B......H$PPX..k...fs....x.......h.d2..D".(..L...7...F..OE.h0........k.T.v..u...7UW....2.h.r ......47}V__.Y......zOO......PZZ....q.#...;vn..B.....{.z}..r...0..E..D,..\N....@0.64.}~...sii.}\.K.R.}.6.......o...q..1...;^.....z.^o.e9..^.&..9R...?..l...[...sL.q.X.....y....]?u.'...]..$..h.eY....}.7o9.g..333s..~4......e....SpoD..W?.....u....`.5......4.S.....OT.r.\b..?.,...v..\..h.Z..`)...y\..Q........A..m.u.2(..@......7XA....ccaG.u...... .wzfy...n...mY.i..s~>...!....0R.F.(P\.DA..1..b;@...~.z=...].(;>..T.<.......z..Z./.s..\~\`...Y..`......9....Q..x.....x0.......,.0K..@.b0(.(....vPZ..B..B0.{.H..Tl..O.xp....;.70.oij<......`$.d..!.l..Eb.h.3..X.........o~.r..05=...x.td..ad.q.&.hP"............LS.-S~........A0....Z/...8..P......l.V........P..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\style[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	24423
Entropy (8bit):	5.069870974752049
Encrypted:	false
SSDEEP:	192:d2wjAMhAUn2J52n4sEcjzg7aD8JL8fWAzy4AXqCFxdlY88E+7ubSL38pR9fOpG5Y:iezPG/4Zx
MD5:	45A9ADE38A96D6750D6B38B769DFEB06
SHA1:	AF7D1E493DEFD724FFE8F79DBA72BA3EC750897E
SHA-256:	104B3BB884AE25296EDE724AF5AEDF559BF5E51C8F38F5E9090F1B97E0484EC3
SHA-512:	650C5C4A9833FC23A8DF24BC23031DA8E8269920914976E492027ABEEFE44B66E8D54225E724AA6ADFA3650EAE416A1201E3446B739A98B60E7F68BD62DCD050
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/style.css
Preview:	body.site..{...margin:5px;...background:#F0F0F0;...font-family:"segoe ui","trebuchet ms",tahoma,verdana;...font-size:13px;...color:#000000;...text-align:center;..}..div.div_principal..{...width:988px;...height:100%;...margin:auto;...padding:0px;...border:1px solid #000000;...background:#004483;..}..div.menu..{...width:100%;...height:25px;...margin:0px;...padding:0px;...border:0px;...font-size:12px;...font-weight:bold;...text-transform:uppercase;...clear:both;..}..div.recherche..{...width:510px;...height:25px;...margin:0px;...padding:0px;...padding-left:10px;...border:0px;...font-size:12px;...font-weight:bold;...color:#FFFFFF;...text-align:left;...float:left;..}..div.options..{...width:auto;...height:25px;...margin:0px;...padding:0px;...padding-right:10px;...border:0px;...font-size:12px;...font-weight:bold;...color:#FFFFFF;...text-align:right;...float:right;..}..div.accueil_alphabetique..{...border:0px;...text-align:center;...line-height:20px;..}..table.tableau_haut..{...width:100%;...h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\touslesdrivers[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	17150
Entropy (8bit):	5.39774626082103
Encrypted:	false
SSDEEP:	384:4GYyLZTviuBFtpRSy+QytqNqTpRSHNkrK6z13mAZJSF1KIZKlpj4Up:kyLZTviOFnR1+ftqQNR8M7mJK7Lj4C
MD5:	88DA5EF5222E92651FAF2358BFCBA19E
SHA1:	8503805D80717E81F2E42CC6DC02E51209C5D350
SHA-256:	45165DE545F39D4DB70F0EEEB93F4AE7DAFEEBB91252B839513929BC4089F544
SHA-512:	65F8A7F707CF601C2103A7903115446C09896523B75B781BF6628F906DD8C1FDB62EB239E4066CBB4112CDA12D5FBC04229ABDE89C0A2784B7E22608AD509868
Malicious:	false
IE Cache URL:	https://tags.smilewanted.com/formats/corner-video/touslesdrivers.com
Preview:	../* TAGS 2 - 2021-07-07 16:02:43 /....function create_pixel_ad_sw(){.. var smile_img = document.createElement('img');.... smile_img.height = 1;.. smile_img.width = 1;.. smile_img.style = 'border-style:none';.. smile_img.alt = '';.... return smile_img;..}....function getRandomInt(min, max){.. return Math.floor(Math.random() (max - min + 1)) + min;..}......function insert_script_js(script_src){.. var insert_script_js = document.createElement('script');.. insert_script_js.type = 'text/javascript';.. insert_script_js.async = true;.. insert_script_js.src = script_src;.. top.document.getElementsByTagName('head')[0].appendChild(insert_script_js);..}......function insert_stylesheet_css(css_src){.. var insert_stylesheet_css = document.createElement('link');.. insert_stylesheet_css.rel = 'stylesheet';.. insert_stylesheet_css.type = 'text/css';.. insert_stylesheet_css.href = css_src;.. top.document.getElementsByTagName('head')[0].appendC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\windows-10[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	795
Entropy (8bit):	7.635887404652688
Encrypted:	false
SSDEEP:	24:sj+XPY9NUyr8wmHDw1GcJlsYi2j2cFCD48:swkH0HDwZ5Ck8
MD5:	70E6CA2183E6990D2D07C64C812B8610
SHA1:	620BC3ECC5D4DC8A31674974DDC894BBB9A7C03C
SHA-256:	5C5ECDF1D507D2FCCA0880DE4548BF435FDBA0895381FB983D2A3269AD44D4C2
SHA-512:	81861D2DBF3832F7C67E15DA7D713FE8D444803C8F422599C7340A2F5FDFA8038574EB763C0A121943DAD05BF59D7E8164783543BF30F3CD89060BF16EE6EC7A
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/systemes/windows-10.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..W?o.P....(...).i....G>..R'.G@,H\|.&....0 .:.!.Z..1t..H.U-...mH.&...g?'i.qb(.x..\|O.w.{........(.......7_.H?,Vr..OC>.:O$..G.Fl....T.+..-.SW.,...Y....&..)P.W..4t.!KhmM...t.s..u..\|#.......3_?@:...b..D..g...i)..R...w.1...u.GA'@c.......I16!.@.P..?.2.5...m3.q.m3.?X...&.<.9.JAa.t(..P.l...x ......A.8H...D..=@..!.Gb.u.d..F..i?..E..u ..1L.....@1wE l.p......0 ....$.Ib.Y...v.~.. .r..K.~.^.D.m.G.&.%.J.e....lu..q.........t....z...}Q.t..n\S....,.I..../..h.Gp..p.Xn....XxNsb?.@...#i...w.....k..}.`m.....".....T.g0.+9.+9.]....y5...G....i....N..\|.\..a...)!.$]..w.....jN..M.....=.:.fik...os.A.....x>...P..w63]..zC....p..6:.{.4j9.}<...n:&i.D.[(}oN`]..s.v..F.@..Rwh....f.....ky..S.k..I...-.....J.f....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\aide[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1070
Entropy (8bit):	5.7516212260153265
Encrypted:	false
SSDEEP:	12:W4z/2hyWMt8VVv8bCX2pzlFUqsh4+wab04H25u97QCGl8Knq+O/A9ELdjF5RBphw:7zLATtMaYdMQCa8Kq+8iGpzw
MD5:	F0D40551F94B4B5C709B00858474EE18
SHA1:	8ED6447D78E62966031DD75B0E7E2FBE65B7C2DE
SHA-256:	DB979530CD662BE3DF8742FA1E68E30B5797F84A32F07DED951C43347D4391A2
SHA-512:	9A413C2B862D12DC3F55354B793483781A597A656E40A37BDDBD7E7BF701F20CE2ABA05C79089D4CC6E8B291B3179F6661D343A12102D485215A6787F13A7890
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/aide.gif
Preview:	GIF89a.....................................)_.'X.+`.(Z.-b.+].[..b.0d.-^.1e.0c.2e.2f.4g.3f.2c.2c.1b.5h.4f.4g.2b.6h.6i.6h.6h.8k.3a.;m.8f.Cm.Is.]..c..g..q..........bgq.......................................................................QSV...........................................................................................................................................................................pppWWW..................................................................................................................................................................................................................................................................................................................................................................!.......,.............)3E...8n.9..@.e...(%...B..@...PBBy....3...P.RO.0`^......2?X...(../qP.P..P.%OZ.x....<..!....1P...5.."..*J.G...#..1....[..)0......(Z.!...a........^......k...A.....\..a..0C...c......(...A.+4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\coin_bas_gauche[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 20 x 20
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.5004875313232535
Encrypted:	false
SSDEEP:	12:E8VfIPuPvm5alTEUNU4GskL5TkM7p348/WgY8DfZiopTmX9BUnXeN4:E8Wu+algwULskxpp3ZFYSi4TmHqeW
MD5:	F15847DF515D7F4B6C95C1301919D0F5
SHA1:	31B9F56EA0598C86C514E7DC32A2B314274E3566
SHA-256:	AF65CB93C4094FA0B363881CD59B48887C6CD5361A1F10BD0924F5D215F0FFA4
SHA-512:	2E872EFB5D7DEA272B12E79F5C573856D6DD72777AA156B3416BEF302863DD90F7D7744C1F9AF905DC3A142C9AD1333E65C3C8971CC438966722104AC5E30B6A
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/coin_bas_gauche.gif
Preview:	GIF89a........J..R.;o..V..H.V...F....c......r.......Bt.b.....8m."]..K.......f........"].L\|.N}....Ew.d.._...E..X..M.(b..E..G./f..N..................1h.....P.h...T.P...S.6k....4j.......x.........I.'`....)b.R..v..k...........Z....Ew....S........=q..L..O.c.......\|..j...G..U.......X..&`....Hx.......\...Y.3i.....Z.u..M\|..L.....K.....E....Gx....+c.....L........D..................................!.......,............tg..NA1..L+Y..<s..t.W#.3.T..E.8_R...2[...:c..j)J..st...7]`.(?D\F...t%PG&..U;H.^9M-..$O.@...B/X6S.r-..R<tt=.b.ZC...,n.M.J_...'!..0.a...lXL.a$...t...@#...K<...@../\.@......\|.HR.B.4..4 ..u.j... B....Px...LJ..@.M.$K>...........1.)....hyPe........k...S.t.P....1.......Q..p.E. Z.%.F..@L. .Ib.....0...-#.\....(.d\.0..D:$J..0.L..t...;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\f[1].txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	145
Entropy (8bit):	4.498125758800745
Encrypted:	false
SSDEEP:	3:xRqzdK6JAJuLRLOdK6J9QpH6yWHaEHWcHZaE+kpHsWU+J60EHQJq:xReLJRLSLJxyW9HZlsWU+4QJq
MD5:	1A92A1FD251BD6AA2A01FA62F1341B16
SHA1:	E8C29B7B0C5DF6D3730D94F567F5985C7C9FC539
SHA-256:	676D52535C21965D7FE22AF9731986407A002C596AC0E8A1011CB0525D79FA63
SHA-512:	BD4F30640E35596DABDFAA26D0E0C1A9EAACE9378DFFFFD98A12890D23BF3A8468A8D43FFBA744400F93F0C7C1124561CFA8F263C45D3A20247CA4A562F1A05D
Malicious:	false
IE Cache URL:	https://securepubads.g.doubleclick.net/pagead/ppub_config?ippd=www.touslesdrivers.com
Preview:	[["touslesdrivers.com",null,"www.touslesdrivers.com",[[null,"1015413",1,0],[null,"1023879",2,1],[null,"158819131",5,0],[null,"6917646",5,2]]],[]]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\graphics[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1553
Entropy (8bit):	7.830135956630017
Encrypted:	false
SSDEEP:	48:PIoZkEDW87Kb1ShdyPZ98wHrHUWj8gr//7ExMT:PIoZkESpREyPZ9PHrHUa8+G+
MD5:	FC611C23DFA2DCB45B81E655FFA7917E
SHA1:	4A089C97EB976F8F1B6E63FE258C41AE2C30A04C
SHA-256:	3CE5A65EB73B13A87CD4074C4A57519663D8DCEED164B07842442980E5871B0A
SHA-512:	9C845A8166A9F8F0947778CA54D0A25AA6501074CEF0F2B06E4B4C114ABF01BE5981E94B0B3B22635EF74F28399636D66EB1D4495228CD263048A0A53C1A45AF
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/graphics.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..WK..E.=...{.g...@...4#.0b$..+.$.\d...U."..+!....C....].H$.... J$Y..D&L.....{..U.~3.7...i..w....{.j4)%...._..0.$Ip......}s422R>u......9.(...r..m(...m5....>\|x.......977..k.F.oc..B..F..o..J%.R..y...V...@.%...Hy@.].1....i...........q".Q....=..2.u.;/.T#Hx...r\".3.}#.\.......$d&3F_.~.....X.......AQ.6.Rr..iD.1M..8pL...M...&.A<.m.CLY.........J.;P.c9W{.....5)....Vh..l.-.p.Z.!.'&...D.~..j.....0.....w....w$"..r.X.:...!."....<....Ty."'.....#.;.. X.bz. ..)......2...X...78..T.:.z..N..6........[....&.m...>a..s).f.Cp.H....>$...f.......G.`...T&gb...@?.Q...>.C.i\P...p...'.R....h.i..k.B"Y3...[.gG..\|T..J...'.".mZ`.Ch.D2E..pC...M'"gZo......oP.9...2..)...0.e.H%.H.t...L..6.]..#...K..Up9C.J..\...P.e...@1......0.c..c.........t2.p. ...ew.B-.`@..f`l`.... r..:.H(.h...*U.W....q.y_.c.!..D.px../0.\..N.t..[.}>WD.3.V.@..`..qj...N.D.8................q`v.W~......u...]!....f4CF.iF&....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\index[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.2516964360365215
Encrypted:	false
SSDEEP:	3:8ROFKGQIeRvvXbvx9M849RvZ8ouRYQxdzfmEZDqDISLxOdK3MKbHY6Vrxh4z4uhv:AYSIaXLxu9RRtuHzHgLxSbKbHY6TM4n4
MD5:	07EED7B5172684A3129E0ECD0B2FCCC4
SHA1:	3C5079950C57E9EF28A7D771EC6B6CE7125A6E0C
SHA-256:	CEAFB5D7DA9C6B37B506ECB23CF3C212A31F5D9EC3BD1D25C21BA24535206785
SHA-512:	DC622B7AB54FD0350DA295DD367BC24054FC5F61A9CCF483EB5841C4CE87EC0DCCEC82FEA2822247A89400A7AA40E548F35103072704B758172E96AE5958D724
Malicious:	false
Preview:	<head><title>Document d.plac.</title></head>.<body><h1>Objet d.plac.</h1>Ce document peut .tre consult. <a HREF="https://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM">ici</a></body>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\logo_fond_bleu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 230x90, frames 3
Category:	downloaded
Size (bytes):	9555
Entropy (8bit):	7.940269913655646
Encrypted:	false
SSDEEP:	192:ZrZ47bKsgDpBHt/PNm8cfj+8Z5CK1JZcizICSSWVAp8eY6KMJUwjRTUAnQ4J0P/:DlpB94/nCMJZ9zrZp5JU43nQTX
MD5:	23E22ABF0229B627DA00445714AF9AC3
SHA1:	AE9DEA0D5132D9819362D7A21DF8FCA270D4BBAA
SHA-256:	B1428BA0BB29A2709DE20C8AE63E4366F6E77B2B9E9CF72AF8619758F06BD3CA
SHA-512:	5DEC3E39244E4B883212D497B6FF27893BD298C3BEF0F3D51207EDAD0E65A9157276EF526CDC35E65DE777B785CE729AFECA3982F14488D78715110808813282
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/logo_fond_bleu.jpg
Preview:	......JFIF.....d.d......Ducky.......F......Adobe.d.................................................................................................................................................Z..............................................................................................!1A.Qa.."2...BRq#..r....$...b..V...4U.......................!.1AQ....aq"R......2#..B..3...............?....l2.t..d:[t2.-.......Kn.C..C!....m..t..d:[t2.d6O`t2.m..O.C!........y.~....u..t...X.'...u.%....2.`.Gq....t2.gn.C...{$..2.g.s..v.C..9...C!..+..}....PGq....t2.-.......]..FQ.[t2.-.......Kn.C..C!.9..VF..q.(d...u..(......J.\~).Al.v.......t..R...`...t.'JH...Xi&...}cZY4....../.n..M1.m...~.u..HSqR..h.VB..=4.:...\.F<A&.oj.&..e.s..2]p x.d:...$OB]..2.@.:.....A..%.t..RYX.....aK..I.eJd...].).(._.<Bu.........m....g.\|.].....2x...d..o'.).......o...!..X<x{.G.\|'.,.......)...Bn....e._.JK(AUM;i.J./.5.F..R..\|.R.}.'.o./...U.G. \|......QM.nB..%'..w.Mb....P..(H.k..].S]J.+S.)B..<s.BQ..c.Z.V..Cf..#I.GP...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\network[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1106
Entropy (8bit):	7.764479488532236
Encrypted:	false
SSDEEP:	24:ZO9hdOufulObiyILHNdMUqGCwvU7r2DgCKNtKaNtGcKoxJ813L5Nu97:ZOHddfGOerLEUK7rYCrNt5+1b5Nc
MD5:	627C716857CB369DB460456CEF212FC6
SHA1:	D633581A401417F737AFE99CA377F12238946705
SHA-256:	DAFA2DE794AA0DB620D3C4EC5E0F2F4BAC6584A8ADA34F0A79BB1D970AA0FEE8
SHA-512:	900E572A441CFF96ECB3FB47A876A3C328CC4F1E0FBCFE429DBA0C6A590CE5BFF5E31C4539D3E8EC4D453B3123810CBA5EEAAEAB3C84016207F77968B576182D
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/network.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...o.U.....v&v=.xI..%......"..bR.U."..@......'@B.._.......@H....:DQ....7..8i.'6^fl....V..Q{...F?.y.7.....}:UU.I..O8..u.:@..x.........y.q...C.}.@..2....N..q8....iM$...\|>0.........as__....F\|ii).....:...........+.+g...Gh..F..Y,.O......{....r....q....R..W..G."...?d.s.hv.xmg!5...%..S.....j}..+t...).:#...2.m............H.lM....I4.N...AH]m]..w......T..Y..f..........o..9.u.......l.x#F.2.l..2$.$........Y.k.....l.CK.V-....vuu..\.=&a.9e......7.F.p.li...P..b..!......(.P..P).\.C.../.)LH......(X..Z..,............}...._..mS.I.A.@.....0...$Q.Y.ak..6ogA..h.R...>...k..O..$..L&....6.R....aww..'..z.......0....F..@.z.....H..~..$...p. ......."._...{.S...x.Z[[k..J.....%.b..>.l...4.z..`.).e%d........=dn..;/..L..........\...f~^\\.U....(..zagg....N...G...cL....ld4.$..%y..m/.D...O1.=.$.L........\|.y....y..'Ei....n.s-....~...k.5.x.1\..L..7...Q...9..8.m8yhh....%.8....D.?...`..../E].z..\|.w..?40..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\option_imprimer[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	344
Entropy (8bit):	5.625170380731303
Encrypted:	false
SSDEEP:	6:NO/bp45z4tLXbV3udgXt5tWunZfhT9qw1JfR32Fo1d2:AF4l4t/V3agdzWu/12W1Y
MD5:	52AB34BB7CDBCD7A1A48C8475E64F643
SHA1:	A0A9035A41765EC1D5C86D0EDEF4564C3182C16C
SHA-256:	CF5CD181B19B9E3FFEAE358C8C3E41CAAEEAFF03CF3C682123D0955ADB56C20D
SHA-512:	1F239E01099AC2B3B09F5AAED19ED9CF89EC40CE62F40279FE2143A257A6A3C71FE0251B5684BE1239272507F5F5AF0DFEA6EFA1173C4847DEEC53FBB5903605
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_imprimer.gif
Preview:	GIF89a................$$5@AFy........................M..Pn..Z.CXdu..,l....C[SP.q...$`9..............{{{xxxhhhTTT..........................................................................................!.....".,..........u@.P.)...$..ln..M`J}B..j...x.`..p..h2w....p6.`...x.....?..}}.\.......\...........................I......W".YS......IA.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\option_rechercher[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	567
Entropy (8bit):	6.654219453782099
Encrypted:	false
SSDEEP:	12:x9NetOXBQhvswzdCWRBaxlN2zauIxamx4XpVgHNy00KC:x/45s2dCWRBaKauaBWXCNe9
MD5:	B23F2CC1CAD76B4F1C57621E0AFD7775
SHA1:	FB1C3E2193A551570B39114F7F9010CEAF08EBDD
SHA-256:	B3C26803A31FACEA8F871CE1484CC662B903630F306098DC44ADEBE9753883F0
SHA-512:	461AAC1928CE34E331D84A33D63B4DC51B85D8FEE01C5576800B7CD387B18399FA99EE29363F965DA5F99F1D0D906269A8986767D59801F14714049EFBBC3CD0
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_rechercher.gif
Preview:	GIF89a.................................................................................................................................................................................................................................................K..N..N..O........z.......<.<.=.@.A.......sp.ro.sp....sr.........................................................!.....m.,............m..........m..:?=*......,& 07...Q.!)24>/..-8%.BFGDC..6($@HNPMI..#1'BLSURJ...51A...3....<EKOT...[`f..+;9".._Vdg..ZYbi...\Waj..m^X.!.M.2l..l.f..6...;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\options[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1976
Entropy (8bit):	7.872877123173845
Encrypted:	false
SSDEEP:	48:YMp92RgpMuBbUOhZo17PEFgSrmMa+jIy9I:YMWcMPso1YZI
MD5:	940ED732BF865EDA62DC30F097D1430A
SHA1:	45AFFAD2A061DCB21911563668A9FDE44F4C13CD
SHA-256:	FB3D8F2500CDAC839A8A1CD8483A11FFADC20D71CBBBA4ABFC3387DDD0F02867
SHA-512:	270AF31EB67B6B19E8E20C9815D57535AC727EA2DEA72C1CB59B7D19845289DBA99CFFBB381313768D9D4AD545C4EBEEB09AAA307DDE18F57033BFB723E971A1
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/options.png
Preview:	.PNG........IHDR...0...0.....W.......tEXtSoftware.Adobe ImageReadyq.e<...ZIDATx..Zyl.U.....mA.E...k..r..T..`.(6@....A$^..........E....G AA.pZB.B..r....p.......-...;..ZCd.......s..Y\..)........p1.D............~...l../..9.......t..va.... .l..!..=..{MI..4...q.\|.=FH..mo.i..x.+.A(v\|....J/1.gAv...Q~...rDa..X`Q.!.dI..2.h.w....5.(.6h:.;`OE.u.a.+.1&.&..r.."....LZ.0....s]...2h.V.X.G....@I%.RS.J..;.....T.Y)..tVEb.!)ru...}0>I...8J...'..O.V.....N.$......3....0'p..m=.3Y....o5....n..3....$x...[...,..S......Q..<.c%....R.\|.m.nu..u\...%.%sB....W...#-.B".~.B.\jAOS.+.....o..`..5...B.. .@AH...4.R2...b.*%x..x/.K:..[<......~..{.DT+....."........L...hF.Xz..3..+...'.iX...>.sW..3...\.{.g;....k..#...4..N...t.f.C!...5..8.....a/oN..J\|....E$......z/JAd%.L...@4.>.U.H.I..v.Q...@....bH.K.&.....k..gv..=....&D..x.DK.s..II..}.!..............:.@+..A..WU..\.....'y.........U...qvX.....2...X....(.1j.E-.B1.w.V..g....M..?..p<.^.tJ ....Am.H^9.a.-5L.c...]...3..B..}(....d.<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pubads_impl_2021062901[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	336329
Entropy (8bit):	5.4979853949800335
Encrypted:	false
SSDEEP:	3072:17F0x4/w25h0NHg+10awM1IfruQLmLCAJSwg39P7G+LwgarXt:4xxr9uLaxJy39Pr8gaDt
MD5:	F2DC4879B80EF68790C42C3F0958FC95
SHA1:	A0981897EAB0F18D0F658F29B7BEC2DDC4C462D6
SHA-256:	B3AF206751CC535EA2F272EE9C3B5A3D2CE8957A719C103720234C2A02472C26
SHA-512:	5FDC94896C61891BCF778B9E87173C58DB2CF07052E5F119E2673BFBB2A65CBCD33B688693181256548DD8238E89882B7030A1F382296064B59C3482BED4E98F
Malicious:	false
IE Cache URL:	https://securepubads.g.doubleclick.net/gpt/pubads_impl_2021062901.js
Preview:	(function(_){/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var aa,ca,ba,ea,fa,ha,ka,ma,pa,ua,la,sa,va,wa,xa,ya,za,Ba,Ea,Ga,Ia,Fa,La,Ma,Oa,Qa,Ra,Ta,Va,Xa,Ya,$a,bb,cb,fb,gb,ib,kb,qb,rb,tb,ub,vb,Fb,Gb,Hb,Kb,Lb,Mb,Nb,Pb,Ob,Sb,Ub,Tb,hc,w,mc,jc,qc,rc,sc,uc,wc,yc,zc,Oc,Rc,ad,hd,kd,md,rd,td,wd,Ad,Dd,Ed,Fd,Gd,Kd,Md,Od,Ud,Wd,ce,he,ie,le,ne,pe,qe,se,te,ve,we,xe,ze,Ae,Be,Ee,Fe,He,Je,Le,Ne,Ke,Te,Xe,bf,gf,We,zf,Af,Ef,Ff,Hf,Kf,Lf,Mf,Nf,Of,Pf,Rf,Wf,Yf,$f,ag,bg,dg,fg,eg,kg,lg,og,qg,rg,wg,zg,Bg,Dg,Ig,Jg,Kg,Mg,Ng,Og,Pg,Vg,$g,ch,fh,ih,kh,oh,sh,uh,xh,Bh,Ch,Mh,J,Nh,Oh,Ph,Qh,Rh,D,Sh,Th,Uh,Vh,Tf,Wh,Xh,Yh,bi,ci,di,si,ti,ra,ja,ui,vi,wi,xi,Df;ca=function(a,b){b=ba(a,b);return 0>b?null:"string"===typeof a?a.charAt(b):a[b]};ba=function(a,b){for(var c=a.length,d="string"===typeof a?a.split(""):a,e=0;e<c;e++)if(e in d&&b.call(void 0,d[e],e,a))return e;return-1};ea=function(a,b){b=_.da(a,b);var c;(c=0<=b)&&Array.prototype.splice.call(a,b,1);return c};fa=function(a){var b=a.length

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\storage[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1461
Entropy (8bit):	7.806113204330809
Encrypted:	false
SSDEEP:	24:93qOSZVICK6qPaOvUpQ/7hwvSONPbFswjgodQWJFn/lVyfLP1HWkqub:4OeHKJBDjyvSOdmwBQEN/ls5HWkqub
MD5:	C6D43B97B02A1FC945C88F3CBB645609
SHA1:	4E253786BCF27FADDA2A999FE372519968F1A822
SHA-256:	D3768B9D6DF3F6BBB7E8440FC22E249D2048885E44A5CA8187B850C1A4CD3022
SHA-512:	3B0B8E154B44DBE2B313D4F2940E8707A3104BA0C83BC6FAE9BA5217DA26EB9C3DE332AA55205F132E68655E8AD782218D8640051ED6F0EBDC3C6A9061B90B0D
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/resume/storage.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...WIDATx..V[O[G..c...&./..P.$..MB.m...%.N...=........&...~A+....T.MP... .......ccl..9.Y...H /ya...>g..v...$I./9.S...N... ..T.....$d.&......D^PXP.r...H.T.(.J.8.>.r9(....`0.....J.......l.l...o\|.Rk....}h........g".` G.)..k...X.j.3..d.......S.pDL.D.W)...v.1.~olz.....w..S[[[}.?.D..V.=.%"..y......3.).......vp....;...H..5i.'........S__.E......\|..Q.}2>.........i.L..(Bnn...dj...n].Z.kll4.UJ..K@<....D....p8.V.yV....S....%...(,,T.....kj.a.8.R..d..}..D.4..B?q.c"........=.......O....CYy9TWWCee%...@&.A...8?.4...<.B...(JY.....T..j.....U.h.PZZ.U..S.#..@.....e..V.....<H..)8rN.F/..9!..22.l8.....k@......qM~..E..$..........`.E.N.SVV.^.&:L0#$.fz.<..d..P(.uu..qQj.t.(...,u.(UQ..o......d..t:C....kk.r^...X..^Y9.#......^..8..b.(.l.i......@D`.6.....V.UX...h.X~...D.6...^O.......&t...... @ .`...\|.1.I.fv....\.(4.....H..h.m...G..6..,....j,E....0.:.\|.....455C..Yd...T.i.S.D1....Vk.......a..FcQ.K..&a..a...`.t.b....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\systeme[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2324
Entropy (8bit):	7.887056390234713
Encrypted:	false
SSDEEP:	48:IhPG7RZdhxRKlNy1aWm4wiY3EaTJeTQyeS2z1:Ih+/3xRKlYFztwzT4cyeSI1
MD5:	4B96278270EC17AB767A668989C4F906
SHA1:	C4651AEC1CEA11042CBB78E7765FE5778D39B6D7
SHA-256:	36875AB32B094B7E436945EEC069C29466E6FE2F61A0EEC4E897AFC099D3ABA1
SHA-512:	E233818550D30C354228729EB368EB159BF9DFA7F5994A3F91B7DAE8D21DA2863F93820DA44A3191F4CCCEF324B8F00CA1A2FDCB1906EC624D20DFFC92C4920D
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/systeme.png
Preview:	.PNG........IHDR... ... .....szz.....IDATx..V{PT........KX.P.".(.C....1.5q...c;..j.6.M..IG.T'#M..........X......X.N#.......,.>...{QF;..t..3.f.....;..;........m..LK&{....G$..O.6..-.9.......K.......\|^YYY..b1.7.MR..K.g.^\.@..W,;...}l.J-.i..=..+?)...IK.....Y.C.B.B..`...u.#_.....>fnIII~q.%..by..t.n..X.d..../..>x....H.X....}..;....:-b.#0iR...2%...%yyy.93#2.e.''..GEF>e.1..U.$>.~..Y.s..l..s...S.N....G.HMN2...Jv{.......G..#.j@f..Z..`.n...H.2R.N.Ebb.&.1...Tei.s....~.....#....?R<-.Nfwu..?5. i...sF..h....5....(.....h.^_....\.@..B..@..................y...V.!Wh.%.... ....(.`~J...;2.8t.j..a...........x=..b..=6.._.y..G2p...../...f.\|.yX....`u.X ...b.{o...{.0.&\|..S...6.../v..QI.T.G..w.....,.J9/:.r...R..u.W..EYk..Q?....\|Z$$..s...y$n e.3$sF.C.?k..%.?......~..........d...sYttLJtt,.x.0..HX.....a...>B...z[E@.D@..N..M.0...$........K...;..1.......@...mU.]..j.yZJJvrJ...\|>.....?#j2.\|M......N7.....(....S.r].2&.i.C..T..L..L..k..@'.GQWW...8:..W~v~...+_T...<..v..S*

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\zrt_lookup[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	10178
Entropy (8bit):	5.4736397929046365
Encrypted:	false
SSDEEP:	192:28di1oblV3nWkQO86/Mf085PIoZ+ToHCDZ2pridM:2tyDWsEfF5gy+TpZ2pridM
MD5:	0A37869DAD80436884288D9FD263E34F
SHA1:	A70DEFB0E96A5D81A2559D82AB9896FDA7D6DD53
SHA-256:	20B3BAD1427E2212DD847357841F993F025B5061C4AF1D382DCC727E102CC1E4
SHA-512:	6754AB7373A0BEFAE160A606EEA85DD0B8D55104D47DDAF3CA047DB2490D7193C4511D8D89B0E669CEEB91DD06ECD9193765ADB93935D69084FA1DE6F801B03A
Malicious:	false
IE Cache URL:	https://googleads.g.doubleclick.net/pagead/html/r20210630/r20190131/zrt_lookup.html
Preview:	<!DOCTYPE html><html><head></head><body><script>.(function(){/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var aa="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};function ba(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var ca=ba(this);.function da(a,b){if(b)a:{var c=ca;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&aa(c,a,{configurable:!0,writable:!0,value:b})}}da("Array.prototype.find",function(a){return a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\analytics[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	49377
Entropy (8bit):	5.521008419138659
Encrypted:	false
SSDEEP:	768:/yR3fYFBCwsNDsP5XqY0TyPnHpl1TY3SoavyVv6PU+CgYUD0lgEw0stZK:/y9g1r5h0UHp/Y3SowCw0sy
MD5:	042B7183D8645F5CF9D0D6ACD5FF8358
SHA1:	447A98467EA31E253ECB63EE8564C8B5E1E77D58
SHA-256:	73D6A5EA11FB7BF6E6A6CCD44B1635D52C79B0A00623D0387C9DDDD4B7C68E89
SHA-512:	72AA2F221BB5EFEC3A9C0CBC2D01DEBD827361369F7E84AA613D4CA70838FF68EA2C3300167FB263A4F416A857BABF0354A1FF8B3EC669BF88452633981CA18F
Malicious:	false
IE Cache URL:	https://www.google-analytics.com/analytics.js
Preview:	(function(){/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var n=this\|\|self,p=function(a,b){a=a.split(".");var c=n;a[0]in c\|\|"undefined"==typeof c.execScript\|\|c.execScript("var "+a[0]);for(var d;a.length&&(d=a.shift());)a.length\|\|void 0===b?c=c[d]&&c[d]!==Object.prototype[d]?c[d]:c[d]={}:c[d]=b};var q={},r=function(){q.TAGGING=q.TAGGING\|\|[];q.TAGGING[1]=!0};var t=function(a,b){for(var c in b)b.hasOwnProperty(c)&&(a[c]=b[c])},v=function(a){for(var b in a)if(a.hasOwnProperty(b))return!0;return!1};var x=/^(?:(?:https?\|mailto\|ftp):\|[^:/?#]*(?:[/?#]\|$))/i;var y=window,z=document,A=function(a,b){z.addEventListener?z.addEventListener(a,b,!1):z.attachEvent&&z.attachEvent("on"+a,b)};var B=/:[0-9]+$/,C=function(a,b,c){a=a.split("&");for(var d=0;d<a.length;d++){var e=a[d].split("=");if(decodeURIComponent(e[0]).replace(/\+/g," ")===b)return b=e.slice(1).join("="),c?b:decodeURIComponent(b).replace(/\+/g," ")}},F=function(a,b){b&&(b=String(b).toLowerCase());if("p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\coin_haut_gauche[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 20 x 20
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.448773312814686
Encrypted:	false
SSDEEP:	12:E8VfIPuPvm5alTEUNU4GskL5TkM7p3clnH+PEFPbrKw/oKO05MsKz4Ua7D5pw7uS:E8Wu+algwULskxpp3+H3FjrX5b5B7D38
MD5:	58D1EF5E4D9950918BADDD39CDD5F1A6
SHA1:	BA808305C1198333426F1144B4CC309308B5C9A5
SHA-256:	0D250FEB5FD1F1686D04CB8C78A6A1CC1F390605CCBB5B590371FBFE451949E1
SHA-512:	5B3880D6120B487D2B044D98595B97A1F5B99A22351696692B7680D102707C26BCF29CBD535D52BC22D30BF80B7513B4ADA02CDBD3D1D7B7321E41A2C74A7379
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/coin_haut_gauche.gif
Preview:	GIF89a........J..R.;o..V..H.V...F....c......r.......Bt.b.....8m."]..K.......f........"].L\|.N}....Ew.d.._...E..X..M.(b..E..G./f..N..................1h.....P.h...T.P...S.6k....4j.......x.........I.'`....)b.R..v..k...........Z....Ew....S........=q..L..O.c.......\|..j...G..U.......X..&`....Hx.......\...Y.3i.....Z.u..M\|..L.....K.....E....Gx....+c.....L........D..................................!.......,............t.......V.$%...g.t...=OP.2W..t..'..G.[#..i.."4!.@&7..N.qt .0..Qb..].3A..k..a>.....`..1. .d.5.fZ.U.:T....do.IK.CB;(c.....0a..m...(.@.CA.&.....F....a.....EV.Q..F....x(.'...^.......Q.....M.6,..0....A=.H..A......p....%_*.!.d......y.....rZ\. ....P..pP...$.S..h...9x...z....(~..b....x.L..%...:.(.&.....N.2B...T.4(....)......I....0Y..@......;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\ecrans[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2552
Entropy (8bit):	7.908104740806198
Encrypted:	false
SSDEEP:	48:0A7DrodpiwR/cigbzSll5NQt6M+VBjSnX4jzqkxTQ+S/0xY35/9ymc:dH4/cbzSFNQR+VhSnX4jzq0t1YB9tc
MD5:	18D833E44DF2DD742BE9188284C20546
SHA1:	644EE4FD678BDCA8B3F27A1C6E16D8A425F98C68
SHA-256:	06EB1DF7F5F99ACD74C86B0E47F41EF3DBA445E24883E64A33E667728DCA884E
SHA-512:	2CE913B73BA1439803E62BE8CA04974AC237F9003C58365C06A9C7F7C0CC070A6BB381EEAB3261DA908990214C88C1FB77C27FA4177B3E8D3101BBE429F15CEE
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/ecrans.png
Preview:	.PNG........IHDR... ... .....szz.....IDATx...yl\......f.g..c;..K.....%,J[..".)..E......H..".4@..G(.5.MZR5.5..,..8&`...3.x......{.s..'.1...+....w.s......w.5.Pq.cF..K..!..zDQ.Z..:..c.f/j.>....K?h4..H..qQ....5...5k..Y}].]uu5..jk.......M&.Yv........^...x8&l...b.._.8\......I(..0.3..".M.."..r...;{..!.p..2Qd2Az.g.!. .'E{.. .}#cI.....,..z%....l.U...y..?..y.Q.....(.a...2O..i$%c...I$...$..'.IE.D&........_..9w_ I..=.8.w.k..2.0c(hG(.G..b.XV.......@..Qu.....r..ym!........z..r>.~.s.}..s.....{....kw..E.Y.....Z".J.. ...%..H....<N.>..B..b..y^.n..V..C.&@M."Dp..+.L&w~..'..g...c..l6...=.h>.`F...2+....@.b..?o.a.J.l.....@..B..{..{.IP).d...N..n...+..45.Z..S...b........M.`.y.>e..z+......i... ..t..../.X..#..K.=M..5..p..M?.Dc......]>.j...#...8.\. .[q..l.Q.G.UT............f..:.Ncpp.o..........W...-...B..2..W.c.....U.7..I..V.q...\|.....&=.mV....u..q....=.H$.........4}pe0..ko.Q..2.\|...T..cqV..W.8m.......$RY....sN.W...Xx.....S..b.......G..tv......X...c......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\f[1].txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	277784
Entropy (8bit):	5.512300070739565
Encrypted:	false
SSDEEP:	3072:DkHn6jxH8gd4ICcdF5VWjW0qydAvz3mahbGrxWQyPaJdOnXhKacDBHpto:b2gqICcdF52iqAvTmahbkV0cacDd8
MD5:	28EC0C791D6CEED5874946013989C66E
SHA1:	1DA65838CD547A33B3B5A3BABB8643FFA757B00D
SHA-256:	BEA65CFCABEC36415D41AD2D31CDCFECE92129DE0329D11AC0373AC623F07ED2
SHA-512:	BC6163516DF91553312388A096203A718A0764ADFC25E175A67F4D4C7BDF718FCF0A646A75D70899448DF2D2D79498E61B2773BDE8533F448E5CB10D5170FB21
Malicious:	false
IE Cache URL:	https://pagead2.googlesyndication.com/pagead/js/r20210630/r20190131/show_ads_impl_with_ama.js?client=ca-pub-9949628778928908&plah=www.touslesdrivers.com&amaexp=1&bust=exp%3D31061746
Preview:	(function(sttc){/* . . Copyright The Closure Library Authors. . SPDX-License-Identifier: Apache-2.0 .*/ .var t,aa;function ba(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a}; .function fa(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var ha=fa(this),ja="function"===typeof Symbol&&"symbol"===typeof Symbol("x"),u={},ka={};function v(a,b){var c=ka[b];if(null==c)return a[b];c=a[c];return void 0!==c?c:a[b]} .function x(a,b,c){if(b)a:{var d=a.split(".");a=1===d.length;var e=d[0],f;!a&&e in u?f=u:f=ha;for(e=0;e<d.length-1;e++){var g=d[e];if(!(g in f))break a;f=f[g]}d=d[d.length-1];c=ja&&"es6"===c?f[d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fleche[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 12 x 12
Category:	downloaded
Size (bytes):	123
Entropy (8bit):	5.543481781708185
Encrypted:	false
SSDEEP:	3:CkGlpGB1GQl+zaXaaa/lwljr6spSgtd5im6We:HyW1Eea5dIS69e
MD5:	93EE8B1F523DAE138C009317F5901E5B
SHA1:	805A8CBAD70517540ED6DE3E57771B3230F35854
SHA-256:	41B3BAB569F3397D8CA19738D8CE5F4A0BE337F09F12E18B06AE71A6594B172E
SHA-512:	37A75C2DD7CE42B444CA4E7ACCA537B674F07D4AE0A38086997BED8486130902584DC495636FD4D5AE92EEF9860C2D9613513AEDAE5152B3ACA483296DB03C4A
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/fleche.gif
Preview:	GIF89a.................d..k..n..x#..K.g..z.................!.......,..........(..I....u..\.m.1.g1... 0....!us.%._gH...;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fond_cadre_bas[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 20
Category:	downloaded
Size (bytes):	96
Entropy (8bit):	5.495708073322321
Encrypted:	false
SSDEEP:	3:CBM0KVA2Hy8jGYF+YdmRa//liZCMJn:wCq23Gm+Yd4ZCMJ
MD5:	76FE5C98A87C786DD24C78CC83BE35C2
SHA1:	4A07827CBA888544B8A7F264B7991210044D7BE9
SHA-256:	0C69488DDAEC47BA919B9262CEC30872392161D1348CD927043CDC1665CC645B
SHA-512:	D4AD16750DF12671F54AC0131BCD5E8749958BB4F088B2F27473E9942E0F838FD2373B24EB8256BA2F513D5E31EE0177101B497BE099FE7420269FBEF6FDB8D0
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/fond_cadre_bas.gif
Preview:	GIF89a........L.{.....e..)b....;p.......P~..V........D....!.......,............I.DY..0.!..D.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\javascript[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	28609
Entropy (8bit):	5.356446510786698
Encrypted:	false
SSDEEP:	768:/Mqa7g7TkoETgshtGaf6wZKLzdLueRv0zZ7fxSlcRA5dQfSi7RHyum:/Mqa7g7Mg4Gaf6wZKLzdLueRv0zZ7fx6
MD5:	FBF6DB649596193E7FA1CEA3B4048F5D
SHA1:	81D4406B460EA4FEDBC14DD0582979D4A8134AD8
SHA-256:	5B98B036FF932A147228CEAED725CA868B9B6D8D502EA70575FCF98C87671B90
SHA-512:	5D00BD936BEE43EC82F41979D3F004B3F4B0F4EB23E9C5AFE54438292CDAD40693C9C42E8FAEA31EBBD97E44F23A468583F3FCD958168E443386A74D5049FA14
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/javascript.php
Preview:	..function navigateur()..{...var ua = navigator.userAgent;...var reg_ie12 = new RegExp('.msie 12.','i');...var reg_ie11 = new RegExp('.msie 11.','i');...var reg_ie10 = new RegExp('.msie 10.','i');...var reg_ie9 = new RegExp('.msie 9.','i');...var reg_ie8 = new RegExp('.msie 8.','i');...var reg_ie7 = new RegExp('.msie 7.','i');...var reg_ie6 = new RegExp('.msie 6.','i');...var reg_ie5 = new RegExp('.msie 5.','i');...var reg_ie4 = new RegExp('.msie 4.','i');...var reg_ff = new RegExp('.firefox.','i');...if(navigator.appName == 'Microsoft Internet Explorer' && reg_ie12.exec(ua) != null)...{....return 'ie12';...}...if(navigator.appName == 'Microsoft Internet Explorer' && reg_ie11.exec(ua) != null)...{....return 'ie11';...}...if(navigator.appName == 'Microsoft Internet Explorer' && reg_ie10.exec(ua) != null)...{....return 'ie10';...}...if(navigator.appName == 'Microsoft Internet Explorer' && reg_ie9.exec(ua) != null)...{....return 'ie9';...}...if(navigator.appName == 'Mi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\option_demarrage[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1039
Entropy (8bit):	5.735189013161626
Encrypted:	false
SSDEEP:	12:tjeQYpTk2Ro/v2RDxCoxNVxGZyGgfLLRvpBFQEEyUYnPacmjGSM1E:IQ0TkHnoDxRH2yGgfLFnFQEEMic0Gh1E
MD5:	86D1C8F1D03361FBAFFA7D510FCF741A
SHA1:	8B96C6AC221D6F97E9E9B9FDEC3E95229198B9A2
SHA-256:	45F55ED174CE419D4583BB5AA861D6605C864E3B313AAC04583EAED7B7059E25
SHA-512:	2EFF160D028ABB73417CA83CAA71A953C378971C920C5793D2DA15C6482DF377FC30A0EFCDDAB956D5475ADC72830767BA054EE6E3EA981E2C99E90DCF5A7CC4
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_demarrage.gif
Preview:	GIF89a..........8S..................dq...............;.&A........O..................................0@...............................&?.....H........=..................?y..........gim(Gt......"<a/C^...=CQ.........L.#O....<Y.....=.......................................................TZf....D............1Q{....Ao/A....;=C...........................AFR...JV..............................3.HMZ......`.@.BY}.........................................................................................................................................................................................................................................................................................................................................................!.......,..............X....>..t.....n..`. @.....Q.@G..9,b...A..\...PDdC...1! ...@.\.X.......\.s.....v....h..4.<.c4...YF....M..-..1..L.8+...q...+B..!C......8.......$.Rc...?...C...:H\x.c.o.Af. r..E..T.p....*4....A..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\option_rss[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1085
Entropy (8bit):	7.019133672798381
Encrypted:	false
SSDEEP:	24:GuWGTPxqr24VzADSskVoooe5hAivkQ5HoH1:1vj49eQVVh5kQKV
MD5:	7CEB3D6E2A6BA71E1FF4DEFAFADA2F46
SHA1:	3882737C518CAC57FE9B6D68DB2125D7D286CF7E
SHA-256:	3561DA5EF20565EC264830E67E282FF04D782183C3C86E76421A6B03299EDF26
SHA-512:	E968D1AB1810E4DB05D9D136F9C3D85C7E670DE7B861D126BD72BF7672ECBA998F471D85FEFFE3A3B99B2A8C89C5EA6F85692B380409A2E712EDB8819DC5CF36
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_rss.gif
Preview:	GIF89a......................../..0..4..8..8..9..:..G..R..S..]...............#../..7..8..9..9..9..<..C..F..]..^.._..s........................%.'.0..1.1..1.3..6.5.6.6..7..7.6..8..8.7..9..9..:..<.@.C..E..t..t..w..\|...............&.).)..,.-..2..3.4.4.4.6.>.A.?.@..i.z.................-..-./.0.0.1.2.3.?.=.>.?.?.?.>.>.@.@.?.B.K.R.`.a._._.`.k...............s%.z.x.x-.}1.~3..4.~3.>..<.=.=.>.>.>.?.?.?.N.W.h....p'.q).u0.w2.z5.\|:.{<.{;.}=.~=..>.}=.V.W.l........h$.m&.k(.o).n-.p0.r3.u8.y;.x;.w;.y<.N...b".g(.j+.n2.J.~L...~.....^ .Z .^%.f+....U..U .[&.Z'.d.............................................................................................................................................!.......,.............M...$Jv..sgK...@.zU...+Wh...a..i.`.b....'-n..@..?.b..@sL.!.4..`..$D...JA...4....4f..A"&....fLY.f..=.....AB..E..I.I...4..x`.D.Bx.}.....!#(.@..G...8..GG....L..DJ....:.'..#..tP....b.....EF..%

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\plus[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 12 x 12, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	323
Entropy (8bit):	6.996682098827877
Encrypted:	false
SSDEEP:	6:6v/lhPkd5nDsp7JOhDJE6T2JX+YZ+2TOGsj60Nfw7k20R0JrFjp:6v/7yOROJPT6k2CPG0Nfw7/0iJJN
MD5:	B0CAB0221BE8F354F593A7E0C55B0CFC
SHA1:	F122C70B312091DD06B9A253B680F1EAE02EE951
SHA-256:	50B47EDCAF67166B3F97A97F9A4D90476694223DDC33AC493038051C21101C37
SHA-512:	D20EB00C48528D201D85507818C9034518BC695726F4C8EC4B60575BAFC58620A1E0878F3ECEDEEE23BA580BD682A51CAAEC01A4B1F12E5E452D2EAD77448D74
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/plus.png
Preview:	.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<....IDATx.\|P..D@.....(..Ft>.O...N.;T*.F..$..N.'.+..N"Vv..3g.=s...A..:c..#.e!.=.#._..mI.eM...TU.p..qR..."d....}../..z..,....(..i..Y..a@...(J...0..$Y... ...a.Y..y..1..q.....((:..n....4"...4M.e9...W. T....,.#0..$P....a.S....\|v.@<."....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\titres[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1016
Entropy (8bit):	5.86443252822339
Encrypted:	false
SSDEEP:	12:PuKkxdBYM0aR69GdHmenlR5fhiOPHkxfWDJmWukQp1/ktijOaaO7rnq5aw6yXJZd:PyFYM0nQnn75fEOHkJWz8/5iaaJ9J6An
MD5:	64662C06E79D5BA2A7FBF0E59A77A3D9
SHA1:	35B9E7EB489C92F076C7CC86F47BDCFBCCD9BAC8
SHA-256:	218DE8AA4E39FE2E929D901A264C38B604C56893222DE282FD4A3913A185F5BD
SHA-512:	1FDE8F7A88ADC80F01AEBA1B01D85702D51165C321B4D441B14E56CE550B81360BD80A9DF6DE8DDAD5950AE49F890D2BA8615C009346958987041C24C2117ADF
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/titres.gif
Preview:	GIF89a..........................................................................................................................................................................o.......................a..........s..t..}....v...................y..y..p.....x.................C..Q..d..A..I..R..p..j..K..j.g.................?.8.D..:..9..S..S.T..b..[..]..]..D..o.._..u.\|L....Y..Z..............j........x..............Y.~H..R.......................................................................................................................................................................................................................................................................................................................!.......,............9..H......Ar.).@M#.:a..."I\..r..%.nVT.pAF.+K.l.....N.b..a...3N....N..P...G...<t.f..D~Lp..C...j.!".....&..K...M.1.I...0..Y ....<z..{.....}ar...%B..1.g.....\.2.L.;^...e..7v*.S..!8$.@ 0...K.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\usb[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1125
Entropy (8bit):	7.818938363635054
Encrypted:	false
SSDEEP:	24:ckwxaWzKaE3b+7xhy4zT/PAGcZHEYrj91mbNG4i62V1qIORXNPoOchJwW227:6xv+13aNo43p1YrpyNvi62V1qIOdNX27
MD5:	DEB8BE8E772CB97EA6B2FA4F56471CA3
SHA1:	C6C5CBC200EF6DC15B46AA426F2A909685E504F8
SHA-256:	0D021445DF903C57A7DE927A542E5E5EEC7373B71B2C156DDC598D28017EFDB7
SHA-512:	0C7B2D1A264015468F5811807038A5D9605AC9322B530EFA9D727E4FFDAC09EBE6D926C40EA4C25C5230AA15BECC339E094B7B4E7A15515ADAC1B1C0F2B857FE
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/usb.png
Preview:	.PNG........IHDR... ... .....szz....,IDATx..TkL[e.~......r.F..B......s.C.....1....F.. 1.X\b.....G.f.....ua..dq3..@`....=PJ;z9.-.......<.\|'.}..y.....C.1.">..'.i.U..&..Hk:......3&.y.............../.......q..d.....~...8.j..&Z....7.........db.\|.i..../X.. .J.I..]juz~.&]..hd..g..8.....A...wB#.#..].....I].i.....i...\|.;......l.b{..bKK..x.....,..$Zj.FYl..H.UU.......U...H.........L[C.~.e...R..I.I!....I...AaA>.j....[.]...c......y.Iy_.-(..&IY9.q................u5.N........4.4p...i..9]....u.m....T..2.,.mD..6.D.U..0..F.}?.Co..X^^......t.G-...e(.<.Q..P8LLN...5...JHKK...P(....h.i.4\|'.!.0.q..A.`(.R.$@Q.....c.x........a...S.N.{.d..\..~.4j....p.\|/...%XXrAfF..dg...2.\..SSSXI.$"..+R..&&T.....x[./4E.VQ.....h.^'...`,..T.i...........!....h..s066..``....Nh..y..........w2..J...... ..a..{....}8.xX.........A.QO.....8409q.w....UO ..c.P.g;...@J.1...>..=......@o0Br....5..D.L.........W....:.N...37. ....\|.I......pf+F../..+.U.........,.l..`...A._..=XZ\...ZX.x....S"nD....?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\cartes-reseaux[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1320
Entropy (8bit):	7.822834708351263
Encrypted:	false
SSDEEP:	24:ZJJJPox0YTr+hkpZ1ClmtPK9AYn4FsD/KC5ayPTNewaYQbgw9LK2+uuiecboO1:3J5oB+s1ClmFKiY4yD/KCcyPxeClwk2d
MD5:	A2AF4E32BE5326B570465E1689CD628A
SHA1:	4F01D503D192D07458997C185207F62C6089B393
SHA-256:	28D2CA0C449AF087B5BFB75577CC4A8A08A60EFF24F025D31CCCEF45F01D3712
SHA-512:	879C038AF6F75309616548D0AA607C198DFEE07647DCC011856828183949C37DB083849792BE3199F50DE52E05D4D6F1402BDE67FCC76F2C2651B5B32DCFF59C
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/cartes-reseaux.png
Preview:	.PNG........IHDR... ... .....szz.....IDATx..W{L[e.?}...-t.F.#v..)..#..if..6.h ....Kt......d...m...%c.C......._...:..e<..(..BK......[.0{..'.q...}.;...]...54\|.......LB..#./.577[...N....V..nj.6=... ...b..1.XI...K.Z[[_.j.O.^V.!,..%..G....-0z........D.\|..,//..s$-..,f.- ,...^..-._.-%iP.........0/I.A._........5_(.T..S..D..W....@.....w......X..t.>.S.G"B.EH.Q-I.[.n..... ..}.d..\..8.....n.e .@...X..<......022y9..yH./F..M..(.....qw.....=.YPf.......tc....T....d..@.k....l..#i..@d.O..E06.3....8.........}}Ca.)9..p.9.<.........%%.YuumE.l..du...GT)..-}.T.H$a0.d.P,.T.........b\...s...L...x ........Y.>..\|...\.d.t`Qc\k@W\\|..../...?.r-..ir8.............'..!L.ka..]....UTTG....3.w....z....69`.d......N..=je$......<................7...u..6;../^b.Q)\|6.+....VUU......7;..6f<.d..%6...Vb.....Mhjj".l....{..%.l...X..........vvv......{...SA.Z[H.".\.....{K.b.GN.Jb...#GJ.2/...........I......a..J6q...R..d,.....8q..rv..Q.V.x...f..X.3#W....*>..l$...VV.../...,dB.h...&.H..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\core.bundle[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	322912
Entropy (8bit):	5.335646858089646
Encrypted:	false
SSDEEP:	3072:1CcY/QFb6ncS/ebSEIuB3wZdFkI1VGPeQ/yoaMSgh1oUKgi4cwcAd4o:1CcPuFGPXqoHci
MD5:	EF40427DE4D853AC6C7DF003FEE68F17
SHA1:	0CC88A0CB14EBE3A46B7A7312E1A9DE94EBA8B19
SHA-256:	722C50C6E8C66E55DC3BE656D1DEE0D0091451A65F012259508AACC81E87C1A5
SHA-512:	7386CC1B2B41685141BB5E0364680B531BA67B7C40D72B18CDE8533241A73FAFE4030CA47E9EB1508D1984A26AE25428A40DC588F33266A195F4A0447079EBE2
Malicious:	false
IE Cache URL:	https://cdn.appconsent.io/tcf2/28.4.0/core.bundle.js
Preview:	var appconsent=function(e){function t(t){for(var n,s,a=t[0],c=t[1],l=t[3]\|\|[],p=0,f=[];p<a.length;p++)s=a[p],Object.prototype.hasOwnProperty.call(r,s)&&r[s]&&f.push(r[s][0]),r[s]=0;for(n in c)Object.prototype.hasOwnProperty.call(c,n)&&(e[n]=c[n]);for(u&&u(t),l.forEach((function(e){if(void 0===r[e]){r[e]=null;var t=document.createElement("link");i.nc&&t.setAttribute("nonce",i.nc),t.rel="prefetch",t.as="script",t.href=o(e),document.head.appendChild(t)}}));f.length;)f.shift()()}var n={},r={10:0};function o(e){return i.p+""+({0:"Consentable~Mandatories~Mandatory~Privacy~StackDetails~VendorsScene",1:"Banner",2:"Consentable",3:"Mandatories",4:"Mandatory",5:"Privacy",6:"StackDetails",7:"Success",8:"VendorScene",9:"VendorsScene",11:"ui",12:"vendors~VendorsScene",13:"vendors~ui"}[e]\|\|e)+".bundle.js"}function i(t){if(n[t])return n[t].exports;var r=n[t]={i:t,l:!1,exports:{}};return e[t].call(r.exports,r,r.exports,i),r.l=!0,r.exports}i.e=function(e){var t=[],n=r[e];if(0!==n)if(n)t.push(n[2]);else{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\devices[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2908
Entropy (8bit):	7.916331340776394
Encrypted:	false
SSDEEP:	48:taC1HzBbjkJmPsrogzL9YaohHIF2yJiF1i:XtXFPs7H9AoF2yJiFU
MD5:	FEB8F633A2BFC01CC571526E9AA0926F
SHA1:	718F32D2F40B30E39E41BF8A09F6B610383AB168
SHA-256:	D5EAFA01511DDCE1D284306ED3362578EEE26D7FEB0CFB9D5FCFD701BF00275E
SHA-512:	ED5C56E1F83C9023664A309DE0E7A35D67FC1C2CEA712B7292C4326B775CB8F7AA6C7C60119CF58FAD8325FEFB04CEC54825FD49B874228255890B4D5C957637
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/devices.png
Preview:	.PNG........IHDR...0...0.....W.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx..Z[l.....;.......l.......&1$5.M..75..P...Z./.U.ZEU$.-$.)T..PD.D.&j(..&.................=...4`...~........#.../.!..~\|..K...P.I4.../...q......7m..C.....%g. ...9.;ssq.\|H.Qm....v.hgg.T..g...B.POO.jjj.H......9f.7....\|.`%.6...b....y...A.9..4d.#G.l...<..D"s..e.~.....(..V.. .$.#......\..k.sq.XA.....$.::...eB...<...;..~.n.C#..4W...WP..T...C...H....,.....H\.r:......`...pg..fz....x9.......Y....[...y..`.<..E...n..0z?...8.N.&.d..PP.n4......B.=J\|.5.....,......Qh.5.g.d.u..gA8......R...(.k).-..X..4...=/-.]....Du..;YA]..=Mr....".....+ =+....]........g.l~.B!444..+.z......^....{x...}2....4..G!/......q..YQ.Q..p~..Kv.E"3...._..\|Y..u<.......`.ooj.mo..><48....-....w..N74n.{..mm;......-.8..N.<1.&...>....QxxT..+..@...jw....m;w=.~..z..!..m...v.A.....7o...J!.[..H$...e...vjtt4F...}.+...S.;...K...o..5.B.4h._..N....R pD.f..2..L.u....q...hAa..N.8...O......L#1._.\O\|..u...Z..z<..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\disques-durs-internes[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1289
Entropy (8bit):	7.771537600081928
Encrypted:	false
SSDEEP:	24:OVLUao94DAq7EVtLYphu34U6t6Ox5DlF80jt4HccG9SuIGC8Lx9OqfTSCW:Uz1Dp78tYY4UkLBlF80j9SuIYxIgTxW
MD5:	64804589C24B89169B0E21ADF20B707A
SHA1:	90F583E900EB6550FEF58D53CCFFDAF33CC7D8FF
SHA-256:	3B9BEF5C6192B1167D6CE3DD1D8DC748A2335740255356848295A06E6B0D64AE
SHA-512:	800E080E5C2150E6A55F78B840327A506F39C96A25A878BEAF88BF16F419E597BE7EBC5CC682A8F1B5684C3F119D6E30EED88181021E36FEF3D4D3DA04DFB277
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/disques-durs-internes.png
Preview:	.PNG........IHDR... ... .....szz.....IDATx..ViH.W....8..w.....Q+.P..\.......K.6b#tA....1.....Vh.HA..R...RE.u...d..1u7~=..ZHC..)^8\|...{.9....:..:.......)--........[...zRWW.mJJ......H1..f.zYPP.fhhh......K.V.QVVVBHH.......-...B...X.8666...Cmff......-N.D...5.M..W...4.........@kkk+ooo....$......LLLH.R....*===.33.}."22Rcii.B.....[(!.H@............. @...488H..........-...+..............ff.........m.....iG.k..MHH....!......`...Sss3UTTPLL. s.`u..bH...B.....555.........-.F#.3...'......%.'sss:88...=.....;::........icc...#.$...y.....U.).>....<.-.$I..666.2...D..D...DA............)._....;&..omm..7...=..~!..H..o...... ..R... .n.....4??/6.l..........$...999..c(.J.....yyy.'+....9j......}4<...E.NP.......<.........!!;.".z^7...$K...'.mnnR[[.edd....MOO.'....L......Mcc?..bm...nP..Y....\|........]...SSS...!.......2....e.2...E$..S.9. .x1.{....&&...},?.Ab=.(........n............O H.......9./t`%,...x..._.....o.r............a..R..}.O;...m.y/8882;;[....6b+....G.H......1tzQ.g..LMMA.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\fond[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 110
Category:	downloaded
Size (bytes):	531
Entropy (8bit):	5.236762969184709
Encrypted:	false
SSDEEP:	6:KZv24QEdpyJfKDfyFBaKylGmsYgOR+TINwi9YWbHUXS6L9lDh15lzlJnhlP4Bf1h:8OHGoJFB5xCoTwHYc0TDhfnp4af4p
MD5:	65894FBCA40316DB335F6C46489D6A82
SHA1:	21D15B84CE95C348D3539327369CAF434347B1F8
SHA-256:	2B540D49D5121A63B206F73240713D331A8A308CFB0D89860773686C63ECF32B
SHA-512:	BAA7A6080A72C45792408EDBFDF7EF567D12F6CAD322FC6911AEEB3EF2F35B423754B37BB020BFECD4E09ECF0A9DA51FD9DEBF0BCEE15AC8595B8912AD09651D
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/fond.gif
Preview:	GIF89a..n.....;q.B..@{.9m.......B..@\|. <.!>."@.B~..3.(M....)P....+S.,T.'K.2`.3b..,....6i.&J.7j.?z.D..1_..'.0^...&H.3c.C...'.."..;./\.!?.C..P..9.#C.)N.0].=v.7l..2..8.$F.. ..!..)..7. =."A....(L....,U.2a..%.:o.6h.>x..$../.-X.<t.=u..6.>y.4e..1.<s..#..(.....:..Y..".5g.:p.A}.D...,.&G./Z.$E..0.#D..%.7k.4d..5.;s.>w.+R.-W................................................................................!.......,......n...p...<..O..45%RMC]?.$N6 e.W.:D[K1.`H72+P&.8.(.9,\Z3X!..;.-.c..=dEQY'....>."_JSA..^0..@T..aLFG/bBI.....U.....)#.V..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\fond_cadre_haut[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 20
Category:	downloaded
Size (bytes):	96
Entropy (8bit):	5.537374739988986
Encrypted:	false
SSDEEP:	3:CBM0KVA2Hy8jGYF+YdmRa//lRE:wCq23Gm+YdvE
MD5:	4B71B963E4B535A7DAEBCE91951D8032
SHA1:	88F22E4E042B1ECF2D09EB4F5BBC3F540391E7FD
SHA-256:	E445A6B92FEFDA7B58D77E741F18168EF9F6E60E26293EC30B8B68AE8BE02BAA
SHA-512:	94514D2E8E682D9031DBD4ED2F3CCF1B00E58233A93704DB048AD9823207D14ACEAA891C1BF3D3452319B3F33D2B52C5346AA7EB01A70DF5C44B077A7B4D3658
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/fond_cadre_haut.gif
Preview:	GIF89a........L.{.....e..)b....;p.......P~..V........D....!.......,.............EL.....@O.F.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\gpt[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	70017
Entropy (8bit):	5.631218215251697
Encrypted:	false
SSDEEP:	1536:uJstHwjMlwyx03j/m9DwwjuqfFBBPLNVtxirPtL/iS:6s9wjOC/mPBbTUPtLf
MD5:	DAE2D8F68E7C0DF6075F47CFE46F76EB
SHA1:	F4FD399EC1D8B64E3C8060FD816077F90A931445
SHA-256:	2A4FDC9B11DABFBA0B95C811036BE6523C8502F43A21783F0C55E91958BDABBB
SHA-512:	FFD060439FE75B1BDF0BD10E3614C65E42673634702E8FCFB1D60270F054AC73B8E89F8D9EC97FCEB7A255D492DBC5DC5755D7EA2213BE12DD67B9DBC1F3CFB1
Malicious:	false
IE Cache URL:	https://securepubads.g.doubleclick.net/tag/js/gpt.js
Preview:	(function(E){var window=this;if(window.googletag&&googletag.evalScripts){googletag.evalScripts();}if(window.googletag&&googletag._loaded_)return;/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var aa=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}},ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a},ca=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");},da=ca(this),ea="function"===typeof Symbol&&"symbol"===typeof Symbol("x"),m={},fa={},n=function(a,b){var c=fa[b];if(null==c)return a[b];c=a[c];return void 0!==c?c:a[b]},p=function(a,b,c){if(b)a:{var d=a.split(".");a=1===d.length;var e=d[0],f;!a&&e in m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\index[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	39056
Entropy (8bit):	5.240538189249216
Encrypted:	false
SSDEEP:	384:SMuWsR0ToqiKlKilKit7aJHfc3eN/XjcB7utVMEvAi6dCCKDCU+75Mu1l6H2aQil:SuDToqiSzlzVEr+7H+65cB
MD5:	54EA94F9B16797296F0E34CCFA9C7E6D
SHA1:	07083D67A091BC5CDF8AFEBDEC2ACAF93DF726C2
SHA-256:	F06FAED5C678C840BDB779640BAA9E7CDE432DA4BC7A4DA6DE2DDB43B955EFFA
SHA-512:	B05CD09C6AA74EC9F2A9E70269C397A1172D30E698B959117A43B3D627680A09DE6BC37BAE8FA48A0C7B50884FCD7B0C14EB0253F3B10708A2EA6F7724D3CABC
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">...<head>....<title>Mes Drivers - détection automatique des drivers, des pilotes et de la configuration</title>...<meta name="description" content="TousLesDrivers.com permet de télécharger gratuitement toutes les mises à jour nécessaires au bon fonctionnement d'un PC. Les drivers, pilotes, BIOS, firmwares, utilitaires, logiciels et applications sont téléchargeables rapidement et facilement grâce au classement des fichiers par catégories de matériel et par marques. Plus de 1500 fabricants informatiques sont référencés." />...<meta name="keywords" content="drivers,driver,pilotes,pilote,bios,firmware,firmwares,drivers carte graphique,driver carte graphique,drivers carte son,driver carte son,drivers carte mere,driver carte mere,drivers im

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\manettes[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2140
Entropy (8bit):	7.901809119079006
Encrypted:	false
SSDEEP:	48:SCuLCTgRuNknMXnumq6k07OHSbh6NeJ9SHbaMFpdy+7pdIBxImz:S0ZXqd07lbW8S2m8Vz
MD5:	F703CC1FADF387E3AD3543AB6166DDB5
SHA1:	85C8F512D8B3951F51482A88764D14CDA09F745B
SHA-256:	93047161D6B912EE525228FA1B1BB183D169FA28AFD4D81EBA482D83BCA65708
SHA-512:	7EB8C02D8B379471571976BC44A5220688416DDAC1257279816EAF01B6D812E8DE61944611801B2691709ECEC806F9B4846650DED36A74D773C7AD6A353E4868
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/manettes.png
Preview:	.PNG........IHDR... ... .....szz....#IDATx..VyP...~v.]........K...9DP.rU@.%.5....hD...5.&..<.jl..)U)VGkt.JHL...C\.Z..e..~..hF.8.....g.ov.}.y........0z.....&01iM..-...?\....21u.[..c..3.cV,[..........\|....Pa...9.:9.D....d..R..Jfalm%a..Fl.....XFF^..]Lx...Qq..JO.....b......e...+=...?/T..N.mj.v`..]..vh.]...-...wuC...#6.m)...1..A.Q.....{e....m....N.7=.v...rW..?f..z.......=.b1.L...<..\|3...0.1..A...[.B".4...L....z.._..1~.x..........<t.".k..Ox.X.3>.....x.Gk....A..&....d#...C.8.8]\|.o.Bnc.x....k..z.....8.(...:\.......~g.).H.[...<f..l..Z.&5P1.F...N...Z...Q..)....z.z.....&{L...l..Y?..U[........<0.....\|Q[p.wK.p.....1.Lr.......b90.>}d...L0....1f.4A..@}G.2......n.C30....=.U..l.Q.>-,....F.c...G)/8.#.x....`.^..X.'.l....a.@...oB.p.m..../.:I.-9x.R.I..0.[......>\...sW.\|...~...........o"...JI.d.....H..../.s....hi..;.Q]..L...Ssx{.chd.e.=@HH..l.@7..u......V....j.u.B:...=0a2i......_mA.y:..@.....BK.r.7.Z..E1..n..t..Z.6........!....l....(*...E%.....Dcs...&..N.^

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\mes_drivers[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 180x60, frames 3
Category:	downloaded
Size (bytes):	5078
Entropy (8bit):	7.889414565056289
Encrypted:	false
SSDEEP:	96:D0Z2+/jO9GLDla5SRLh2G4aRiRPXqHtEAip5eB4fX7n8jhV:f+/yola5SRLgPkiRfqHtja8jhV
MD5:	A1EC386AD35E52BBF7378F43ECAA3F05
SHA1:	584CBE8683703F0C030AB8E2EAE384DECBF8F5E0
SHA-256:	C1134C18F6CFA5025695E819A60322E14145502D75D4AFF8175C0557184BC6DE
SHA-512:	BE3E532E56CAC977AE57ADF278C1F37EC645EA77F3E9E61A9C4FE72A143B0497760FEE0FFF91726DDAAFF7CF4DB639EB21009CDB89304EFBEC70212A1D0F6B95
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/mes_drivers.jpg
Preview:	......JFIF.....d.d......Ducky.......F......Adobe.d.................................................................................................................................................<.............................................................................................!...1A"Qq...a.2#..BRb3...r$..c..&V........................!1..AQa.q".....2.BR.....b#..r................?....(.;....c4Sm..f`.........../.$U...T.._.......D...J...Ob.H.......B`rJ/.mj?.#...o<..L.sn...S.p[^h2%.q<.<.9~..Sm~..O...,9W.{w.l.cX.N[..........<....2.......J.S..E....O...../6.@B.h..(.Y..&.0..L"a...D.&.0..L"a...ER...H..Q.9%...W...5...OQ~.<..&W.....0..VP^.Ft.J\|.L.}Yo..3_>.....I.........z...!n..z..$.HD.S........L.5..3.?.8...`.,yrB+.......I.h^...(..@.F.`.....W..s......5M..y....=..].wB.\...l.A........<.W....x...0.Z^...=.x.xc.9x..........Qr.u."a...D.&.0..L"a...D.&.0..}........58.F.x.<h.:^.U...g,..!..Y.+....t..d...y....k.E.M.2.#.\|Um...5;+y.l.?=.. `.,..y..:....c..5."...:.....w.c.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\option_envoyer[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	1051
Entropy (8bit):	6.527634676403194
Encrypted:	false
SSDEEP:	24:EOCkWvrEYcl8I+VyIFzyz1HzWs6xNVnSZ4usE:qQviLyIFzyzxzWs6xNNSuQ
MD5:	6B8E1CBDA2E2E7C6851BC9272DB2F156
SHA1:	C5D8D19713599F5833C54D1E90C7FB6AA4018691
SHA-256:	F3FBE24E565206A92046F4FFB55A571FAA054E2005FF257C8EB2B06FE33986D7
SHA-512:	9AAAD2EB13B5993E8FA88C749E8426B317413190D06E0B25C905634DC101383EE938C84FC88F1B51EDBE44A65E31DEA6C45A2C9F1DBC36755DF5BAB608E9B1C5
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_envoyer.gif
Preview:	GIF89a.....................................................................................................................................................................................................................................................................................................................................................................................................................................{.............................................................................................................................................................................................................................................!.......,...............H....*.8B..Q.l18.P .N.J..5K.0....B....Z.\|..6..@..L.E..`........a....t.R.P........W.2a.D.&O..........6.Ze A..X.1...O$:M,D.$...j.....O.F...14I..99..aR."DO.<r.h..CrlPA.....A.%...7o...1#M..q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\option_favoris[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 16 x 16
Category:	downloaded
Size (bytes):	574
Entropy (8bit):	7.212915520705348
Encrypted:	false
SSDEEP:	12:n/5P6ClLzJxG4CvFCr18tiprYFSpWKJcc+hcXTCfoxhJTbttCVmrhKPSWe:n/NzJxkFSJpeS8c+qjiattvoPe
MD5:	E4EDDF2D20FCEA5320963A52F0C73D69
SHA1:	099519A5E939D9DA4099587BDFCA7196F4FDD5F7
SHA-256:	5C1FADC5DBEE4BC7EB75BE521D7C88E4C163B48E34383AB4E3FB3DC2AE8DC695
SHA-512:	1785BC70EA8A40DD4B66B2536AD1B41C472579D2A5758E85D047755B7F218D5490CC7E03DA62B6AA70E9C355EDC9C564953432761216CD5A225D7AD388B030A1
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/site/option_favoris.gif
Preview:	GIF89a..........................................i..{........P..a..m....@..W..b....?..J..L..R..R...........%..&..-..1..1..6..<..F..b..c..i...........................................#..(.)..0..C..J..L..u...............!..d..v...............7.<...(.....4..........,..0..>..C..F..M..M.s....-..>.f..a.e....K..b.._.{.{.}.{............^..h..p.....................!.....{.,............{..{l`...b>..{J8d..u?1Z..o(,U..a%.Fi.\=*.+MI06.LB@G<^zT9....C"..../Oj.cN$#25....:[.tX;.....Ps.kH3....].h&.....Eq.yR4!Qf..Dm.w'-S..Y..J.+7....$..D_.$rsF..@.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\slm.prebid.touslesdrivers[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	16749
Entropy (8bit):	5.409147335144714
Encrypted:	false
SSDEEP:	384:Ti/kOXmXC38F7DJgDfQf4Dsyfxv0ZqJBt:2MumX7FIt
MD5:	89E6092876ECDD0820176584BE14BE40
SHA1:	FB30F0DC022C6526F1C0E6BBA455B74F941526E6
SHA-256:	5C1EE526F487606C846F5465C380C9D6B86241DE0DD58CB7915DF2F75BF025FC
SHA-512:	80BC92FC5D8DCD8BDB413BE484209CBBF7D3B4F4504D818F7D84A218E5ADF2673CBFA183195E5806855566A742D195FF6C084D8EA0CC51548F87035C256426E6
Malicious:	false
IE Cache URL:	https://ads.sportslocalmedia.com/slm.prebid.touslesdrivers.js
Preview:	(()=>{var e,a,d={},i={};function r(e){if(i[e])return i[e].exports;var a=i[e]={id:e,loaded:!1,exports:{}};return d[e].call(a.exports,a,a.exports,r),a.loaded=!0,a.exports}r.m=d,r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a}),a},r.d=(e,a)=>{for(var d in a)r.o(a,d)&&!r.o(e,d)&&Object.defineProperty(e,d,{enumerable:!0,get:a[d]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,d)=>(r.f[d](e,a),a)),[])),r.u=e=>({1662:"slmadshb",2937:"instream",8216:"advanced-video-player"}[e]+".js"),r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this\|\|new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.hmd=e=>((e=Object.create(e)).children\|\|(e.children=[]),Object.defineProperty(e,"exports",{enumerable:!0,set:()=>{throw new Error("ES Modules may not assign module.exports or exports.*, Use ESM export syntax, instead: "+e.id)}}),e),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),e={},a="slm-ads:",r.l=(d,i,s)=>{if(e[d])e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\souris[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1542
Entropy (8bit):	7.8247839964894865
Encrypted:	false
SSDEEP:	24:7A0APoLZo9zlYwn/bu6BMDyeADrNei3d5709ddSTwEj6oKWtHEGx6:M06oL2zDu6imfDrgi3wddUwM7KMEGx6
MD5:	8158744CD7509D7AC5B58AF7154669D5
SHA1:	5462F27B98223202FF3B900C922DDDC19ED8B34B
SHA-256:	6C9736223A39C89BF37ED59BB818A0F47F627DFB1E149C87215FAE07F245DD44
SHA-512:	57674061DA6B06D54A617395C30CE050DE1A54AE134C9988A8BC17106A42C12D5B1A7838CE0B3896DC99E2BA9E8C406F239A61069CB2D9E8D27F4C265D0EFBAE
Malicious:	false
IE Cache URL:	https://www.touslesdrivers.com/images/mes_drivers/classes/souris.png
Preview:	.PNG........IHDR... ... .....szz.....IDATx..VkH.g..?O...)M.CZ..<-...a..$[...p...c....ls.1h...).....?.. A..h5.K.<.Y...].=?...b...........~.y5^..}8>....C...~.......9.FQQQzaaaBYY......;7......ZRR.g.}...........~......V..............=~.x..Gm._.;s...z...........'....9::.,--e. t...yyy......;o...P/..a_...m.)....NCCC....~...].v.........x&......%88X."....\XX.....[@.q.-......R.....g.~2...Y.eff~...y....)ioo...7..;...d..w..~........{.Jgg..?.^....e....ILL..RU....=...J.....q..............[.$$$Dz{{...[....^.....y....+........o\|.........mY...G..........!.03777.{.>[ZZdnnNe...........H]].X,.........9e...;cfdd.<66V.O.Y........o1#........L.^....r........(.....RbOOO9~.....{l6..+..0&I.Vd#v....zegg.....F.n......4k...Nk.l`,]'A...jkk.......:KFp.Q..,..._...@nn.......t...t......-.L.L.....c......k.I\|\|../.P.q..}...A"..u.?....X.$...I5..677k..DP.Iy)7.QN...Q.2K.Np.M.%.q..c.Fp...X%.L..`.d...".....!..g@u......N....&%...*...I..ettT.9I...4........k........pr

C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM Download File
Process:	C:\Users\user\AppData\Local\Temp\aes_x64.exe
File Type:	data
Category:	dropped
Size (bytes):	22964
Entropy (8bit):	7.988416177688223
Encrypted:	false
SSDEEP:	384:2vIEb1SlH/ad6/yqlZGZLwgwgF8FI3ojaON4rXEiD7blpPlpFFh7QkD/idV2Tsop:uaHyPQ8LT8FGOMUiDHlvpFFh7Q8/idVA
MD5:	9E12786503113586E5B7697F573D37F9
SHA1:	525A4D4D38B9EC5711CB8F1318E0DFED64921CAF
SHA-256:	16A8BEDB47003743DDDAC64848275A0FB49AA9761A05AD481CA0C1CE3303E5A5
SHA-512:	1DF907649A9117ADCB1463F8460A361DBE4B36689CD87CBA0E68563A40CFA721A3FE39C90993B82C20B379EDBEE8D20F42D597697EE04B55E48B380E853ACA67
Malicious:	true
Preview:	AES....CREATED_BY.aescrypt 3.10......................................................................................................................................P.........on../^..)._...../.A.].ol{.H.(......~d..=3.JO...E7a=.NG....(#......l..Z.r...D`.EzWG.......k..........:.pY.4.ld.+...."..T..Z....0]awiQz......).f..(.....pW.WX..e.<...M$...../m=I.))..&Q.....~..5.e6....kB ........]k-......A.\|.$Z\|H...aD:/.>..h%g,..M(.d..jE...VR...K...?d].M..jK..?....(.8.=....s.'O..wi........6;....L..~.`..Sc.a/...)..4........?.".!.....;...+...-tF.K.k..O`...'...a.\|N,X) 9eyN..j.u"Bb.T.............=z.S.0./8......Q..^Q.u.[t...QF.b>.7.e&...v0.....w....Q..B..V.3...N5....f...........X.d..q.}.z....5..#..'.....b.c."o..G@.Yy.2....l.g!0.O..A.....S..^..I..mN1`....bn8.$.5.....FZ.....;....Zd.`3...H.D.Up.=._.x.$B.q.{3J.d......GT.E.....FG..c .#2~[.r-<.+..L..{.`..Z.px..8B...Rt.....3...V.9*..........}...O......\..L...iS....e...u.e.D+L..I.d.^m.m...9...i?o9.ga.9...f..\.`

C:\Users\user\AppData\Local\Temp\aes_x64.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	155136
Entropy (8bit):	6.66841365910386
Encrypted:	false
SSDEEP:	3072:qPjqdc4gShSWvT+Ykjse0/xZ3ElLpPShi76u7:qPWIWvT+jse05KEi
MD5:	E5125D4651C008EBA61D9FD3ABD5AB31
SHA1:	4A85E5D6AB73891832C9ADAA4A70C1896773C279
SHA-256:	874CB7A8513B781B25E176828FE8FE5AC73FA2FE29EA2AAC5FE0EAAD50E63F39
SHA-512:	26BA2CECF7324E1C5FE46112C31523E2FABAD8DE34FE84CE3A9E3A63922B0F85D84982E7C6BAE13D2E3CF65193F7A19A67A2FC80AF5A78EF8CFE611FCE1A9409
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e....O...O...O.\|.O...O.\|.O...O.\|.O...O..O...O...O...O...O...O.\|.O...O.\|.O...O.\|.O...ORich...O........PE..d...u{1U.........."......>.....................@.....................................%....@.....................................................<....0....... .......................R...............................................P..h............................text...j<.......>.................. ..`.rdata...E...P...F...B..............@..@.data....q..........................@....pdata....... ......................@..@.rsrc........0......................@..@.reloc..:............X..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aes_x86.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.805779966193588
Encrypted:	false
SSDEEP:	3072:NgzEhDpHGk/gqrYxgHNEt3koN0Shi76u7:NiEhNHgqrLme+i
MD5:	82FF688AA9253B356E5D890FF311B59E
SHA1:	4A143FC08B6A55866403966918026509BEFCC7C1
SHA-256:	B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9
SHA-512:	CBB3D81E3237B856E158C5F38F84230A50F913BDADA0EF37B679E27E7DDF3C970173B68D2415DD8A7377BA543206BB8E0FE77C61334B47C5684E3DDFFF86ACED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: C:\Users\user\AppData\Local\Temp\aes_x86.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 21%, Browse Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: 53c0505a_by_Libranalysis.exe, Detection: malicious, Browse Filename: hztxqReczN.exe, Detection: malicious, Browse Filename: BleachGap.exe, Detection: malicious, Browse Filename: SuperEnjoy.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.A...d.A...d.A..7.d.....d..e...d.....d.A...d.A...d.A...d.Rich..d.........................PE..L...P.1U.................$...................@....@.................................N.....@..................................p..<...............................p...pA...............................k..@............@..0............................text...J#.......$.................. ..`.rdata...7...@...8...(..............@..@.data... g...........`..............@....rsrc................p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\curl_x64.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	860232
Entropy (8bit):	6.330103845723899
Encrypted:	false
SSDEEP:	12288:VBhSKWefubWiuJBmMSa1ayJZlQyyEmRwYGd0Cj/cHBg3ui7KMTFhlMVs+b:VBhSBwy76MM1vBycddHj/cGTFS
MD5:	E80C8CB9887A7C9426D4E843DDDB8A44
SHA1:	A04821E6D51F45B72A10BDBD3BB7E49DE069CCD2
SHA-256:	3DF4725778C0351E8472A0F8E18CAF4FA9B95C98E4F2D160A26C3749F9869568
SHA-512:	41B4BD84336785D4DA13B5653183BF2A405B918AFAD3ACD934F253D23B1E00460173E36B2D65A61F77EF2B942DBA735655FC5B4EC561C375896F5A010E053D33
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._..._..._.-._..._.-._..._..._..._.-._..._.-._..._.-._..._.-._..._Rich..._........PE..d......X..........#......6..........0G........@..............................P..............................................................4Q..x........B......h^......H............................................................P..H............................text...n4.......6.................. ..`.rdata.......P.......:..............@..@.data....;...`.......J..............@....pdata..h^.......`...b..............@..@.rsrc....B.......D..................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\curl_x86.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	690760
Entropy (8bit):	6.379028616802886
Encrypted:	false
SSDEEP:	12288:yy+N4we0nEbORHuybDm5EsKDiVwx3g5smKQwT49zw64GdUCjfcwC6dum7O8TPVsT:CN4X0nvjbDm5v5wizH9dnjfcsTI
MD5:	213A2CE0C3E3BCC71DF42A9EDAD0BA35
SHA1:	A82D8374BDBEA0CD3B08EDBDE32EAC29E061AD96
SHA-256:	FBC0D3A56DCC0B9C6FFE556D1FD58C57502325780F137B64788FBBBDFC13BB82
SHA-512:	77BECC9354014573A7C348E94632ED484C156C24585EB4CBA3E62FD8BB13085D41090EBBED056A58BE0658DA5918E639BF5F0AEBF4FCEE3F2270E8A701A1348C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r...r...r...a..~...w..p...w.o...w.......r...........y...............s.......s...Richr...................PE..L...+..X..........................................@.................................I6......................................8...x....0...B...........p..H...............................................@............................................text.............................. ..`.rdata...3.......@..................@..@.data...d+....... ..................@....rsrc....B...0...P... ..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\detect_x64.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	82432
Entropy (8bit):	4.904297032300948
Encrypted:	false
SSDEEP:	1536:mGdmm1zdwlinYnyxH0GSrFc5VfJF4O7W5ia:mGdsqZxM5cXLRW5i
MD5:	6A7EC375AF8BA2E87FF7F23497E9944E
SHA1:	791FB650E9E27E9857B332F534A0ADE1EAE28BE7
SHA-256:	65C68FD55281A0A4598807EA83531A0CB0E4E79A8C5BF38E9637E776F72C3514
SHA-512:	C6FA4AC94692DDB8D60C8AB40AA33B17E9D0800C802EE5D3C7D6F0DB24C507638743287A274D7EC62FE568B6AA1C69932D52E74A50040720A89138CB5C8BE7AA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j....pN..pN..pN.VsO..pN.VtO..pN.VuO..pN.VqO..pN..qN..pN.VyO..pN.V.N..pN.VrO..pNRich..pN........................PE..d...2..W.........."......b..........@j.........@.....................................P....`.......... ..................................................................................8............................................................................text...0a.......b.................. ..`.rdata... ......."...f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc...............@..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\detect_x64_2.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	4.8816791730814995
Encrypted:	false
SSDEEP:	768:rrNzEAAwF11A/YuQu2QVoh1Ad5pWQlqTORopXJAiFaptHJ82BSOe9oKSJ2SLD0BF:NEAlA/YuQNNeUTORopXebptHJF4O7W1
MD5:	635E57FD7AEFFAF87F6242AF79F419AA
SHA1:	BC727A929A778C395675BACCF281A803B4CAD4EF
SHA-256:	4A097314779F4D9CC594F40DB5509487AA4C2C8BDC58BC7230FCB183334BFD97
SHA-512:	69E5BEDB1925CFD5A2618C57C2F7DE82816183423B8F022614681511931B86A961FE02DB4F9FB94700981A0B8948E8A55DFCC60897462233DB819594D4DECEAD
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j^...?...?...?....q.,?....r.o?....s.>?....w.!?...?...?....o.-?...../?....u./?....p./?..Rich.?..................PE..d...P..S.........."......l...........n.........@....................................z9....`.......... .........................................................l............p......@................................................................................text....j.......l.................. ..`.data................p..............@....pdata..l............t..............@..@.idata...............x..............@..@.rsrc...............................@..@.reloc.......p.......<..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\detect_x86.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	4.9059415705271885
Encrypted:	false
SSDEEP:	768:w44f/8vj/BaTwqy4Sj5dED/bAzqYptHh82BSOe9oKSJ2SLD0BEZWkSiSbA:wHsvFaUY/khptHhF4O7W5iSbA
MD5:	42344B0A6F2941A402BF7AAC3893A6BA
SHA1:	713476D0AF007882639A8F703EE5CBCE34380293
SHA-256:	F6971D84A1600EA51FD7508C4DA636BE8BF9EA406D472FC2D9E42B4AC58B77D8
SHA-512:	8C3BBB98507B963FB0F77C404CAAE78ADFDCFD132DF53985C9D8E9692FFC50744B19D52477C2701810A7967BD6E5ECF13AF912D2EFF47FC2CA68BD045C56D695
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........nG.i...i...i..^....i..^....i..^....i..^....i...i..&i..^....i....~..i..^....i..^....i..Rich.i..........................PE..L...\|..S.................^..........2b.......p....@..........................P.......r....@...... ...........................................................@..0... ...................................@............................................text...4\.......^.................. ..`.data...D....p.......b..............@....idata..h............d..............@..@.rsrc................t..............@..@.reloc..\....@.......$..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\detection.exe Download File
Process:	C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	1165312
Entropy (8bit):	7.9946328993180025
Encrypted:	true
SSDEEP:	24576:4AmTUWOc8w79cO634s6zyG2fzjTrqVHqOx:4B/OBVloswV2LjHzOx
MD5:	02BA1C44B6392F013A7AA0B91314F45A
SHA1:	724C1977101ECAE88E4F104A8422B64BFEC01A98
SHA-256:	7FBE59195F5F6F45C8B38B12488A169FDCB3A272004DBAF44C9D92A60A3690CB
SHA-512:	56BED935B028257E6EB485C555002F3E07E86788452CCA0E28786098CC9254A7462B777A7A46AE6594911A73D786A6D15DEE248F05A4C33A1BC749BE071BCC3D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 10%, Browse Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....+.W.................d...$".......(...........@..........................0)......O........................................(.......(.l6............'.x/...`..............................0.(.....................@.(.@....0..T....................MPRESS1..(......~.......................MPRESS2X.....(..........................rsrc...l6....(..8..................@..............................................................................v2.19..n\|.. ..........h../'.'...xN.r..^BT%.....6.sJ.F..n..L.U...RX.Tsb....^.y...zIw. .1..x.;T.^#..#....cy..u....DW.....w.k.z._by..hp...YCJ..D(@....k~?...w..W...Ho0.%e\|L(...n...n..mR..<.;..#=UF"z..x=]..]..9..("#...~...okoQt.-...V2iZ.....0J..r..2UK5.Njz.Sx..Wr@..@(X..E..;.g...o.Z.D.~"....Ui...$`....UD6.v.....w ...J.....A...........L...1V.TE9...6....F......f./.......5...JX.kLg...R.a....+..X.51?...S...<G...".NNm.....m..wW'o'a....W..%.....:j!.=.#.-.,B..< ...G..w.\..~)V...

C:\Users\user\AppData\Local\Temp\interface.cmd Download File
Process:	C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
File Type:	DOS batch file, Non-ISO extended-ASCII text, with CRLF, NEL line terminators
Category:	dropped
Size (bytes):	2669
Entropy (8bit):	5.137308062929335
Encrypted:	false
SSDEEP:	48:A5SvrvPuel4uFaBRACQzqNuXl5bRTmlvy5BkdNN439kfOk0rn:A5SvzPJl4FRAPzGuV5bmvs84kfvgn
MD5:	E0EB53551ACA2ACFF814DDD7ACA212E2
SHA1:	EE825C865D5ABF244D6165EE838735F1BA05BFCB
SHA-256:	11993A03F68A33500A3CE8FBEB3E3C2042A28299D04F39EED40147709E76CA79
SHA-512:	DDDE3D274B2EA8DA0D645F88BD6B340902DCA83E599BA0C7249953A7C1F2DD512F764802134A6EFA1F48CA6CAE23B78881569228F908DD0746ABE3C46E95A348
Malicious:	false
Preview:	@ECHO OFF..SETLOCAL....COLOR F0..MODE CON: COLS=76 LINES=15....SET "version=3.0.4"..::SET "version=%version% b.ta"....TITLE Mes Drivers %version%....SET "dossier=%TMP%\"....IF EXIST "%dossier%mes_drivers_update" (DEL /F "%dossier%mes_drivers_update")....VER \| FINDSTR /I /R /C:"version 5\.[0-1]\." > NUL 2>&1..IF %ERRORLEVEL% EQU 0 (SET "waitfor=waitfor_x86.exe") ELSE (SET "waitfor=WAITFOR")....SET "titre=TousLesDrivers.com - Mes Drivers - %version%"..SET "message_1=Etape 1/4 - Recherche d'une nouvelle version de l'application..."..SET "message_2=Etape 2/4 - D.tection de la configuration syst.me..."..SET "message_3=Etape 3/4 - D.tection des composants mat.riels et des drivers install.s..."..SET "message_4=Etape 4/4 - Envoi des informations au serveur TousLesDrivers.com..."..SET "message_update_1=Cette version de l'application n'est plus . jour."..SET "message_update_2=T.l.chargez la derni.re version sur www.TousLesDrivers.com"..SET "message_error=Erreur fatale"..SET "message_attente=Merc

C:\Users\user\AppData\Local\Temp\interface.lnk Download File
Process:	C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Wed Jul 7 22:18:15 2021, mtime=Wed Jul 7 22:18:15 2021, atime=Wed Jul 7 22:18:15 2021, length=2669, window=hide
Category:	dropped
Size (bytes):	1947
Entropy (8bit):	3.6394959900450687
Encrypted:	false
SSDEEP:	24:8C2/kFJNMGAZREgKDbmM4m2yAfo8KYbOPYCTp7aB6m:8v/kF7AZR+6MXufo8vCEB6
MD5:	5A67FBC6C1C047B2548C6B2ADD486510
SHA1:	8A35A359AD9987D3B599FA00E502078D7D3E7431
SHA-256:	95D4DD8CE16C7F44BBE46DDCBE2A71F6D23A2D9B5E85CE7F8F234BF73AD767AE
SHA-512:	B3BF54845F70811FF9CDBD8B66F988DA744EA0367BBF899E8BB1C53EC9BBE1195132594E0133576A771AD1DDEBCBB48264E9058648617E42E1CBFA012F02F36E
Malicious:	false
Preview:	L..................F.@.. ....q.\.s...q.\.s...q.\.s..m.........................:..DG..Yr?.D..U..k0.&...&...........-.....8...8p.].s......t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..RB......Y.....................R..A.p.p.D.a.t.a...B.P.1.....>Qbu..Local.<.......NM..RB......Y...................../..L.o.c.a.l.....N.1......RC...Temp..:.......NM..RC......Y......................A.T.e.m.p.....h.2.m....RH. .INTERF~1.CMD..L.......RH..RH.....:S....................,.n.i.n.t.e.r.f.a.c.e...c.m.d......._...............-.......^..............g.....C:\Users\user\AppData\Local\Temp\interface.cmd......\.i.n.t.e.r.f.a.c.e...c.m.d.#.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.-.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.M.e.s._.D.r.i.v.e.r.s._.3...0...4...e.x.e.........%USERPROFILE%\Desktop\Mes_Drivers_3.0.4.exe................................................................................................................................

C:\Users\user\AppData\Local\Temp\waitfor_x86.exe Download File
Process:	C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.771125779123941
Encrypted:	false
SSDEEP:	768:ZQ1aoTfPUGS21Rux8NVB/QA6I1uZXs8f0XUwpBq4pjC0uIr3HX:+1Tr8ovpQA6I1isiTEB8Ir33
MD5:	DD8C73BDCF2077B82DBB6DDD8ECB6A6D
SHA1:	34D59EAFBC485052C5BD5C61697FCCC3D0878D5B
SHA-256:	C3370E8EC5CA54E8FD7EAC19C278689CF122EDAC91FAA4376DC24B1D807FE510
SHA-512:	8E01822020C34B9F08BF01CB64FCCEBE03709797C4B2350C3E14DC174D2B8CD0A7D46A1108409DFEEFAFED13F30B8E217E55F6A47E791868EE60C14F774482D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J..u...&...&...&...&...&..&...&...&g..&..&...&..&...&..&...&..&...&Rich...&................PE..L......>.................h...*......0%..............................................&\........... .......................... o..........8&..............................................................@...P........................................text....g.......h.................. ..`.data................l..............@....rsrc...8&.......(...n..............@..@.$.>X....$.>e....$.>o....$.>z....$.>.....$.>.....$.>.....$.>.....$.>.....$.>............KERNEL32.dll.NTDLL.DLL.msvcrt.dll.USER32.dll.NETAPI32.dll.WS2_32.dll.SHLWAPI.dll.MPR.dll.Secur32.dll.VERSION.dll................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\waitfor_x86_2.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\detection.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.771125779123941
Encrypted:	false
SSDEEP:	768:ZQ1aoTfPUGS21Rux8NVB/QA6I1uZXs8f0XUwpBq4pjC0uIr3HX:+1Tr8ovpQA6I1isiTEB8Ir33
MD5:	DD8C73BDCF2077B82DBB6DDD8ECB6A6D
SHA1:	34D59EAFBC485052C5BD5C61697FCCC3D0878D5B
SHA-256:	C3370E8EC5CA54E8FD7EAC19C278689CF122EDAC91FAA4376DC24B1D807FE510
SHA-512:	8E01822020C34B9F08BF01CB64FCCEBE03709797C4B2350C3E14DC174D2B8CD0A7D46A1108409DFEEFAFED13F30B8E217E55F6A47E791868EE60C14F774482D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J..u...&...&...&...&...&..&...&...&g..&..&...&..&...&..&...&..&...&Rich...&................PE..L......>.................h...*......0%..............................................&\........... .......................... o..........8&..............................................................@...P........................................text....g.......h.................. ..`.data................l..............@....rsrc...8&.......(...n..............@..@.$.>X....$.>e....$.>o....$.>z....$.>.....$.>.....$.>.....$.>.....$.>.....$.>............KERNEL32.dll.NTDLL.DLL.msvcrt.dll.USER32.dll.NETAPI32.dll.WS2_32.dll.SHLWAPI.dll.MPR.dll.Secur32.dll.VERSION.dll................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF085E27A7477E5391.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	37347
Entropy (8bit):	0.8254349064808411
Encrypted:	false
SSDEEP:	192:kBqoxKYQ1Q5QSQnKQdKQVQnQBQSQ2y+89MVcKJQXs/M:kBqoxKYqGtYKyKKQuN5IM6XsU
MD5:	EDD41FC06BF8A21DCF9C4CA190C3CB72
SHA1:	6DF7968465B8388D4A7D5DFE7C694CBB1113C7BA
SHA-256:	4AB3F27326EC6714FEB54A5EAD1CA2A12537DC49D2186161F95D270847AF1893
SHA-512:	6CD58CC5465A598F3E793DC7C12EF83AE7830935404BE55F869A9F97A4106BFA91F2E404ECD513460BE9A305B31C905116F0AE153A7EB076C91DF5E5B3BBC892
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF64AAEB065551F5B2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	0.4181458623307724
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loeI9loeY9lWeDKIkNkYKQII2:kBqoIejeVeGIkNkYTII2
MD5:	FDDB2C34C8D8854EC0A0B438C2836284
SHA1:	0BB28171D280454C46BF468AB91B27BE6C420C17
SHA-256:	BA4FCA736A2075E91B07B932523A8D2B141B8C5102E097882C2B1111EACEBB97
SHA-512:	EA5DFB8140252D67FB3D7FB46A59E8D85A5F378E4EE7A8956254F6173A077F84BF27018889A5BF204EDDE0C507973AE9134A5C574CE1F9CECD7E1C25B716D764
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.80639394183153
TrID:	Win32 Executable (generic) a (10002005/4) 99.40% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Mes_Drivers_3.0.4.exe
File size:	1624440
MD5:	50a5e891da27e63d54e68511e48aa026
SHA1:	87073d85a7ba420b15c8bb9a9e4adc64db2bcfef
SHA256:	0788aaea249d92a84f70047efcacaa54c26320b439c490ba3ce00457955031d6
SHA512:	6df8811e3e1f6a4110ca3b7c498af13898b46962a30888879180b2f11dda24344a1de4807663d46dd86f7ea11855d08137980cc85fe71e688d082f2f79994909
SSDEEP:	24576:AfHFw5b9DOnFYrv+kjqipUompMEoNMDYSkbDknoI6JK+ZYtEi8ETtAM5B:sjFYrv+kjV45oeYSRnyJhOtEVcf5B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	03894ca5a5c1e074

Static PE Info

General
Entrypoint:	0x45678c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57D32BF4 [Fri Sep 9 21:39:00 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1d58845e01168b11e8fe1f814f39f398

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/30/2016 4:00:00 PM 12/1/2017 3:59:59 PM
Subject Chain	CN=Tous Les Drivers, OU=IT, O=Tous Les Drivers, STREET=75 avenue de Marseille, L=Vitrolles, S=Bouches-du-RhÃ´ne, PostalCode=13127, C=FR
Version:	3
Thumbprint MD5:	9FCA37DC296D67356D8D08964CD71785
Thumbprint SHA-1:	48171D12F1CC636CEC19B926648D3CA247711D48
Thumbprint SHA-256:	70833935EE77C609DAFC1CF8395D3E99A1D44ED204943FB57D375B1F3AFF8343
Serial:	4513E8E5C8BBB6D79305E44A01921076

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000006h
push 00000000h
push 00000000h
dec ecx
jne 00007F3C4CAFFD3Bh
push ecx
push ebx
push esi
push edi
mov eax, 00451AF0h
call 00007F3C4CAB36E4h
xor eax, eax
push ebp
push 00456C06h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor eax, eax
mov dword ptr [0045F080h], eax
mov eax, dword ptr [00458934h]
xor edx, edx
mov dword ptr [eax], edx
mov bl, 01h
xor eax, eax
push ebp
push 00456801h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00456C24h
push 0000000Ah
mov ecx, dword ptr [00458A24h]
mov ecx, dword ptr [ecx]
mov dl, 01h
mov eax, dword ptr [00433D40h]
call 00007F3C4CAE6A4Bh
mov dword ptr [0045F080h], eax
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F3C4CAFFD58h
jmp 00007F3C4CAAEF43h
xor ebx, ebx
mov eax, dword ptr [0045F080h]
call 00007F3C4CAAE34Fh
call 00007F3C4CAAF44Eh
test bl, bl
je 00007F3C4CB00102h
mov dl, 01h
mov eax, dword ptr [00450778h]
call 00007F3C4CAF9D6Ah
mov dword ptr [0045F078h], eax
mov eax, dword ptr [0045F078h]
mov byte ptr [eax+04h], 00000000h
mov eax, dword ptr [0045F078h]
mov byte ptr [eax+05h], 00000001h
mov eax, dword ptr [0045F078h]
add eax, 08h
mov edx, 00456C44h
call 00007F3C4CAAFF29h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60000	0x1486	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0x13029c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x189a00	0x2f78	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x65000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x64000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6044c	0x30c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x62000	0x154	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x54bac	0x54c00	False	0.41686255531	data	6.34358551635	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x56000	0xcd0	0xe00	False	0.561383928571	data	5.76394574755	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x57000	0x1c90	0x1e00	False	0.377213541667	data	3.91882656946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x59000	0x6098	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x60000	0x1486	0x1600	False	0.323686079545	MIPSEB-LE MIPS-III ECOFF executable stripped - version 0.6	4.84798937347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0x62000	0x154	0x200	False	0.30859375	data	2.41945210787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x63000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x64000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x65000	0x80a8	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x6e000	0x13029c	0x130400	False	0.954636786154	data	7.98099551661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
TYPELIB	0x6e420	0x204c	data
RT_ICON	0x7046c	0xca8	data
RT_STRING	0x71114	0x38	data
RT_STRING	0x7114c	0x6f8	data
RT_STRING	0x71844	0x32c	data
RT_STRING	0x71b70	0x388	data
RT_STRING	0x71ef8	0x3a4	data
RT_STRING	0x7229c	0x148	data
RT_STRING	0x723e4	0xcc	data
RT_STRING	0x724b0	0x204	data
RT_STRING	0x726b4	0x39c	data
RT_STRING	0x72a50	0x368	data
RT_STRING	0x72db8	0x2b8	data
RT_RCDATA	0x73070	0x12acd2	data
RT_GROUP_ICON	0x19dd44	0x14	data
RT_VERSION	0x19dd58	0x33c	data	English	United States
RT_MANIFEST	0x19e094	0x205	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetWindowLongW, GetWindowLongW, CreateWindowExW, UnregisterClassW, TranslateMessage, SetTimer, RegisterClassW, PostThreadMessageW, PeekMessageW, MessageBoxW, LoadStringW, KillTimer, GetSystemMetrics, GetClassInfoW, DispatchMessageW, DestroyWindow, DefWindowProcW, CharUpperBuffW, CharUpperW
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, SizeofResource, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, LockResource, LocalFree, LoadResource, LoadLibraryW, IsValidLocale, GetVersionExW, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetTempPathW, GetSystemDefaultLCID, GetStdHandle, GetShortPathNameW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, EnumSystemLocalesW, EnumCalendarInfoW, DeleteFileW, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll	RegSetValueExW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, DispGetIDsOfNames, RegisterTypeLib, LoadTypeLibEx, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SysFreeString
ole32.dll	CreateBindCtx, CoTaskMemFree, CLSIDFromProgID, StringFromCLSID, CoCreateInstance, CoLockObjectExternal, CoDisconnectObject, CoRevokeClassObject, CoRegisterClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
URLMON.DLL	MkParseDisplayNameEx
shell32.dll	SHGetSpecialFolderPathW

Version Infos

Description	Data
LegalCopyright	Copyright 2016 Tous Les Drivers - Tous droits rservs
InternalName
FileVersion	3. 0. 4. 0
CompanyName	Tous Les Drivers
LegalTrademarks
Comments
ProductName	Mes Drivers
ProductVersion	3. 0. 4. 0
FileDescription	Mes Drivers
OriginalFilename
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2021 16:18:20.480421066 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.540138960 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.540363073 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.559083939 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.619585037 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.619623899 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.619651079 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.619668961 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.619987965 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.809349060 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.870106936 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.886295080 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.943873882 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:20.944575071 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:20.944601059 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:18:21.001641989 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:21.001687050 CEST	443	49718	85.31.204.81	192.168.2.5
Jul 7, 2021 16:18:21.001890898 CEST	49718	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.425966978 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.483319998 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.483565092 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.529664993 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.590296984 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.590333939 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.590358019 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.590517044 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.590547085 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.590701103 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.599939108 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.661529064 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.694638968 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.751827002 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.752733946 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.759641886 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.819139957 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.819286108 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.819442987 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.819480896 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.819520950 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.819679976 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.819789886 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.819895983 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.838443995 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.876914024 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.877105951 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.877245903 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.877397060 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.953710079 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:34.954535961 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:34.954673052 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:35.013068914 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:35.013091087 CEST	443	49734	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:35.013262033 CEST	49734	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.333246946 CEST	49735	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.333874941 CEST	49736	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.390886068 CEST	80	49735	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.390923023 CEST	80	49736	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.391021013 CEST	49735	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.391068935 CEST	49736	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.407059908 CEST	49735	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.464884043 CEST	80	49735	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.465008974 CEST	49735	80	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.483196974 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.542851925 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.543082952 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.554483891 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.614872932 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.614932060 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.614969015 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.615041018 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.615087032 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.615093946 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.652616024 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.659405947 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.714837074 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.715034962 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.745074034 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805619001 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805707932 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805747986 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805753946 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.805804014 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805814981 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.805831909 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.805876970 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.805891991 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.805949926 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.806016922 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.806032896 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.864624023 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.864690065 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:38.864818096 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.864856005 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.955403090 CEST	49737	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:38.956854105 CEST	49738	443	192.168.2.5	85.31.204.81
Jul 7, 2021 16:19:39.012830019 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:39.012890100 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:39.012932062 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:39.012969017 CEST	443	49737	85.31.204.81	192.168.2.5
Jul 7, 2021 16:19:39.013019085 CEST	49737	443	192.168.2.5	85.31.204.81

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2021 16:18:08.084530115 CEST	52441	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:08.130726099 CEST	53	52441	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:09.334423065 CEST	62176	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:09.382443905 CEST	53	62176	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:09.485014915 CEST	59596	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:09.555056095 CEST	53	59596	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:10.440381050 CEST	65296	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:10.495359898 CEST	53	65296	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:11.646542072 CEST	63183	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:11.694940090 CEST	53	63183	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:13.035132885 CEST	60151	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:13.081505060 CEST	53	60151	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:14.139647961 CEST	56969	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:14.185878038 CEST	53	56969	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:15.339871883 CEST	55161	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:15.386109114 CEST	53	55161	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:16.529110909 CEST	54757	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:16.584440947 CEST	53	54757	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:17.950264931 CEST	49992	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:17.996478081 CEST	53	49992	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:20.389908075 CEST	60075	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:20.444008112 CEST	53	60075	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:20.647758007 CEST	55016	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:20.696362019 CEST	53	55016	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:36.161525965 CEST	53813	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:36.220650911 CEST	53	53813	8.8.8.8	192.168.2.5
Jul 7, 2021 16:18:40.911262989 CEST	63732	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:18:40.967371941 CEST	53	63732	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:03.852724075 CEST	57344	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:03.909598112 CEST	53	57344	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:08.766072989 CEST	54450	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:08.833605051 CEST	53	54450	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:16.703607082 CEST	59261	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:16.775482893 CEST	53	59261	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:22.148367882 CEST	57151	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:22.204935074 CEST	53	57151	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:34.233503103 CEST	56432	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:34.289171934 CEST	53	56432	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:37.000659943 CEST	61004	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:37.056885958 CEST	53	61004	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:37.108648062 CEST	56895	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:37.166660070 CEST	53	56895	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:38.239557981 CEST	62372	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:38.311676025 CEST	53	62372	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:38.977114916 CEST	61515	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:38.982193947 CEST	56675	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.035197020 CEST	57172	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.036107063 CEST	53	61515	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.037107944 CEST	53	56675	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.077255011 CEST	55267	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.093420029 CEST	53	57172	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.131894112 CEST	53	55267	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.151463032 CEST	50969	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.200596094 CEST	53	50969	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.450536013 CEST	64362	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.504690886 CEST	53	64362	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:39.846795082 CEST	54766	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:39.913527966 CEST	53	54766	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:51.669810057 CEST	61446	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:51.727696896 CEST	53	61446	8.8.8.8	192.168.2.5
Jul 7, 2021 16:19:54.833399057 CEST	57515	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:19:54.891074896 CEST	53	57515	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:06.822349072 CEST	58199	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:06.877989054 CEST	53	58199	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:07.828789949 CEST	58199	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:07.875370979 CEST	53	58199	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:07.896188974 CEST	65221	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:07.945730925 CEST	53	65221	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:08.830646038 CEST	58199	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:08.877408028 CEST	53	58199	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:08.892146111 CEST	65221	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:08.949754000 CEST	53	65221	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:09.892213106 CEST	65221	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:09.944355965 CEST	53	65221	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:10.847820044 CEST	58199	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:10.897819042 CEST	53	58199	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:11.907320976 CEST	65221	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:11.964919090 CEST	53	65221	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:14.845395088 CEST	58199	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:14.900710106 CEST	53	58199	8.8.8.8	192.168.2.5
Jul 7, 2021 16:20:15.923302889 CEST	65221	53	192.168.2.5	8.8.8.8
Jul 7, 2021 16:20:15.982098103 CEST	53	65221	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 7, 2021 16:18:20.389908075 CEST	192.168.2.5	8.8.8.8	0xbee	Standard query (0)	www.touslesdrivers.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:34.233503103 CEST	192.168.2.5	8.8.8.8	0x6df	Standard query (0)	www.touslesdrivers.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:37.108648062 CEST	192.168.2.5	8.8.8.8	0xf631	Standard query (0)	www.touslesdrivers.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:38.239557981 CEST	192.168.2.5	8.8.8.8	0x3ddd	Standard query (0)	www.touslesdrivers.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:38.977114916 CEST	192.168.2.5	8.8.8.8	0x5a92	Standard query (0)	ads.sportslocalmedia.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:38.982193947 CEST	192.168.2.5	8.8.8.8	0x30ac	Standard query (0)	securepubads.g.doubleclick.net	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.035197020 CEST	192.168.2.5	8.8.8.8	0xeafa	Standard query (0)	tags.smilewanted.com	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.151463032 CEST	192.168.2.5	8.8.8.8	0x6328	Standard query (0)	cdn.appconsent.io	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.846795082 CEST	192.168.2.5	8.8.8.8	0xb80d	Standard query (0)	googleads.g.doubleclick.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 7, 2021 16:18:20.444008112 CEST	8.8.8.8	192.168.2.5	0xbee	No error (0)	www.touslesdrivers.com	srv1.touslesdrivers.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:18:20.444008112 CEST	8.8.8.8	192.168.2.5	0xbee	No error (0)	srv1.touslesdrivers.com		85.31.204.81	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:34.289171934 CEST	8.8.8.8	192.168.2.5	0x6df	No error (0)	www.touslesdrivers.com	srv1.touslesdrivers.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:34.289171934 CEST	8.8.8.8	192.168.2.5	0x6df	No error (0)	srv1.touslesdrivers.com		85.31.204.81	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:37.166660070 CEST	8.8.8.8	192.168.2.5	0xf631	No error (0)	www.touslesdrivers.com	srv1.touslesdrivers.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:37.166660070 CEST	8.8.8.8	192.168.2.5	0xf631	No error (0)	srv1.touslesdrivers.com		85.31.204.81	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:38.311676025 CEST	8.8.8.8	192.168.2.5	0x3ddd	No error (0)	www.touslesdrivers.com	srv1.touslesdrivers.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:38.311676025 CEST	8.8.8.8	192.168.2.5	0x3ddd	No error (0)	srv1.touslesdrivers.com		85.31.204.81	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.036107063 CEST	8.8.8.8	192.168.2.5	0x5a92	No error (0)	ads.sportslocalmedia.com	ads.sportslocalmedia.com.web.cdn.anycast.me		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:39.036107063 CEST	8.8.8.8	192.168.2.5	0x5a92	No error (0)	ads.sportslocalmedia.com.web.cdn.anycast.me	46-105-202-207.any.cdn.anycast.me		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:39.036107063 CEST	8.8.8.8	192.168.2.5	0x5a92	No error (0)	46-105-202-207.any.cdn.anycast.me		46.105.202.207	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.037107944 CEST	8.8.8.8	192.168.2.5	0x30ac	No error (0)	securepubads.g.doubleclick.net	partnerad.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 16:19:39.037107944 CEST	8.8.8.8	192.168.2.5	0x30ac	No error (0)	partnerad.l.doubleclick.net		142.250.180.226	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.093420029 CEST	8.8.8.8	192.168.2.5	0xeafa	No error (0)	tags.smilewanted.com		104.26.7.39	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.093420029 CEST	8.8.8.8	192.168.2.5	0xeafa	No error (0)	tags.smilewanted.com		172.67.71.185	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.093420029 CEST	8.8.8.8	192.168.2.5	0xeafa	No error (0)	tags.smilewanted.com		104.26.6.39	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.200596094 CEST	8.8.8.8	192.168.2.5	0x6328	No error (0)	cdn.appconsent.io		35.227.209.167	A (IP address)	IN (0x0001)
Jul 7, 2021 16:19:39.913527966 CEST	8.8.8.8	192.168.2.5	0xb80d	No error (0)	googleads.g.doubleclick.net		216.58.214.194	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.touslesdrivers.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49735	85.31.204.81	80	C:\Users\user\AppData\Local\Temp\curl_x64.exe

Timestamp	kBytes transferred	Direction	Data
Jul 7, 2021 16:19:38.407059908 CEST	5945	OUT	GET /index.php?v_page=31&v_id=8KVKWmfznwDbzahM HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.touslesdrivers.com Connection: Keep-Alive
Jul 7, 2021 16:19:38.464884043 CEST	5946	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM Server: HTTP X-Frame-Options: SAMEORIGIN Date: Wed, 07 Jul 2021 14:19:35 GMT Content-Length: 211 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 64 c3 a9 70 6c 61 63 c3 a9 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 74 20 64 c3 a9 70 6c 61 63 c3 a9 3c 2f 68 31 3e 43 65 20 64 6f 63 75 6d 65 6e 74 20 70 65 75 74 20 c3 aa 74 72 65 20 63 6f 6e 73 75 6c 74 c3 a9 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 6f 75 73 6c 65 73 64 72 69 76 65 72 73 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 3f 76 5f 70 61 67 65 3d 33 31 26 61 6d 70 3b 76 5f 69 64 3d 38 4b 56 4b 57 6d 66 7a 6e 77 44 62 7a 61 68 4d 22 3e 69 63 69 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document dplac</title></head><body><h1>Objet dplac</h1>Ce document peut tre consult <a HREF="https://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM">ici</a></body>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 7, 2021 16:19:39.159789085 CEST	46.105.202.207	443	192.168.2.5	49741	CN=ads.slmads.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri May 21 17:28:17 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Thu Aug 19 17:28:17 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.159789085 CEST	46.105.202.207	443	192.168.2.5	49741	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.160123110 CEST	46.105.202.207	443	192.168.2.5	49740	CN=ads.slmads.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri May 21 17:28:17 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Thu Aug 19 17:28:17 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.160123110 CEST	46.105.202.207	443	192.168.2.5	49740	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.195291042 CEST	104.26.7.39	443	192.168.2.5	49747	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Aug 18 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Wed Aug 18 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.195291042 CEST	104.26.7.39	443	192.168.2.5	49747	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.198674917 CEST	104.26.7.39	443	192.168.2.5	49748	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Aug 18 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Wed Aug 18 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.198674917 CEST	104.26.7.39	443	192.168.2.5	49748	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.224272966 CEST	142.250.180.226	443	192.168.2.5	49743	CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jun 22 15:35:18 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Sep 14 15:35:17 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.224272966 CEST	142.250.180.226	443	192.168.2.5	49743	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.240375996 CEST	142.250.180.226	443	192.168.2.5	49742	CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jun 22 15:35:18 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Sep 14 15:35:17 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.240375996 CEST	142.250.180.226	443	192.168.2.5	49742	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.332803965 CEST	35.227.209.167	443	192.168.2.5	49752	CN=cdn.appconsent.io CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed May 26 12:09:31 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Aug 24 12:09:31 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.332803965 CEST	35.227.209.167	443	192.168.2.5	49752	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.334471941 CEST	35.227.209.167	443	192.168.2.5	49751	CN=cdn.appconsent.io CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed May 26 12:09:31 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Aug 24 12:09:31 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:39.334471941 CEST	35.227.209.167	443	192.168.2.5	49751	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 7, 2021 16:19:40.067873001 CEST	216.58.214.194	443	192.168.2.5	49755	CN=*.g.doubleclick.net CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Tue Jun 22 15:35:26 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020	Tue Sep 14 15:35:25 CEST 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=GTS CA 1C3, O=Google Trust Services LLC, C=US	CN=GTS Root R1, O=Google Trust Services LLC, C=US	Thu Aug 13 02:00:42 CEST 2020	Thu Sep 30 02:00:42 CEST 2027
					CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Fri Jun 19 02:00:42 CEST 2020	Fri Jan 28 01:00:42 CET 2028
Jul 7, 2021 16:19:40.068058014 CEST	216.58.214.194	443	192.168.2.5	49756	CN=*.g.doubleclick.net CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Tue Jun 22 15:35:26 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020	Tue Sep 14 15:35:25 CEST 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=GTS CA 1C3, O=Google Trust Services LLC, C=US	CN=GTS Root R1, O=Google Trust Services LLC, C=US	Thu Aug 13 02:00:42 CEST 2020	Thu Sep 30 02:00:42 CEST 2027
					CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Fri Jun 19 02:00:42 CEST 2020	Fri Jan 28 01:00:42 CET 2028

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Mes_Drivers_3.0.4.exe PID: 400 Parent PID: 5784

General

Start time:	16:18:14
Start date:	07/07/2021
Path:	C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Mes_Drivers_3.0.4.exe'
Imagebase:	0x400000
File size:	1624440 bytes
MD5 hash:	50A5E891DA27E63D54E68511E48AA026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.218185318.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.407834625.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 1500 Parent PID: 400

General

Start time:	16:18:16
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /C START '' 'C:\Users\user\AppData\Local\Temp\interface.lnk'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 2904 Parent PID: 1500

General

Start time:	16:18:16
Start date:	07/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: detection.exe PID: 5556 Parent PID: 400

General

Start time:	16:18:17
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detection.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\detection.exe'
Imagebase:	0x400000
File size:	1165312 bytes
MD5 hash:	02BA1C44B6392F013A7AA0B91314F45A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000004.00000003.399944667.00000000009B3000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000002.402849297.0000000000401000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000004.00000003.225305782.000000007FA70000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000004.00000003.401509038.0000000002A78000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000004.00000003.401894830.00000000024D1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 10%, Metadefender, Browse Detection: 28%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exe PID: 5976 Parent PID: 5556

General

Start time:	16:18:17
Start date:	07/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 5064 Parent PID: 1500

General

Start time:	16:18:17
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\interface.cmd' '
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5468 Parent PID: 5064

General

Start time:	16:18:18
Start date:	07/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mode.com PID: 5624 Parent PID: 5064

General

Start time:	16:18:18
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\mode.com
Wow64 process (32bit):	true
Commandline:	MODE CON: COLS=76 LINES=15
Imagebase:	0x7ff797770000
File size:	27648 bytes
MD5 hash:	D781CD6A6484C276A4D0750D9206A382
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2588 Parent PID: 5064

General

Start time:	16:18:19
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' VER '
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: findstr.exe PID: 6040 Parent PID: 5064

General

Start time:	16:18:19
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	FINDSTR /I /R /C:'version 5\.[0-1]\.'
Imagebase:	0x11c0000
File size:	29696 bytes
MD5 hash:	8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: curl_x64.exe PID: 5968 Parent PID: 5556

General

Start time:	16:18:20
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\curl_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request GET 'https://www.touslesdrivers.com/php/mes_drivers/version.php?v_version=3.0.4'
Imagebase:	0x400000
File size:	860232 bytes
MD5 hash:	E80C8CB9887A7C9426D4E843DDDB8A44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: waitfor.exe PID: 2172 Parent PID: 5064

General

Start time:	16:18:20
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	WAITFOR unlock
Imagebase:	0x910000
File size:	32256 bytes
MD5 hash:	83E921720CA3BD03CF6BF5686E802C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: waitfor.exe PID: 1012 Parent PID: 5556

General

Start time:	16:18:21
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	WAITFOR /S DESKTOP-716T771 /SI unlock
Imagebase:	0x910000
File size:	32256 bytes
MD5 hash:	83E921720CA3BD03CF6BF5686E802C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sc.exe PID: 5852 Parent PID: 5556

General

Start time:	16:18:28
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	SC query Winmgmt
Imagebase:	0xb60000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: waitfor.exe PID: 2904 Parent PID: 5556

General

Start time:	16:18:30
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	WAITFOR /S DESKTOP-716T771 /SI unlock
Imagebase:	0x910000
File size:	32256 bytes
MD5 hash:	83E921720CA3BD03CF6BF5686E802C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: detect_x64.exe PID: 360 Parent PID: 5556

General

Start time:	16:18:34
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detect_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\detect_x64.exe' driverfiles 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Imagebase:	0x7ff7a7450000
File size:	82432 bytes
MD5 hash:	6A7EC375AF8BA2E87FF7F23497E9944E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: detect_x64.exe PID: 5504 Parent PID: 5556

General

Start time:	16:18:34
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detect_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\detect_x64.exe' drivernodes 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Imagebase:	0x7ff7a7450000
File size:	82432 bytes
MD5 hash:	6A7EC375AF8BA2E87FF7F23497E9944E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: detect_x64.exe PID: 1012 Parent PID: 5556

General

Start time:	16:18:35
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detect_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\detect_x64.exe' hwids 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Imagebase:	0x7ff7a7450000
File size:	82432 bytes
MD5 hash:	6A7EC375AF8BA2E87FF7F23497E9944E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: detect_x64.exe PID: 1692 Parent PID: 5556

General

Start time:	16:18:35
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detect_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\detect_x64.exe' stack 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Imagebase:	0x7ff7a7450000
File size:	82432 bytes
MD5 hash:	6A7EC375AF8BA2E87FF7F23497E9944E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: detect_x64.exe PID: 1704 Parent PID: 5556

General

Start time:	16:18:36
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\detect_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\detect_x64.exe' status 1394\* DISPLAY\* HDAUDIO\* HID\* MONITOR\* PCI\* PCMCIA\* SBP2\* SD\* USB\*
Imagebase:	0x7ff7a7450000
File size:	82432 bytes
MD5 hash:	6A7EC375AF8BA2E87FF7F23497E9944E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: waitfor.exe PID: 6812 Parent PID: 5556

General

Start time:	16:19:27
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	WAITFOR /S DESKTOP-716T771 /SI unlock
Imagebase:	0x910000
File size:	32256 bytes
MD5 hash:	83E921720CA3BD03CF6BF5686E802C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: aes_x64.exe PID: 7004 Parent PID: 5556

General

Start time:	16:19:32
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\aes_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\aes_x64.exe' -e -p anT^UpFuzpuC@lOvsoPVe2kiNTidaBo<zI]BeaRnU0ResFwAy@dEnuCkUd)hAzOh -o 'C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' -
Imagebase:	0x7ff697680000
File size:	155136 bytes
MD5 hash:	E5125D4651C008EBA61D9FD3ABD5AB31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000024.00000002.388115021.00007FF697695000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000024.00000000.386024517.00007FF697695000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: C:\Users\user\AppData\Local\Temp\aes_x64.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: curl_x64.exe PID: 7020 Parent PID: 5556

General

Start time:	16:19:33
Start date:	07/07/2021
Path:	C:\Users\user\AppData\Local\Temp\curl_x64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\curl_x64.exe' --connect-timeout 5 --max-time 20 --fail --silent --request POST --form 'v_configuration=<C:\Users\user\AppData\Local\Temp\8KVKWmfznwDbzahM\8KVKWmfznwDbzahM' 'https://www.touslesdrivers.com/php/mes_drivers/envoi.php?v_id=8KVKWmfznwDbzahM&v_version=3.0.4'
Imagebase:	0x400000
File size:	860232 bytes
MD5 hash:	E80C8CB9887A7C9426D4E843DDDB8A44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7064 Parent PID: 5556

General

Start time:	16:19:35
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /C START '' 'http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: waitfor.exe PID: 7072 Parent PID: 5556

General

Start time:	16:19:35
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	WAITFOR /S DESKTOP-716T771 /SI unlock
Imagebase:	0x910000
File size:	32256 bytes
MD5 hash:	83E921720CA3BD03CF6BF5686E802C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: iexplore.exe PID: 7120 Parent PID: 7064

General

Start time:	16:19:36
Start date:	07/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' http://www.touslesdrivers.com/index.php?v_page=31&v_id=8KVKWmfznwDbzahM
Imagebase:	0x7ff69bf80000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: iexplore.exe PID: 3000 Parent PID: 7120

General

Start time:	16:19:37
Start date:	07/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7120 CREDAT:17410 /prefetch:2
Imagebase:	0x1030000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Mes_Drivers_3.0.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre