
ID: 180101 Sample Name: FL2000-2.1.33676.0.exe Cookbook: default.jbs Time: 23:40:48 Date: 01/10/2019 Version: 27.0.0 Red Agate

Table of Contents

Table of Contents 2
Analysis Report FL2000-2.1.33676.0.exe 5
Overview 5
General Information 5
Detection 6
Confidence 6
Classification 6
Analysis Advice 7
Mitre Att&ck Matrix 7
Signature Overview 8
Spreading: 8
Networking: 8
Key, Mouse, Clipboard, Microphone and Screen Capturing: 9
E-Banking Fraud: 9
System Summary: 9
Data Obfuscation: 10
Persistence and Installation Behavior: 10
Boot Survival: 10
Hooking and other Techniques for Hiding and Protection: 10
Malware Analysis System Evasion: 10
Anti Debugging: 10
HIPS / PFW / Protection Evasion: 10
Language, Device and Operating System Detection: 11
Behavior Graph 11
Simulations 11
Behavior and APIs 11
Antivirus, Machine Learning and Genetic Malware Detection 12
Initial Sample 12
Dropped Files 12
Unpacked PE Files 12
Domains 12
URLs 12
Yara Overview 12
Initial Sample 13
PCAP (Network Traffic) 13
Dropped Files 13
Memory Dumps 13
Unpacked PEs 13
Joe Sandbox View / Context 13
IPs 13
Domains 13
ASN 13
JA3 Fingerprints 14
Dropped Files 14
Screenshots 14
Thumbnails 14
Startup 15
Created / dropped Files 16
Domains and IPs 24
Contacted Domains 24
Contacted URLs 24
URLs from Memory and Binaries 24
Contacted IPs 25
Public 25
Static File Info 25
General 25
File Icon 26
Static PE Info 26
General 26

Copyright Joe Security LLC 2019 Page 2 of 49

Authenticode Signature 26
Entrypoint Preview 27
Rich Headers 28
Data Directories 28
Sections 28
Resources 28
Imports 29
Version Infos 29
Possible Origin 29
Network Behavior 30
Network Port Distribution 30
TCP Packets 30
UDP Packets 32
DNS Queries 32
DNS Answers 32
HTTP Request Dependency Graph 32
HTTP Packets 32
Code Manipulations 33
Statistics 33
Behavior 33
System Behavior 33
Analysis Process: FL2000-2.1.33676.0.exe PID: 772 Parent PID: 3836 34
General 34
File Activities 34
File Created 34
File Deleted 35
File Moved 35
File Written 35
File Read 37
Analysis Process: FL2000-2.1.34054.0.exe PID: 1704 Parent PID: 772 37
General 37
File Activities 37
File Created 37
File Deleted 39
File Written 39
File Read 42
Registry Activities 42
Key Created 42
Key Value Created 42
Analysis Process: msiexec.exe PID: 4312 Parent PID: 1704 43
General 43
File Activities 43
Registry Activities 43
Analysis Process: msiexec.exe PID: 4360 Parent PID: 1712 43
General 43
Analysis Process: msiexec.exe PID: 2212 Parent PID: 1712 44
General 44
File Activities 44
Analysis Process: msiexec.exe PID: 396 Parent PID: 1712 44
General 44
Registry Activities 44
Analysis Process: msiexec.exe PID: 3828 Parent PID: 1712 44
General 44
File Activities 44
Registry Activities 45
Analysis Process: drvinst.exe PID: 4712 Parent PID: 700 45
General 45
Analysis Process: drvinst.exe PID: 3928 Parent PID: 700 45
General 45
Analysis Process: drvinst.exe PID: 1196 Parent PID: 700 45
General 45
Analysis Process: cmd.exe PID: 4308 Parent PID: 1712 46
General 46
Analysis Process: conhost.exe PID: 4660 Parent PID: 4308 46
General 46
Analysis Process: xcopy.exe PID: 4496 Parent PID: 4308 46
General 46
Analysis Process: cmd.exe PID: 4628 Parent PID: 4308 47
General 47
Analysis Process: powershell.exe PID: 4504 Parent PID: 4628 47
General 47
Analysis Process: cmd.exe PID: 2352 Parent PID: 4308 47
General 47
Analysis Process: powershell.exe PID: 5028 Parent PID: 2352 47
General 47
Analysis Process: flvga_tray.exe PID: 4236 Parent PID: 3040 48
General 48
Analysis Process: sc.exe PID: 1836 Parent PID: 4308 48
General 48
Analysis Process: sc.exe PID: 4056 Parent PID: 4308 48
General 48
Analysis Process: flvga_tray.exe PID: 4212 Parent PID: 4308 48
General 48
Analysis Process: flvga_tray.exe PID: 2232 Parent PID: 3040 49
General 49
Disassembly 49
Code Analysis 49

Analysis Report FL2000-2.1.33676.0.exe

Overview

General Information

Joe Sandbox Version: 27.0.0 Red Agate
Analysis ID: 180101
Start date: 01.10.2019
Start time: 23:40:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FL2000-2.1.33676.0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@32/35@1/1
EGA Information: Successful, ratio: 83.3%
HDC Information: Successful, ratio: 87.9% (good quality ratio 82%)
Quality average: 74.1%
Quality standard deviation: 30%
HCA Information: Successful, ratio: 61%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 216.58.201.100, 13.107.4.50, 205.185.216.10, 205.185.216.42, 93.184.221.240
Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, au.au-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, au.c-0001.c-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 36 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 0 0 - 5 true

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 1 | Execution through API 1 | Modify Existing Service 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | System Time Discovery 1 | Remote File Copy 2 | Input Capture 1 | Data Encrypted 1 | Remote File Copy 2
Replication Through Removable Media | Command-Line Interface 1 | Port Monitors | Access Token Manipulation 1 | File Deletion 1 | Network Sniffing | Peripheral Device Discovery 2 1 | Replication Through Removable Media 1 | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Process Injection 1 1 | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 5 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Masquerading 4 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation 1 | Account Manipulation | System Information Discovery 5 4 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Process Injection 1 1 | Brute Force | Query Registry 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Process Discovery 3 | Pass the Hash | Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Application Window Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview

• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Spreading:

Checks for available system drives (often done to infect USB drives)

Contains functionality to get notified if a device is plugged in / out

Contains functionality to enumerate / list files inside a directory

Contains functionality to query local drives

Networking:

Contains functionality to download additional files from the internet

Downloads files from webservers via HTTP

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

E-Banking Fraud:

Drops certificate files (DER)

System Summary:

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Creates files inside the driver directory

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

Detected potential crypto function

Enables security privileges

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Reads the hosts file

Sample file is different than original file name gathered from version info

Sample reads its own file content

Tries to load missing DLLs

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to enum processes or threads

Contains functionality to load and extract PE file embedded resources

Creates files inside the user directory

Creates temporary files

Might use command line arguments

PE file has an executable .text section and no other executable section

Parts of this application are using the .NET runtime (probably coded in C#)

Reads ini files

Reads software policies

Sample might require command line arguments

Spawns processes

Uses an in-process (OLE) Automation server

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Creates a software uninstall entry

PE file has a valid certificate

Submission file is bigger than most known malware samples

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Boot Survival:

Uses sc.exe to modify the status of services

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Checks the free space of harddrives

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to read device registry values (via SetupAPI)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query local drives

Contains functionality to query system information

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Contains functionality to create pipes for IPC

Contains functionality to query local / system time

Contains functionality to query windows version

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph; ID: 180101, Sample: FL2000-2.1.33676.0.exe, Startdate: 01/10/2019, Architecture: WINDOWS, Score: 36]

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Process nodes: FL2000-2.1.33676.0.exe, FL2000-2.1.34054.0.exe, cmd.exe, msiexec.exe, flvga_tray.exe, xcopy.exe, powershell.exe (two instances), plus "8 other processes" and "4 other processes" nodes.

Network nodes: s3-us-west-2-w.amazonaws.com; 52.218.236.123 (ports 49706, 80; unknown; United States); updates.frescologic.com.s3.amazonaws.com; updates.frescologic.com; Internet.

Dropped files: C:\Users\user\...\FL2000-2.1.34054.0.exe.part (PE32); C:\Program Files\DIFX\...\DIFxAppA.dll (PE32+); C:\Windows\System32\...\SET39FB.tmp (PE32); C:\Windows\System32\...\SET2A3B.tmp (PE32+); C:\Windows\System32\flvga_tray.exe (PE32+); C:\Users\user\AppData\Local\...\shiD778.tmp (PE32+); C:\Users\user\AppData\Local\...\MSIE44C.tmp, MSIE41C.tmp, MSIE3EC.tmp, MSIE284.tmp (PE32).

Signatures shown on the graph: Found evasive API chain (may stop execution after checking mutex); Drops executables to the windows directory (C:\Windows) and starts them.

Simulations

Behavior and APIs

Time | Type | Description
23:42:40 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run flvga_tray32 C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe i
23:42:48 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run flvga_tray C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe i

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
FL2000-2.1.33676.0.exe | 1% | Virustotal | | Browse
FL2000-2.1.33676.0.exe | 3% | Metadefender | | Browse

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll | 0% | Virustotal | | Browse
C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MSIE284.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MSIE284.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MSIE3EC.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MSIE3EC.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MSIE41C.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MSIE41C.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MSIE44C.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MSIE44C.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\shiD778.tmp | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\shiD778.tmp | 0% | Metadefender | | Browse
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part | 1% | Virustotal | | Browse
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part | NaN% | Metadefender | | Browse
C:\Windows\System32\flvga_tray.exe | 0% | Virustotal | | Browse
C:\Windows\System32\flvga_tray.exe | 0% | Metadefender | | Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
://www.google.co.uk/intl/en/about/products?tab=wh | 0% | Virustotal | | Browse
https://www.google.co.uk/intl/en/about/products?tab=wh | 0% | Avira URL Cloud | safe |
www.google.co.uk/imghp?hl=en&tab=wi | 0% | Virustotal | | Browse
www.google.co.uk/imghp?hl=en&tab=wi | 0% | Avira URL Cloud | safe |
ocsp.thawte.com0 | 0% | Avira URL Cloud | safe |
ocsp.thawte.com0 | 0% | Google Safe Browsing | safe |
www.advancedinstaller.com0 | 0% | Avira URL Cloud | safe |
www.google.co.uk/history/optout?hl=en | 0% | Virustotal | | Browse
www.google.co.uk/history/optout?hl=en | 0% | Avira URL Cloud | safe |
maps.google.co.uk/maps?hl=en&tab=wl | 0% | Virustotal | | Browse
maps.google.co.uk/maps?hl=en&tab=wl | 0% | Avira URL Cloud | safe |
news.google.co.uk/nwshp?hl=en&tab=wn | 0% | Virustotal | | Browse
news.google.co.uk/nwshp?hl=en&tab=wn | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
s3-us-west-2-w.amazonaws.com | https://www.evernote.com/shard/s316/sh/d00a8d84-5e50-4c48-8558-e449328e231c/e79738f18e1188b9529e06a95a5c87e8 | Get hash | malicious | Browse | 54.231.185.70
| tracking.onlinebesteducation.com/campaigns/gg5264rz9sa20/track-url/kx3049341c95c/ae3b8194d0ab224de956b50a0999362ac5ef5ba8 | Get hash | malicious | Browse | 54.231.169.30

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
unknown | Receipt#81058369422287255138661.vbs | Get hash | malicious | Browse | 217.48.25.112
| https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhimiloconstruction.com%2Fllg%2FZS%3Femzo%3Dlyn%26lin%3Deportacio%40stanfordhealthcare.org&data=01%7C01%7Ceportacio%40stanfordhealthcare.org%7C19a2b358c55f4fe9e0b708d74695ed3f%7C9866b506dc9d48ddb7203a50db77a1cc%7C0&sdata=8SwjMiACaC8XFSvtOk2%2BOWzclRmDGEPC2LRyiSsLW%2Bc%3D&reserved=0 | Get hash | malicious | Browse | 217.174.152.200
| https://cdn1.evernote.com/win6/public/Evernote_6.21.2.8716.exe | Get hash | malicious | Browse | 92.123.10.60
| https://cdn1.evernote.com/win6/public/Evernote_6.21.2.8716.exe | Get hash | malicious | Browse | 92.123.10.60
| docu-signen.dynu.net/ | Get hash | malicious | Browse | 23.54.112.111
| sync.madnet.ru | Get hash | malicious | Browse | 78.140.184.98
| IMG001.exe | Get hash | malicious | Browse | 37.1.216.8
| information.vbe | Get hash | malicious | Browse | 91.235.116.58
| https://galvaomoura.com.br/llg/ZS?[email protected] | Get hash | malicious | Browse | 162.241.53.43
| vogueknitting.com | Get hash | malicious | Browse | 205.185.208.52
| www.dbrsupportportal.dellbackupandrecovery.com/service/spupdate.svc | Get hash | malicious | Browse | 148.62.79.96
| https://docs.google.com/uc?id=118XPglUA65Wbjlw77zdn8xXsLZn6b1D0 | Get hash | malicious | Browse | 172.217.22.193
| https://publicisteastafrica.com/wp-content/uploads/2019/09/file/ord_21.zip | Get hash | malicious | Browse | 158.85.53.149
| https://docs.google.com/uc?id=1hQ8OD4F0bVQsiZLCUImS8f2OHWHJChaS | Get hash | malicious | Browse | 172.217.22.193
| W-9.pdf | Get hash | malicious | Browse | 3.3.0.2
| https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Faegypten-hurghada.com%2Fvs%2FZS%3Femzo%3Dlyn%26lin%3Drosalee.bard%40benefitmall.com&data=02%7C01%7CServiceDesk%40benefitmall.com%7Cbb26a7e29c3947e4439208d7468f9928%7Cd5254c64bea1491da6a09719464ce9db%7C0%7C0%7C637055454872469199&sdata=m2%2FQvq%2BrVkWiSTn8pVFuy5tpOjTfEytQXiNGz6%2B7Whw%3D&reserved=0 | Get hash | malicious | Browse | 138.201.107.250
| https://cutt.us/LR5Pu | Get hash | malicious | Browse | 78.135.65.25
| https://docs.google.com/uc?id=118XPglUA65Wbjlw77zdn8xXsLZn6b1D0 | Get hash | malicious | Browse | 172.217.22.193
| 104.192.108.19/softdl.360tpcdn.com/softadd/softadd_list_1.0.0.1010.cab | Get hash | malicious | Browse | 104.192.108.19
| Shutdown, Turnaround Maitenance & Insepction Forum 2020.pdf | Get hash | malicious | Browse | 3.3.0.2

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

Startup

System is w10x64
FL2000-2.1.33676.0.exe (PID: 772 cmdline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe' MD5: 18D9DA8E28B2704AAA5BBA34CBDFC8F8)
FL2000-2.1.34054.0.exe (PID: 1704 cmdline: 'C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' /exenoupdates MD5: 18B0139CA76E7447BC64F9A812F4A9F2)
msiexec.exe (PID: 4312 cmdline: /i 'C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi' AI_SETUPEXEPATH='C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' SETUPEXEDIR='C:\Users\user\Downloads\' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 4360 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C6444D21B09D0365D1AED66B8A4CA67A C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
msiexec.exe (PID: 2212 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EB421D04152A3CFE105606858778CD06 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
msiexec.exe (PID: 396 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 7A58AD71FC3DD6FEC788BA8C51E6D236 MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 3828 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 8569D3FC8CD9EF5D1052ECCA6FEE354C E Global\MSI0000 MD5: 4767B71A318E201188A0D0A420C8B608)
drvinst.exe (PID: 4712 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\FL2000.inf' '9' '40101c057' '0000000000000968' 'WinSta0\Default' '0000000000000BF8' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
drvinst.exe (PID: 3928 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd\lci_proxykmd.inf' '9' '4d9ccbb2f' '0000000000000BF8' 'WinSta0\Default' '0000000000000610' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
drvinst.exe (PID: 1196 cmdline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx\fresco_iddcx.inf' '9' '4d7097e0f' '0000000000000610' 'WinSta0\Default' '000000000000099C' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\post_install.cmd'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
xcopy.exe (PID: 4496 cmdline: xcopy /y /q .\fl2000\x64\flvga_tray.exe C:\Windows\System32\ MD5: 6BC7DB1465BEB7607CBCBD7F64007219)
cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Major MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
powershell.exe (PID: 4504 cmdline: powershell [environment]::OsVersion.Version.Major MD5: 95000560239032BC68B4C2FDFCDEF913)
cmd.exe (PID: 2352 cmdline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Build MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
powershell.exe (PID: 5028 cmdline: powershell [environment]::OsVersion.Version.Build MD5: 95000560239032BC68B4C2FDFCDEF913)
sc.exe (PID: 1836 cmdline: sc delete flxhciv MD5: D79784553A9410D15E04766AAAB77CD6)
sc.exe (PID: 4056 cmdline: sc query ddmgr MD5: D79784553A9410D15E04766AAAB77CD6)
flvga_tray.exe (PID: 4212 cmdline: C:\Windows\System32\flvga_tray.exe i MD5: 7B16174FF4C023F4A9DE26D7A6F678F8)
flvga_tray.exe (PID: 4236 cmdline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe' i MD5: 4D9DE5366E2CB20A68BAEDA9C4A8D05E)
flvga_tray.exe (PID: 2232 cmdline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe' i MD5: 7B16174FF4C023F4A9DE26D7A6F678F8)
cleanup

Created / dropped Files

C:\Program Files\DIFX\ED00A7CB25A64AAB\DIFxAppA.dll

Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes): 723000
Entropy (8bit): 5.964446343990589
Encrypted: false
MD5: 89596BCC6B7ADD0A805C9F7A2EC120DE
SHA1: E576A07E09DF2BD69773334189C431B2369D1F93
SHA-256: EB2AAF64E9F74EE1C1D687777BDFE9911989059D04E980685C9350153B6BC677
SHA-512: 0E72E53BA512F10AF5B75F2651D5D481D455A2D67B412A4FC7A2A3C2EF086953322F54B3BA0F9D3F3E27B964F6A75C16087F98D721342F719E217BB39F0D780D
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... Rich...... PE..d...Vj.H...... " ...... F...... @...... u....@...... 0...... L...... @...... 8(...... 0...... text...... `.data...X...... @....pdata..@...... @[email protected]...... N...... @[email protected]...... @..B......

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e......

C:\Users\user\AppData\Local\Temp\MSIE284.tmp

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 97280
Entropy (8bit): 6.3781622546125885
Encrypted: false
MD5: 3056644ACE6294C801A8010E99888525
SHA1: BBB622450269B1918E9FE11ED32DEECF65E7E0E2
SHA-256: 77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B
SHA-512: 853E263E4A921B332CF573B8271759CFF5CEC569B08AF78ED8F022D76567868A66455C12FAB728A96BABEBD3859FC1ED2C8507E7233B45B2811542E2D38E1C3A
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @[email protected]...`....P...... 4...... @....rsrc...0....`...... 6...... @[email protected]...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIE3EC.tmp

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 97280
Entropy (8bit): 6.3781622546125885
Encrypted: false
MD5: 3056644ACE6294C801A8010E99888525
SHA1: BBB622450269B1918E9FE11ED32DEECF65E7E0E2
SHA-256: 77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B
SHA-512: 853E263E4A921B332CF573B8271759CFF5CEC569B08AF78ED8F022D76567868A66455C12FAB728A96BABEBD3859FC1ED2C8507E7233B45B2811542E2D38E1C3A
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @[email protected]...`....P...... 4...... @....rsrc...0....`...... 6...... @[email protected]...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIE41C.tmp
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 97280
Entropy (8bit): 6.3781622546125885
Encrypted: false
MD5: 3056644ACE6294C801A8010E99888525
SHA1: BBB622450269B1918E9FE11ED32DEECF65E7E0E2
SHA-256: 77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B
SHA-512: 853E263E4A921B332CF573B8271759CFF5CEC569B08AF78ED8F022D76567868A66455C12FAB728A96BABEBD3859FC1ED2C8507E7233B45B2811542E2D38E1C3A
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @..@.data...`....P...... 4...... @....rsrc...0....`...... 6...... @..@.reloc...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIE44C.tmp
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 97280
Entropy (8bit): 6.3781622546125885
Encrypted: false
MD5: 3056644ACE6294C801A8010E99888525
SHA1: BBB622450269B1918E9FE11ED32DEECF65E7E0E2
SHA-256: 77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B
SHA-512: 853E263E4A921B332CF573B8271759CFF5CEC569B08AF78ED8F022D76567868A66455C12FAB728A96BABEBD3859FC1ED2C8507E7233B45B2811542E2D38E1C3A
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... w..q3.."3.."3..":.H"2..":.X"*.."3.."..."...#..."...#2.."..4"2.."3.\"2.." ...#2.."Rich3.."...... PE..L...=..W...... !...... @...... 6..l...d?...... `..0...... J...2...p...... 06..p...... text...... `.rdata..$l...... n...... @..@.data...`....P...... 4...... @....rsrc...0....`...... 6...... @..@.reloc...... p...... <...... @. .B......

C:\Users\user\AppData\Local\Temp\MSIfdca8.LOG
Process: C:\Windows\System32\msiexec.exe
File Type: data
Size (bytes): 144522
Entropy (8bit): 3.7994799970489095
Encrypted: false
MD5: 535CA32A8D54B569ADD713E8F8F12391
SHA1: 8E09B308EAE0F52AEB6DA796622152B7AB9C88BC
SHA-256: 22FE19C58A84A54B66477B5438275C2C953D1CC5F037C4D62A9D8E212D5BE349
SHA-512: FE2FB306D3AA05E1395EF36BAB4F3526B4307D22B3E00EC0390AD11F7476C023EB3E2E0DF5958EA319816DD500515423B7CFCF5566E3D53F362DD84D919F7070
Malicious: false
Preview: ..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.0./.1./.2.0.1.9. . .2.3.:.4.2.:.0.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.D.8.:.0.4.). .[.2.3.:.4.2.:.0.6.:.8.7.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g...... M.S.I. .(.c.). .(.D.8.:.0.4.). .[.2.3.:.4.2.:.0.6.:.8.7.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g...... M.S.I. .(.c.). .(.D.8.:.B.4.). .[.2.3.:.4.2.:.0.7.:.0.3.5.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.D.8.:.B.4.). .[.2.3.:.4.2.:.0.7.:.0.3.5.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2i1vv3aj.51t.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.547106011513244
Encrypted: false
MD5: 50166F3B7BCC742C290F2648143D0FA7
SHA1: 0E443A003675F8579485EB7B98E53279FB92A762
SHA-256: BA82A5AB06BC925D8EFF0CEE7998BA111A5BE1DDC10DD77D166E3863F8376A21
SHA-512: 79BC22D714E9A110E3387CC80544C46695B9A9EDCCD55DB89215F83EAAF62ECB18FDC8CDD339A83F1C2CE0F7C87701A012B33B2239889DFA0DAA14E57BE612B1
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:42:39 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbbqdbnp.gwc.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.547106011513244
Encrypted: false
MD5: 68957F89CD5C28D98310BBDFE76DB734
SHA1: 4290978EAF0C0288F607E84AB82A42D4E836D9CE
SHA-256: 43A4EDAEF90746EB189ADD4A4E87CF0E29FA996A1B8B5CD4890CE40B03680E00
SHA-512: 49654E7A4498AE107561021C81F358A88963619463B3961860DA0A0AF4AA8C4941D62115B2225CAF4ED106C4E5ECECDB224DF5F3C60DC605D3EFF1CD62D229C0
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:42:45 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wad1bd4i.j5j.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.547106011513244
Encrypted: false
MD5: 68957F89CD5C28D98310BBDFE76DB734
SHA1: 4290978EAF0C0288F607E84AB82A42D4E836D9CE
SHA-256: 43A4EDAEF90746EB189ADD4A4E87CF0E29FA996A1B8B5CD4890CE40B03680E00
SHA-512: 49654E7A4498AE107561021C81F358A88963619463B3961860DA0A0AF4AA8C4941D62115B2225CAF4ED106C4E5ECECDB224DF5F3C60DC605D3EFF1CD62D229C0
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:42:45 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgzesk3i.cyf.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.547106011513244
Encrypted: false
MD5: 50166F3B7BCC742C290F2648143D0FA7
SHA1: 0E443A003675F8579485EB7B98E53279FB92A762
SHA-256: BA82A5AB06BC925D8EFF0CEE7998BA111A5BE1DDC10DD77D166E3863F8376A21
SHA-512: 79BC22D714E9A110E3387CC80544C46695B9A9EDCCD55DB89215F83EAAF62ECB18FDC8CDD339A83F1C2CE0F7C87701A012B33B2239889DFA0DAA14E57BE612B1
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode 10/1/2019 11:42:39 PM

C:\Users\user\AppData\Local\Temp\shiD778.tmp
Process: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 4070400
Entropy (8bit): 6.189876613469743
Encrypted: false
MD5: 71A25F5901A58354EDA73A500FABA9FF
SHA1: 871C0D6E6FA19F8976FEDE4EDD3C6B8AD18EA5FA
SHA-256: A30BD6BBE26342A4FA5300606DB99EA414CD4FAE3886BA5F29CFA6488AAAED82
SHA-512: F8828714C9A98504FB92B0050B1A6286BF569798AB828BBC511517F8B89655EBEA8CD2FF9FB4C71F607BB6500414A36DEF41E5CE775A32EE6E5140270F33203B
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... hR...... Rich ...... PE..d...... " ...... 0...... >...... }>...`A...... ^;..$....;...... @=...... 0<...... `>..0..0Z2.T...... 1...... 1...... text...w.0...... 0...... `.rdata..4.....0...... 0...... @..@.data....;..0....;...... @....pdata...... 0<...... ;...... @..@.rsrc...... @=...... <...... @..@.reloc...`>..2....=...... @..B......

C:\Users\user\AppData\Local\Temp\tin8735.tmp.part
Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe
File Type: HTML document, ISO-8859 text, with very long lines
Size (bytes): 12569
Entropy (8bit): 5.690419063048549
Encrypted: false
MD5: 4C62DFEC999B3CE0A3301AADC418D7AE
SHA1: EB72690247FDA1DFC08AE60F9A49E7C9389C7A86
SHA-256: BC57C7639919FED7EEA7779290270923EF7D6ACFCD226D5F873CCB77A2EC8E81
SHA-512: EE1DDDF7EFD417E559274BE88DDECF7609BEEF9D528345159D77C0D43112717934F99EE07707C8CE3DEEEFB3A024A7BA18F41AF4353C20A78AC6C08F06E7FBFB
Malicious: false
Preview:

C:\Users\user\AppData\Local\Temp\upd8D70.tmp.part
Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1831
Entropy (8bit): 5.337541339418556
Encrypted: false
MD5: 54AB87D570346F70EAE42ABAC0CEE76B
SHA1: A4CB1890225F6E37E2488B4E69FB6BF00F168BAA
SHA-256: 7FBD8678415BF9F7A462A290F74FA32B148FE05C54B73F9C6FB01B38D919C690
SHA-512: 5F4F95417BEC805AB6B2B2C10D284D5CF7C78E2C6DD42FBCDAAE9BF78D71249C205AEAD6A7E0C35C3C0293DB40763BB1E80348288B48F1B7CFD4B1E2EAF261D1
Malicious: false
Preview: ;aiu;....[FL2000-2.1.34054.0]..Name = Fresco Logic USB Display Driver 2.1.34054.0..ProductVersion = 2.1.34054.0..URL = http://updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exe..Size = 8058744..ReleaseDate = 23/11/2017..MD5 = 18b0139ca76e7447bc64f9a812f4a9f2..CommandLine = /qn..ServerFileName = FL2000-2.1.34054.0.exe..Flags = SilentInstall..RegistryKey = HKUD\Software\Fresco Logic\Fresco Logic USB Display Driver\Version..Version = 2.1.34054.0..Replaces = All....[FL2000-2.1.33788.0]..Name = Fresco Logic USB Display Driver 2.1.33788.0..ProductVersion = 2.1.33788.0..URL = http://updates.frescologic.com/FL2000/FL2000-2.1.33788.0.exe..Size = 8057920..ReleaseDate = 18/08/2017..MD5 = a26f77605f5a6bab00280f039e9b359c..CommandLine = /qn..ServerFileName = FL2000-2.1.33788.0.exe..Flags = SilentInstall..RegistryKey = HKUD\Software\Fresco Logic\Fresco Logic USB Display Driver\Version..Version = 2.1.33788.0..Replaces = All....[FL2000-2.1.33676.0]..Name = Fresco Logic USB Display Driver 2.1.33676.

C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi
Process: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe
File Type: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.
Size (bytes): 7500167
Entropy (8bit): 7.592839130091192
Encrypted: false
MD5: 96DD1ABF9BA59BA8C5CDC51C9337848B
SHA1: 714E19D9653EB6FAB67F0FC9B353BFA9716E9381
SHA-256: 435A5529898B449779C4EEAA80D8C085604C36DA8C005FD16D25BB2A49B5D1A9
SHA-512: 121F125A341A1BA5294B96D838A10CE400E78471402BBA9AD21024418D14C073754DA609C51F9865DBED75B970A055814C593BDC70E086C07A29F275A0254226
Malicious: false
Preview: ...... >......

C:\Users\user\Documents\20191001\PowerShell_transcript.849224.DbT4LdsP.20191001234238.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 930
Entropy (8bit): 4.983383801996105
Encrypted: false
MD5: C50B5E45C6DECFFE92C430885EB9164E
SHA1: 9E94D44B4B2A76E67DBEAAAAA5E8114D0B03A921
SHA-256: 2F35069F8671E3DDB768694BD62F033E5C1F7089DA1900241C75F20B94DC2FA8
SHA-512: F014DD053D4ABB6E68F754CC42CF7911E43348D7338DC562F977DAB5B27F1DF2E3BC71DB0EDCE0360665DC50D128C4DCF26F766AF5F933EB7DF48671DF70D3A5
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20191001234239..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 849224 ( NT 10.0.17134.0)..Host Application: powershell [environment]::OsVersion.Version.Major..Process ID: 4504..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191001234239..**********************..PS>[environment]::OsVersion.Version.Major..10..**********************..Command start time: 20191001234240..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20191001234240..**********************..

C:\Users\user\Documents\20191001\PowerShell_transcript.849224.M6r382jO.20191001234244.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 933
Entropy (8bit): 4.994495550558465
Encrypted: false
MD5: BF8428A8217D949A447407F91C3C1D2A
SHA1: F7AE750ADF0C7158826631323309BE1340E074D4
SHA-256: 0AE62D2BAFE9BC8A7051885D3AC942E810F4F7A5A2FF97F54890B8FB8149CD08
SHA-512: 51C5A6DCCADDB816A7222972ABC68B381914011D9BC3AB5AAECB18BC7BB8F3FE608C90ED6D8600D2043165BADBC8A56CB59C530AB318A1252661426D1DD53BE8
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20191001234245..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell [environment]::OsVersion.Version.Build..Process ID: 5028..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191001234245..**********************..PS>[environment]::OsVersion.Version.Build..17134..**********************..Command start time: 20191001234245..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20191001234245..**********************..

C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part
Process: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 8058744
Entropy (8bit): 7.528930784926416
Encrypted: false
MD5: 18B0139CA76E7447BC64F9A812F4A9F2
SHA1: 4B1163AC860F88696FFB54759E8DE9A5A581F878
SHA-256: 5E0590D6DCCC198B427C7C51CA5CC50448C2D4AAAE275322B1378D78058750E7
SHA-512: 9C22528A91835FA63DA8EDC334DC9AD3BB22CDDD17831F38CCC4A8A01A969DF8706C7B417FC5F2DD61F901F968A400D8ADE6C039080A06AD3E00B3815F39FD2A
Malicious: false
Antivirus: Virustotal, Detection: 1%; Metadefender, Detection: NaN%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... J...J...J .xJ...J .zJ...J .{J...J..K...J..K...Jq.K...J..K...J...J...J...J.. .J...J...J...J...J..K..J..vJ...J..K...JRich...J...... PE..L...... W...... 4...... %...... @...... 0...... V{...@...... (...(...... z...... 7...|..p...... P}...... `...@...... `...... text...v...... `.rdata...... @..@.data....#...... @....gfids..8...... @[email protected]...... @....rsrc...... @..@.reloc...... 8...... @..B......

C:\Windows\INF\oem3.inf
Process: C:\Windows\System32\drvinst.exe
File Type: Windows setup INFormation, ASCII text, with CRLF line terminators
Size (bytes): 3011
Entropy (8bit): 5.4894439301116105
Encrypted: false
MD5: DFF6F55358762EB9970450BE02DC316D
SHA1: 02B94313A3DAF5BA27BCC4FAEA0716A0F660086C
SHA-256: 01B2EB0F9C5E800981BA14668319B2A9B691DC208AE8079B0BD526E81931C7A0
SHA-512: E3258DE664A8B5377CF92EBCC92E58448C50685C279320EBC4A91774D0C4A78DA5E609110E462E48744A3558D9C1C9EEA202D3045967EEA00C3551B9C276641E
Malicious: false
Preview: ; fl2000.inf..; Fresco Logic Video Render Devices....[Version]..Signature="$WINDOWS NT$"..Class=AVClass..ClassGuid={E115CBB2-8F23-4BC3-9C78-DF56533EAAFB}..Provider=%FRESCO%..DriverVer=11/13/2017,2.1.34054.0..CatalogFile=fl2000.cat....[ClassInstall32]..Addreg=AVClassClassReg....[AVClassClassReg]..HKR,,,0,%ClassName%..HKR,,Icon,,-5....[Manufacturer]..%FRESCO%=FL2000, NTx86, NTamd64....[FL2000.NTx86]..%FL2000.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_2000 ; FL2000...%Lenovo.DeviceDesc%=FL2000_INSTALL, USB\VID_17EF&PID_7209 ; Lenovo...%NoBrand.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1FFE ; no brand..%Insignia.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1998 ; Insignia....[FL2000.NTAMD64]..%FL2000.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_2000 ; FL2000...%Lenovo.DeviceDesc%=FL2000_INSTALL, USB\VID_17EF&PID_7209 ; Lenovo...%NoBrand.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1FFE ; no brand..%Insignia.DeviceDesc%=FL2000_INSTALL, USB\VID_1D5C&PID_1998 ; Insignia....[FL2

C:\Windows\INF\oem4.inf
Process: C:\Windows\System32\drvinst.exe
File Type: Windows setup INFormation, ASCII text, with CRLF line terminators
Size (bytes): 2763
Entropy (8bit): 5.3909418897820816
Encrypted: false
MD5: BF0449963CB8E168DD7AA4BF41E444D7
SHA1: 7C22E1F94C4AE5334C0BEE70551B20BEE3C293FA
SHA-256: 55041093261C95AF4320610260C0B2FDB04D6113345EBFE4BB435038A21162AC
SHA-512: 90756D61A5E74A0AFED74E4EFB37C418CC4FBBE46D31341139EBBA205E08F6EC50DA3BC18F7C2C491ABB4B3DB9012386C69C3D64CCE9708896AC48D76232E3A1
Malicious: false
Preview: ;..;..;Module Name:..;..; lci_proxykmd.INF..;..;Abstract:..; Fresco Logic Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%FrescoLogic%..DriverVer=11/13/2017,2.1.34054.0..CatalogFile=lci_proxykmd.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxykmd.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxykmd.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxykmd.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxykmd.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxykmd.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1...... ;****************************************

C:\Windows\INF\oem5.inf
Process: C:\Windows\System32\drvinst.exe
File Type: Windows setup INFormation, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Size (bytes): 4640
Entropy (8bit): 3.7942199187916312
Encrypted: false
MD5: 67F83C75FF60B98155B0A34403B5375F
SHA1: 9328342CF3E5994E24BB0C09FBD875141BEF3984
SHA-256: A36EC56FA17F39A2C4BA9441960E971CF3C1FFFCDC437746C7AA58BBF01DC8B9
SHA-512: 1D7748BAFA1C8BD6A33B90309D884C9B701BF6B15225EC0623489F64627AA6834260F26FBB2C8921D27B773A7567D7A16BAFB205DB927B2BE4D929F88B32F907
Malicious: false
Preview: ..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .f.r.e.s.c.o._.i.d.d.c.x...I.N.F.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .F.L.2.0.0.0. .U.M.D.F.2. .D.r.i.v.e.r.....;...... [.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.F.R.E.S.C.O.%.....C.a.t.a.l.o.g.F.i.l.e.=.f.r.e.s.c.o._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.1./.1.3./.2.0.1.7.,.2...1...3.4.0.5.4...0...... [.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f...... [.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,...... [.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,...... [.S.

C:\Windows\System32\DriverStore\FileRepository\fl2000.inf_amd64_c6887e95b10ab4f4\FL2000.PNF
Process: C:\Windows\System32\msiexec.exe
File Type: data
Size (bytes): 10612
Entropy (8bit): 3.617794998295327
Encrypted: false
MD5: DC87E6C689D06AA81B21C26F0A0AF6D2
SHA1: 0C75134A4EBF26EDFA2B90A4C725B98348BBD669
SHA-256: D44A66D28027C343862CD87429DDFED9BE3FD8B83A88F40B9BE63893A614876F
SHA-512: CDC663D098B4AC8F6F2BBE415F44DCBDA72B57D8DD0273873B35987583D2DBD03AA6DB262E6E2F563513989B21E2505B525F1B2E08D311A561DC745C8434E785
Malicious: false
Preview: ...... 0...@...... d...... p...... @ ...... "..<...0&..h...... p)...... C.:.\.W.i.n.d.o.w.s.....H...... L...... X...... \...... X...... P...... $...,...... $...... T...... `...$...... 0...... p...... ,...... X......

C:\Windows\System32\DriverStore\FileRepository\fresco_iddcx.inf_amd64_c0a96d9de0966939\fresco_iddcx.PNF
Process: C:\Windows\System32\msiexec.exe
File Type: data
Size (bytes): 8932
Entropy (8bit): 3.5501198148217403
Encrypted: false
MD5: 19A14D3BFC8DF15410E306752B63A925
SHA1: 9F815DD25E3BABAB71EB5FB04F7856E12BF706EA
SHA-256: CE1ED98531F9371B20CA71E8F4F1464CAD8DD187BF5C44B9C340D3DA628B826C
SHA-512: 1ECFC9930AA1BA8B853B91DEE4333CF23B3B7204DCD04650E7DA347F50351F0D5427B1F6BD04F7A5D436DCAEDAA7C8F7B73D4E275FE64C18AE7CF0344C1B4388
Malicious: false
Preview: ...... V...... d...... ,...... h...p...... `...<...... h...... "...... C.:.\.W.i.n.d.o.w.s...... H...... L...... P...... H...... 0...... H...... ,...... X...... d...... x...... |...... h...... d...... 8......

C:\Windows\System32\DriverStore\FileRepository\lci_proxykmd.inf_amd64_ace2d311f3c3f377\lci_proxykmd.PNF
Process: C:\Windows\System32\msiexec.exe
File Type: data
Size (bytes): 8884
Entropy (8bit): 3.523031770536457
Encrypted: false
MD5: 586215775EDC09FEF6C3E025B1957ECB
SHA1: 718A04EEE4A82A7319535386BAE97C692282A09A
SHA-256: 592829A93080EEFE55EF92B1A21B1C9BAFF68BE18950CC4ED1777678330846A5
SHA-512: 60D9B4455B3700561171A6533760EA58BC7785B93EBF0AEE55AFD56FBFC31697D0823F9505841F31CB40C0D6DDE86E77705B35448D08BE245B77CC87148E404B
Malicious: false
Preview: ...... :...... -.d...... |...P...... p...... h...... "...... C.:.\.W.i.n.d.o.w.s...... 0...... |...... @...... 8...... T...... 8...... $...... t...... @......

C:\Windows\System32\DriverStore\Temp\{5d6eda63-4f2e-2747-be59-f0c8bbf28937}\SET4620.tmp
Process: C:\Windows\System32\drvinst.exe
File Type: data
Size (bytes): 67726
Entropy (8bit): 6.554047673232434
Encrypted: false
MD5: 355908AA428E5895FA72CAF392353685
SHA1: E2050E601EBA93BA3C95DCD69FCD431ADE3D3FA8
SHA-256: 080ACA40E67E725A2432F9B545EA91F22C44C07D1895CF522CEE12609CB43FBE
SHA-512: CEF6892913BA3AE2F968DA04334A9F1ED3B15DE23A344E6D039C9805EA6B27C65F357F1D4FD5BC989C640F738F65D1B66BAEA9B3E6298D8B954A84BF82315A94
Malicious: false
Preview: 0.#...*.H...... #.0.#....1.0...+...... 0.....+.....7...... 0...0...+.....7...... q.n.C...a..I..171123030418Z0...+.....7.....0...0....R5.8.4.4.0.9.C.8.A.7.2.4.2.E.9.F.2.6.6.2.F.C.5.C.5.9.2.2.4.C.4.F.2.2.D.F.4.9.E.6...1..S0D..+.....7...1604...F.i.l.e...... "f.r.e.s.c.o._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...... 0!0...+...... XD..$..&b.\Y"LO".I.0X..+.....7. ..1J0H...O.S.A.t.t.r...... 22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.9.6.1.7.B.4.5.3.F.3.B.1.4.C.E.8.D.9.F.7.7.A.4.A.2.2.9.8.F.C.E.3.C.8.E.5.F.7.1...1..S0D..+.....7...1604...F.i.l.e...... "f.r.e.s.c.o._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...... 0!0...+...... ya{E?;...w..)..<._q0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R9.3

C:\Windows\System32\DriverStore\Temp\{a5e89f35-fa15-974e-baa9-dcd2ccf0ff5c}\x64\SET2A3B.tmp
Process: C:\Windows\System32\drvinst.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Size (bytes): 2481854
Entropy (8bit): 7.602212707569997
Encrypted: false
MD5: 42F05B2900DC899718655B705ED8B8AE
SHA1: F852FFAFEEF8159DEB44457800026F8F3ED21A38
SHA-256: 7A8B3773280B208983C6B04DB4CEA4DF3F4900D85E831DA73FC61716B1A93941
SHA-512: C5FD117E1BAF667155BA609DE8F8909316EAC7AFF963CF732E38161766A3971CF3E140FDD5FEFA8E5910215A28758D346F9DF4B603AE6BBD14B9A1DD1F9DFC4D
Malicious: false
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... j...j...j...7...j....I..j...j..j...7..j...7..j...7..j..b4..j..g4...j..b4..j..Rich.j...... PE..d...... Z...... "...... >...... @...... @...... o.....`...... P...... ?...... [email protected]...... 8...... x...... text...... h.rdata...... @..H.data...... @....pdata...... f...... @..H.gfids...... t...... @..HPAGE.....!...... "...v...... `INIT....V...... b.rsrc....?...... @...... @..H.reloc..D....0...... @..B......

C:\Windows\System32\DriverStore\Temp\{fbab5bd5-88c7-fc4a-a8b6-0ba5d13e9c56}\x64\SET39FB.tmp
Process: C:\Windows\System32\drvinst.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 437126
Entropy (8bit): 6.536954162154328
Encrypted: false
MD5: 0D8EB354F5A1FDAB6D80DF304EDE7705
SHA1: 3404818E4E9DF8EE29E2FC1BE96B374B325A5DB9
SHA-256: 44F33D41B1C876920C645C873F554EFF039FB2CBF9D317DFE4C85C6BE700D11E
SHA-512: 03416C43C2B305BE4567DD3E8CF4152515BCA8AC582C53C7782337A5B1C95C39D21D96F7EFD9DA5B3B2A919A6FD17F780C999E0263A4C6EF7DA91581F3E41D7F
Malicious: false
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v .X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X...... PE..L...... Z...... !.....6...... P...... 0...... e)....@...... <...... @...... 8...... @...... P..$...... text....5...... 6...... `.rdata..bw...P...x...:...... @..@.data...... @....gfids...... @..@.rsrc...... @..@.reloc...... @..B......

C:\Windows\System32\catroot2\dberr.txt
Process: C:\Windows\System32\drvinst.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 77
Entropy (8bit): 4.90142700891427
Encrypted: false
MD5: D3106653C959EF9B72DB13AAF72C8F75
SHA1: F16E35EF885CC682AC98E4BB8CC713892195E7FB
SHA-256: FCF6FFF6C532F5A6AB65F41EDD23D5B5C05D517A2549CAC8A29B133462A59241
SHA-512: 7C86A825D0A42A67306EAB9E42F402B762045C7BB63AB053ACB7F8285BF40466CAF04391DA1780E178653AA8F28397C7EAF7A36E1DEEDE50FD4A0FAC7110EA14
Malicious: false
Preview: CatalogDB: 11:42:34 PM 10/1/2019: DONE Adding Catalog File (62ms): oem5.cat..

C:\Windows\System32\flvga_tray.exe
Process: C:\Windows\System32\xcopy.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Size (bytes): 457336
Entropy (8bit): 5.091151163818643
Encrypted: false
MD5: 7B16174FF4C023F4A9DE26D7A6F678F8
SHA1: 816C598F031FC9A4BE18FB58B010EE9C19DCCA21
SHA-256: 9AB4B2CC06F425CDAB011E63793E1C1FEDA16352E5A607E5A6C45070AA4EBD53
SHA-512: 95E3E943FBDB792445D1F08FEA34E2E1DF0C3F6BAE0BB4D6A6FAB360EFE39872DF2A6E874652F42ADCFD3AB21268449CDA54C6106E7DBCD118C7886710466FC7
Malicious: true
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... bC...... ~...... ~...... ~...... f...... f...... ,...... )...... ,...... Rich...... PE..d...... Z...... "...... p...\...... Q...... @...... `...... V...... *...... <...... x@...... x....2..p...... @3...... text....o...... p...... `.rdata...... t...... @..@.data....$...p...... Z...... @....pdata..<...... j...... @..@.gfids...... @..@.rsrc....*...... ,...... @..@.reloc...... @..B......

\Device\Null
Process: C:\Windows\System32\sc.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 122
Entropy (8bit): 4.7381372398275685
Encrypted: false
MD5: 6BBCFD360C0797E6650F0D3CB1C36109
SHA1: E22B5F6A4654134D687A3908464E67FAA23D84FF
SHA-256: DF023CA139E8DCB21F0D4A603B34AF95F980C1E388C97E4735DD698D0329113C
SHA-512: 0281C1CC1B104C73F130068A905E37B75F3C3A40884D3E2CC421AEAF6A3C6B938393894FE750FA7DE44B9D0A25F9B3C11BB386FD133B3D710A549632ED9EA604
Malicious: false
Preview: [SC] EnumQueryServicesStatus:OpenService FAILED 1060:....The specified service does not exist as an installed service.....

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-us-west-2-w.amazonaws.com | 52.218.236.123 | true | false | | high
updates.frescologic.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exe | false | | high
updates.frescologic.com/FL2000_Updates.txt | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.co.uk/intl/en/about/products?tab=wh | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
www.google.co.uk/imghp?hl=en&tab=wi | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
updates.frescologic.com/FL2000/FL2000-2.1.33676.0.exe | FL2000-2.1.33676.0.exe, 00000000.00000003.1728523935.0000000003850000.00000004.00000001.sdmp, upd8D70.tmp.part.0.dr | false | | high
updates.frescologic.com/FL2000/FL2000-2.1.33581.0.exe | FL2000-2.1.33676.0.exe, 00000000.00000003.1728523935.0000000003850000.00000004.00000001.sdmp, upd8D70.tmp.part.0.dr | false | | high
updates.frescologic.com/FL2000/FL2000_Updates.txt | MSIfdca8.LOG.3.dr | false | | high
www.youtube.com/?gl=GB&tab=w1 | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | | high
ocsp.thawte.com0 | FL2000-2.1.33676.0.exe | false | Avira URL Cloud: safe; Google Safe Browsing: safe | unknown
www.advancedinstaller.com0 | FL2000-2.1.33676.0.exe | false | Avira URL Cloud: safe | unknown
www.yahoo.com | FL2000-2.1.33676.0.exe, FL2000-2.1.34054.0.exe | false | | high
www.google.co.uk/history/optout?hl=en | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
updates.frescologic.com/FL2000/FL2000-2.1.33788.0.exe | FL2000-2.1.33676.0.exe, 00000000.00000003.1728523935.0000000003850000.00000004.00000001.sdmp, upd8D70.tmp.part.0.dr | false | | high
schema.org/WebPage | tin8735.tmp.part.0.dr | false | | high
updates.frescologic.com/FL2000_Updates.txtZ | FL2000-2.1.33676.0.exe, 00000000.00000002.1787509187.0000000000B5A000.00000004.00000020.sdmp | false | | high
maps.google.co.uk/maps?hl=en&tab=wl | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
crl.thawte.com/ThawteTimestampingCA.crl0 | FL2000-2.1.33676.0.exe | false | | high
news.google.co.uk/nwshp?hl=en&tab=wn | FL2000-2.1.33676.0.exe, 00000000.00000003.1719923148.0000000000BF1000.00000004.00000001.sdmp, tin8735.tmp.part.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | low
https://www.thawte.com/cps0/ | msiexec.exe, 00000003.00000003.1976549560.000002F36865B000.00000004.00000001.sdmp, FL2000-2.1.33676.0.exe | false | | high
updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exel | FL2000-2.1.33676.0.exe, 00000000.00000003.1786634842.0000000000B8B000.00000004.00000001.sdmp | false | | high
updates.frescologic.com/FL2000/FL2000_Updates.txtf=g | msiexec.exe, 00000003.00000003.1976068161.000002F365F3A000.00000004.00000001.sdmp | false | | high
updates.frescologic.com/No_Updates.txt | MSIfdca8.LOG.3.dr | false | | high
https://www.thawte.com/r | msiexec.exe, 00000003.00000003.1976549560.000002F36865B000.00000004.00000001.sdmp | false | | high
https://www.thawte.com/repository0 | FL2000-2.1.33676.0.exe | false | | high
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.1909641456.00000266BC630000.00000004.00000001.sdmp, powershell.exe, 00000014.00000002.1927249131.00000240438BA000.00000004.00000001.sdmp | false | | high

Contacted IPs

[Map of contacted IPs; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs]

Public

| IP | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 52.218.236.123 | United States | | 16509 | unknown | false |

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.526448176341106
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Java Script embedded in Visual Basic Script (1500/0) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FL2000-2.1.33676.0.exe
File size: 8033240
MD5: 18d9da8e28b2704aaa5bba34cbdfc8f8
SHA1: 0390ec416d74502ec2acc920db132b4d3e8dd4af
SHA256: f1969b1ce2a8ed547348a4009ab3be4f4d97a4f2df6031ae5c1f62cc7d0b3278
SHA512: 0e3e00b29603e8d6af1a277154c42e526e103716b632602a38469fb8eee54ad8231bd710dcccab3386fff3c342213db891e8811f72d046b8d507885afc2101e7
SSDEEP: 98304:oXpTTfL5m2GMGSY5Ay5AfzCweiY5AgbrTRYXXzQHMcOloIJ11aSGfzFdL7AS7tVY:keTwe5ojMFU91PGpR7ASZVjbg
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... J...J ...J .xJ...J .zJ...J .{J...J...K...J...K...Jq..K...J...K...J...J...J.. .J...J...J...J...J...J...K...J..vJ...J...K...

File Icon

Icon Hash: 6969edc3919092e0

Static PE Info

General

Entrypoint: 0x43251d
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5787A993 [Thu Jul 14 15:02:43 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: a85d1ff8430aa5b4659e57bfe09aba1f

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 5/2/2016 5:00:00 PM
Not After: 5/8/2019 5:00:00 AM
Subject Chain: CN="Fresco Logic, Inc", O="Fresco Logic, Inc", L=Beaverton, S=Oregon, C=US, PostalCode=97005, STREET="Cascade Plaza West, Suite #230", STREET=12655 SW Center St, SERIALNUMBER=488117-98, OID.1.3.6.1.4.1.311.60.2.1.2=Oregon, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 0BB0573972CD0DE62A5C9C4F921B60C8
Thumbprint SHA-1: FA1FE90863B83057B61A8E4A099B95FF9A047014
Thumbprint SHA-256: E46211C5FEC1D1107FE59485CB4F70965BB5A28095FE5C336870F130B1A686C3
Serial: 0407B711F972C5DB5492D7A96D097D84

Entrypoint Preview

Instruction
call 00007F8A2892CD47h
jmp 00007F8A2892C623h
jmp dword ptr [0044B260h]
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 0044B5C0h
je 00007F8A2892C79Ch
push 0000000Ch
push esi
call 00007F8A2892C2EEh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F8A2892CE6Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F8A2892CE59h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push esi
push 00000017h
call 00007F8A28943455h
test eax, eax
je 00007F8A2892C797h
mov ecx, dword ptr [ebp+08h]
int 29h
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh
push esi
push eax
mov dword ptr [0045C334h], esi
call 00007F8A2892CE54h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp+00FFFD98h], cs

Rich Headers

Programming Language:
• [C++] VS2008 SP1 build 30729
• [RES] VS2015 UPD3 build 24213
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x59d28 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0xeb0c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x7a7178 | 0x2260 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6f000 | 0x37ec | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x57ce0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x57d50 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b560 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x260 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x5899c | 0x1c0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x49476 | 0x49600 | False | 0.571327326448 | data | 6.62273338447 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x4b000 | 0xfaca | 0xfc00 | False | 0.395352802579 | data | 4.84047386917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x5b000 | 0x23f4 | 0x1000 | False | 0.297119140625 | data | 3.28409806556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .gfids | 0x5e000 | 0x138 | 0x200 | False | 0.439453125 | data | 2.7504074177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0x5f000 | 0x9 | 0x200 | False | 0.033203125 | data | 0.0203931352361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x60000 | 0xeb0c | 0xec00 | False | 0.16791909428 | data | 4.07123777807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x6f000 | 0x37ec | 0x3800 | False | 0.774135044643 | data | 6.72409540312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| IMAGE_FILE | 0x607d0 | 0x6 | ISO-8859 text, with no line terminators | English | United States |
| IMAGE_FILE | 0x607d8 | 0x6 | ISO-8859 text, with no line terminators | English | United States |
| RTF_FILE | 0x607e0 | 0x2e9 | Rich Text Format data, version 1, ANSI | English | United States |
| RTF_FILE | 0x60acc | 0xa1 | Rich Text Format data, version 1, ANSI | English | United States |
| RT_ICON | 0x60b70 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 4294901760 | English | United States |
| RT_ICON | 0x64d98 | 0x25a8 | data | English | United States |
| RT_ICON | 0x67340 | 0x10a8 | data | English | United States |
| RT_ICON | 0x683e8 | 0x988 | data | English | United States |
| RT_ICON | 0x68d70 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_MENU | 0x691d8 | 0x5c | data | English | United States |
| RT_MENU | 0x69234 | 0x2a | data | English | United States |
| RT_DIALOG | 0x69260 | 0xac | data | English | United States |
| RT_DIALOG | 0x6930c | 0x2a6 | data | English | United States |
| RT_DIALOG | 0x695b4 | 0x3b4 | data | English | United States |
| RT_DIALOG | 0x69968 | 0xbc | data | English | United States |
| RT_DIALOG | 0x69a24 | 0x204 | data | English | United States |
| RT_DIALOG | 0x69c28 | 0x282 | data | English | United States |
| RT_DIALOG | 0x69eac | 0xcc | data | English | United States |
| RT_DIALOG | 0x69f78 | 0x146 | data | English | United States |
| RT_DIALOG | 0x6a0c0 | 0x226 | data | English | United States |
| RT_DIALOG | 0x6a2e8 | 0x388 | data | English | United States |
| RT_DIALOG | 0x6a670 | 0x1b4 | data | English | United States |
| RT_DIALOG | 0x6a824 | 0x136 | data | English | United States |
| RT_STRING | 0x6a95c | 0x45c | data | English | United States |
| RT_STRING | 0x6adb8 | 0x760 | data | English | United States |
| RT_STRING | 0x6b518 | 0x2f8 | data | English | United States |
| RT_STRING | 0x6b810 | 0x598 | data | English | United States |
| RT_STRING | 0x6bda8 | 0x3e8 | data | English | United States |
| RT_STRING | 0x6c190 | 0x7a6 | data | English | United States |
| RT_STRING | 0x6c938 | 0x746 | data | English | United States |
| RT_STRING | 0x6d080 | 0x7ba | data | English | United States |
| RT_STRING | 0x6d83c | 0x598 | data | English | United States |
| RT_STRING | 0x6ddd4 | 0x186 | data | English | United States |
| RT_GROUP_ICON | 0x6df5c | 0x4c | data | English | United States |
| RT_VERSION | 0x6dfa8 | 0x3ec | data | English | United States |
| RT_MANIFEST | 0x6e394 | 0x775 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |

Imports

DLL: KERNEL32.dll
Import: WideCharToMultiByte, MultiByteToWideChar, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateFileW, WriteFile, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemDirectoryW, LoadLibraryExW, FreeLibrary, lstrcmpiW, LeaveCriticalSection, EnterCriticalSection, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThreadId, DecodePointer, CloseHandle, GetShortPathNameW, CreateEventW, GetCurrentProcessId, GetCommandLineW, SetCurrentDirectoryW, CreateThread, WaitForSingleObject, SetEvent, GetDriveTypeW, GetFileAttributesW, SetFileAttributesW, CopyFileW, GetExitCodeThread, SetLastError, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, GetTempPathW, GetTempFileNameW, DeleteFileW, FindFirstFileW, FindNextFileW, FindClose, RemoveDirectoryW, CreateDirectoryW, GetLogicalDriveStringsW, GetFileSize, ReadFile, GetDiskFreeSpaceExW, GetEnvironmentVariableW, SetFilePointer, SetEndOfFile, InterlockedExchange, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, LoadLibraryW, GetSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, OutputDebugStringW, InitializeCriticalSection, GetLocalTime, FlushFileBuffers, MulDiv, TerminateThread, CreateNamedPipeW, ConnectNamedPipe, FormatMessageW, GetFileTime, GetStdHandle, GetStringTypeW, GetLocaleInfoA, MoveFileW, ResetEvent, GlobalFree, GetVersionExW, Sleep, GlobalLock, GlobalUnlock, GlobalAlloc, LocalFree, LocalAlloc, CompareFileTime, CopyFileExW, IsDebuggerPresent, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, GetACP, ExitProcess, GetModuleHandleExW, GetFileType, GetCPInfo, IsValidCodePage, GetOEMCP, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, LCMapStringW, FindFirstFileExW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW

Version Infos

LegalCopyright: Copyright (C) 2017 Fresco Logic
InternalName: FL2000-2.1.33676.0
FileVersion: 2.1.33676.0
CompanyName: Fresco Logic
ProductName: Fresco Logic USB Display Driver
ProductVersion: 2.1.33676.0
FileDescription: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.
OriginalFileName: FL2000-2.1.33676.0.exe
Translation: 0x0409 0x04b0

Possible Origin

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

Network Behavior

Network Port Distribution

Total Packets: 30
• 53 (DNS)
• 80 (HTTP)

TCP Packets


UDP Packets


DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Oct 1, 2019 23:41:47.103827000 CEST | 192.168.2.5 | 8.8.8.8 | 0x4bd7 | Standard query (0) | updates.frescologic.com | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Oct 1, 2019 23:41:47.140521049 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bd7 | No error (0) | updates.frescologic.com | updates.frescologic.com.s3.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 1, 2019 23:41:47.140521049 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bd7 | No error (0) | updates.frescologic.com.s3.amazonaws.com | s3-us-west-2-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 1, 2019 23:41:47.140521049 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bd7 | No error (0) | s3-us-west-2-w.amazonaws.com | | 52.218.236.123 | A (IP address) | IN (0x0001) |

HTTP Request Dependency Graph

updates.frescologic.com

HTTP Packets

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49706 | 52.218.236.123 | 80 | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe |

Timestamp: Oct 1, 2019 23:41:47.335124969 CEST, kBytes transferred: 14, Direction: OUT
GET /FL2000_Updates.txt HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: updates.frescologic.com
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: Oct 1, 2019 23:41:47.541160107 CEST, kBytes transferred: 15, Direction: IN
HTTP/1.1 200 OK
x-amz-id-2: 2mHk35QrvMo8QrX529LTqWsGjh8w0wlWTQkPorrH9ibr+IBdwDmCm3wM7ks1h6OprISYHwS0Ht8=
x-amz-request-id: 072ED7AF4B75252D
Date: Tue, 01 Oct 2019 21:41:48 GMT
Last-Modified: Thu, 23 Nov 2017 08:11:44 GMT
ETag: "54ab87d570346f70eae42abac0cee76b"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 1831
Server: AmazonS3

Timestamp: Oct 1, 2019 23:41:55.488755941 CEST, kBytes transferred: 18, Direction: OUT
GET /FL2000/FL2000-2.1.34054.0.exe HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: updates.frescologic.com
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: Oct 1, 2019 23:41:55.751820087 CEST, kBytes transferred: 18, Direction: IN
HTTP/1.1 200 OK
x-amz-id-2: 5NNnvGgMIblYHr1JJWLuRCaQ2wcLCiGU9Kr+PyyZy4BBlJfCuxZpno2EtFRrhsB5En8pabUX2tM=
x-amz-request-id: F607A3ACE05F00F1
Date: Tue, 01 Oct 2019 21:41:56 GMT
Last-Modified: Thu, 23 Nov 2017 08:11:20 GMT
ETag: "18b0139ca76e7447bc64f9a812f4a9f2"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 8058744
Server: AmazonS3

Code Manipulations

Statistics

Behavior

• FL2000-2.1.33676.0.exe
• FL2000-2.1.34054.0.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe
• drvinst.exe
• drvinst.exe
• drvinst.exe
• cmd.exe
• conhost.exe
• xcopy.exe
• cmd.exe
• powershell.exe
• cmd.exe
• powershell.exe
• flvga_tray.exe
• sc.exe
• sc.exe
• flvga_tray.exe
• flvga_tray.exe


System Behavior

Analysis Process: FL2000-2.1.33676.0.exe PID: 772 Parent PID: 3836

General

Start time: 23:41:44
Start date: 01/10/2019
Path: C:\Users\user\Desktop\FL2000-2.1.33676.0.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FL2000-2.1.33676.0.exe'
Imagebase: 0x9e0000
File size: 8033240 bytes
MD5 hash: 18D9DA8E28B2704AAA5BBA34CBDFC8F8
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

| Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|---|
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp | read attributes, synchronize, generic read | normal | synchronous io non alert, non directory file | success or wait | 1 | 9EB466 | GetTempFileNameW |
| | C:\Users | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local\Temp | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp.part | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | A048AD | CreateFileW |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | read attributes, synchronize, generic read | normal | synchronous io non alert, non directory file | success or wait | 1 | 9EB466 | GetTempFileNameW |
| | C:\Users | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 2 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 2 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local\Temp | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp.part | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | A048AD | CreateFileW |
| | C:\Users\user\Downloads | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 9EB8EE | CreateDirectoryW |
| | C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part | read attributes, synchronize, generic read, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | A048AD | CreateFileW |

File Deleted

| Source | File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp | success or wait | 1 | 9EB3FD | DeleteFileW |
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp | success or wait | 1 | 9FA1DD | DeleteFileW |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | success or wait | 1 | 9EB3FD | DeleteFileW |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | success or wait | 1 | 9F1CEC | DeleteFileW |

File Moved

| Source | Old File Path | New File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp.part | C:\Users\user\AppData\Local\Temp\tin8735.tmp | success or wait | 1 | A0468F | MoveFileW |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp.part | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | success or wait | 1 | A0468F | MoveFileW |
| | C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part | C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | success or wait | 1 | A0468F | MoveFileW |

File Written

| Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|---|---|
| | C:\Users\user\AppData\Local\Temp\tin8735.tmp.part | unknown | 279 | 3c 21 64 6f 63 74 79 61 2e 6f 72 67 2f 57 65 | | | | | |
| | C:\Users\user\Downloads\FL2000-2.1.34054.0.exe.part | unknown | 8192 | 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d0 ea e7 19 94 8b 89 4a 94 8b 89 4a 94 8b 89 4a 20 17 78 4a 9f 8b 89 4a 20 17 7a 4a 15 8b 89 4a 20 17 7b 4a 8c 8b 89 4a af d5 8a 4b 81 8b 89 4a af d5 8d 4b 80 8b 89 4a 71 d2 8c 4b 97 8b 89 4a af d5 8c 4b a7 8b 89 4a 9d f3 0a 4a 91 8b 89 4a 9d f3 1a 4a 97 8b 89 4a 9d f3 0d 4a 95 8b 89 4a 94 8b 88 4a 1a 8a 89 4a 06 d5 80 4b ca 8b 89 4a 06 d5 76 4a 95 8b 89 4a 06 d5 8b 4b 95 8b 89 | MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode....$...... J...J...J .xJ...J .zJ...J .{J...J...K...J...K...Jq..K...J...K...J...J...J...J...J...J...J...J...J...K...J..vJ...J...K... | success or wait | 1046 | A04563 | WriteFile |

File Read

| Source | File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe | unknown | 1024 | success or wait | 9 | A02295 | ReadFile |
| | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe | unknown | 74 | success or wait | 1 | A0232E | ReadFile |
| | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe | unknown | 24 | success or wait | 8 | 9EDDB7 | ReadFile |
| | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe | unknown | 16 | success or wait | 8 | 9EDE09 | ReadFile |
| | C:\Users\user\Desktop\FL2000-2.1.33676.0.exe | unknown | 1374 | success or wait | 1 | 9F8B8A | ReadFile |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | unknown | 4 | success or wait | 1 | 9F1A29 | ReadFile |
| | C:\Users\user\AppData\Local\Temp\upd8D70.tmp | unknown | 5 | success or wait | 1 | A063D7 | ReadFile |

Analysis Process: FL2000-2.1.34054.0.exe PID: 1704 Parent PID: 772

General

Start time: 23:42:04
Start date: 01/10/2019
Path: C:\Users\user\Downloads\FL2000-2.1.34054.0.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' /exenoupdates
Imagebase: 0xf20000
File size: 8058744 bytes
MD5 hash: 18B0139CA76E7447BC64F9A812F4A9F2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

| Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|---|
| | C:\Users\user\AppData\Local\Temp\shiD778.tmp | read attributes, synchronize, generic read | normal | synchronous io non alert, non directory file | success or wait | 1 | F301A4 | GetTempFileNameW |
| | C:\Users | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0 | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2ED43 | CreateFileW |
| | C:\Users | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 4 | F2B8EE | CreateDirectoryW |
| | C:\Users\user | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 5 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 4 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 5 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 5 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0 | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 5 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install | read data or list directory, synchronize | normal | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 4 | F2B8EE | CreateDirectoryW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2D94E | CreateFileW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2D94E | CreateFileW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028 | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2D94E | CreateFileW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052 | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2D94E | CreateFileW |
| | C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab | read attributes, synchronize, generic write | normal | synchronous io non alert, non directory file | success or wait | 1 | F2D94E | CreateFileW |

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\shiD778.tmp | success or wait | 1 | F304B0 | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph | success or wait | 1 | F2EDEB | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi | success or wait | 1 | F2DC91 | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi | success or wait | 1 | F2DC91 | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028 | success or wait | 1 | F2DC91 | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052 | success or wait | 1 | F2DC91 | DeleteFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab | success or wait | 1 | F2DC91 | DeleteFileW

File Written

Source File Path | Offset | Length | Value (leading bytes; full hex dump omitted) | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\shiD778.tmp | 0 | 524288 | 4d 5a 90 00 03 00 00 ... (MZ/PE image header) | MZ ... This program cannot be run in DOS mode ... Rich ... PE..d.. | success or wait | 8 | F301CE | CopyFileW
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi | unknown | 65536 | d0 cf 11 e0 a1 b1 1a e1 ... (OLE compound document header) | ...>... | success or wait | 19 | F2DB1D | WriteFile
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi | unknown | 65536 | d0 cf 11 e0 a1 b1 1a e1 ... (OLE compound document header) | ...>... | success or wait | 25 | F2DB1D | WriteFile
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028 | unknown | 57344 | d0 cf 11 e0 a1 b1 1a e1 ... (OLE compound document header) | ...>... | success or wait | 1 | F2DB1D | WriteFile
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052 | unknown | 57344 | d0 cf 11 e0 a1 b1 1a e1 ... (OLE compound document header) | ...>... | success or wait | 1 | F2DB1D | WriteFile
C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab | unknown | 65536 | 4d 53 43 46 00 00 00 ... (MSCF cabinet header) | MSCF ... FL2000.inf_1 ... fl2000.sys_2 ... WdfCoInstaller01011.dll_2 ... flvga_tray.exe_2 ... fl2000.sys_3 ... WdfCoInst | success or wait | 70 | F2DB1D | WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 1024 | success or wait | 7 | F42295 | ReadFile
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 74 | success or wait | 1 | F4232E | ReadFile
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 24 | success or wait | 8 | F2DDB7 | ReadFile
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 16 | success or wait | 8 | F2DE09 | ReadFile
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 1388 | success or wait | 1 | F38B8A | ReadFile
C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 65536 | success or wait | 115 | F2DAE6 | ReadFile
\ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Estimate_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 70 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 70 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 70 | F3FB14 | ReadFile
\ToServerAdvinst_Extract_C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | unknown | 32656 | success or wait | 1 | F3FB14 | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Caphyon | success or wait | 1 | F2F543 | RegCreateKeyW
HKEY_CURRENT_USER\Software\Caphyon\Setups | success or wait | 1 | F2F543 | RegCreateKeyW

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Caphyon\Setups | Advinst_33F2BA97D9B641EC8F11D6656BF35545 | unicode | C:\Users\user\Downloads\FL2000-2.1.34054.0.exe | success or wait | 1 | F2F561 | RegSetValueExW

Analysis Process: msiexec.exe PID: 4312 Parent PID: 1704

General

Start time: 23:42:06
Start date: 01/10/2019
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: /i 'C:\Users\user\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi' AI_SETUPEXEPATH='C:\Users\user\Downloads\FL2000-2.1.34054.0.exe' SETUPEXEDIR='C:\Users\user\Downloads\' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs '
Imagebase: 0x7ff65c2e0000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path | Completion | Count | Address | Symbol

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol

Source File Path | Offset | Length | Completion | Count | Address | Symbol

Registry Activities

Source Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol

Analysis Process: msiexec.exe PID: 4360 Parent PID: 1712

General

Start time: 23:42:08
Start date: 01/10/2019
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding C6444D21B09D0365D1AED66B8A4CA67A C
Imagebase: 0xc60000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: msiexec.exe PID: 2212 Parent PID: 1712

General

Start time: 23:42:23
Start date: 01/10/2019
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding EB421D04152A3CFE105606858778CD06
Imagebase: 0xc60000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path | Offset | Length | Completion | Count | Address | Symbol

Analysis Process: msiexec.exe PID: 396 Parent PID: 1712

General

Start time: 23:42:24
Start date: 01/10/2019
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\MsiExec.exe -Embedding 7A58AD71FC3DD6FEC788BA8C51E6D236
Imagebase: 0x7ff65c2e0000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path | Completion | Count | Address | Symbol

Analysis Process: msiexec.exe PID: 3828 Parent PID: 1712

General

Start time: 23:42:25
Start date: 01/10/2019
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\MsiExec.exe -Embedding 8569D3FC8CD9EF5D1052ECCA6FEE354C E Global\MSI0000
Imagebase: 0x7ff65c2e0000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol

Source File Path | Offset | Length | Completion | Count | Address | Symbol

Registry Activities

Source Key Path | Completion | Count | Address | Symbol

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol

Analysis Process: drvinst.exe PID: 4712 Parent PID: 700

General

Start time: 23:42:26
Start date: 01/10/2019
Path: C:\Windows\System32\drvinst.exe
Wow64 process (32bit): false
Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\FL2000.inf' '9' '40101c057' '0000000000000968' 'WinSta0\Default' '0000000000000BF8' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000'
Imagebase: 0x7ff77ae30000
File size: 166912 bytes
MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: drvinst.exe PID: 3928 Parent PID: 700

General

Start time: 23:42:30
Start date: 01/10/2019
Path: C:\Windows\System32\drvinst.exe
Wow64 process (32bit): false
Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd\lci_proxykmd.inf' '9' '4d9ccbb2f' '0000000000000BF8' 'WinSta0\Default' '0000000000000610' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\lci_proxykmd'
Imagebase: 0x7ff77ae30000
File size: 166912 bytes
MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: drvinst.exe PID: 1196 Parent PID: 700

General

Start time: 23:42:33
Start date: 01/10/2019
Path: C:\Windows\System32\drvinst.exe
Wow64 process (32bit): false
Commandline: DrvInst.exe '4' '1' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx\fresco_iddcx.inf' '9' '4d7097e0f' '0000000000000610' 'WinSta0\Default' '000000000000099C' '208' 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\fresco_iddcx'
Imagebase: 0x7ff77ae30000
File size: 166912 bytes
MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 4308 Parent PID: 1712

General

Start time: 23:42:36
Start date: 01/10/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\post_install.cmd''
Imagebase: 0x7ff7e9710000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: conhost.exe PID: 4660 Parent PID: 4308

General

Start time: 23:42:36
Start date: 01/10/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff642e80000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: xcopy.exe PID: 4496 Parent PID: 4308

General

Start time: 23:42:37
Start date: 01/10/2019
Path: C:\Windows\System32\xcopy.exe
Wow64 process (32bit): false
Commandline: xcopy /y /q .\fl2000\x64\flvga_tray.exe C:\Windows\System32\
Imagebase: 0x7ff7ef210000
File size: 47616 bytes
MD5 hash: 6BC7DB1465BEB7607CBCBD7F64007219
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: cmd.exe PID: 4628 Parent PID: 4308

General

Start time: 23:42:37
Start date: 01/10/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Major
Imagebase: 0x7ff7e9710000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powershell.exe PID: 4504 Parent PID: 4628

General

Start time: 23:42:37
Start date: 01/10/2019
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell [environment]::OsVersion.Version.Major
Imagebase: 0x7ff71c1f0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Analysis Process: cmd.exe PID: 2352 Parent PID: 4308

General

Start time: 23:42:44
Start date: 01/10/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c powershell [environment]::OsVersion.Version.Build
Imagebase: 0x7ff7e9710000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powershell.exe PID: 5028 Parent PID: 2352

General

Start time: 23:42:44
Start date: 01/10/2019
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell [environment]::OsVersion.Version.Build
Imagebase: 0x7ff71c1f0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Analysis Process: flvga_tray.exe PID: 4236 Parent PID: 3040

General

Start time: 23:42:48
Start date: 01/10/2019
Path: C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x86\flvga_tray.exe' i
Imagebase: 0x10e0000
File size: 431232 bytes
MD5 hash: 4D9DE5366E2CB20A68BAEDA9C4A8D05E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: sc.exe PID: 1836 Parent PID: 4308

General

Start time: 23:42:49
Start date: 01/10/2019
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc delete flxhciv
Imagebase: 0x7ff6d2080000
File size: 69120 bytes
MD5 hash: D79784553A9410D15E04766AAAB77CD6
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: sc.exe PID: 4056 Parent PID: 4308

General

Start time: 23:42:50
Start date: 01/10/2019
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc query ddmgr
Imagebase: 0x7ff6d2080000
File size: 69120 bytes
MD5 hash: D79784553A9410D15E04766AAAB77CD6
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: flvga_tray.exe PID: 4212 Parent PID: 4308

General

Start time: 23:42:50
Start date: 01/10/2019
Path: C:\Windows\System32\flvga_tray.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\flvga_tray.exe i
Imagebase: 0x7ff6cf9f0000
File size: 457336 bytes
MD5 hash: 7B16174FF4C023F4A9DE26D7A6F678F8
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection 0% (Virustotal); Detection 0% (Metadefender)

Analysis Process: flvga_tray.exe PID: 2232 Parent PID: 3040

General

Start time: 23:42:57
Start date: 01/10/2019
Path: C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Fresco Logic\Fresco Logic USB Display Driver\FL2000\x64\flvga_tray.exe' i
Imagebase: 0x7ff749630000
File size: 457336 bytes
MD5 hash: 7B16174FF4C023F4A9DE26D7A6F678F8
Has administrator privileges: false
Programmed in: C, C++ or other language

Disassembly

Code Analysis
