Malware Analysis Report

2025-03-15 06:52

Sample ID 231220-vsc44scggn
Target f3fc51b81b6e9977c700918fc2d0c3c1
SHA256 32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07
Tags orcus persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07

Threat Level: Known bad

The file f3fc51b81b6e9977c700918fc2d0c3c1 was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus

Orcus Rat Executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-20 17:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-20 17:14
Reported 2023-12-21 05:03
Platform win7-20231129-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus Rat Executable

Description Indicator Process Target
Six matches; the sandbox records no description, indicator, process or target for this signature.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\drivers = "\"C:\\Program Files (x86)\\drivers\\drivers.exe\"" C:\Program Files (x86)\drivers\drivers.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\drivers\drivers.exe C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A
File opened for modification C:\Program Files (x86)\drivers\drivers.exe C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A
File created C:\Program Files (x86)\drivers\drivers.exe.config C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Count
C:\Users\Admin\AppData\Roaming\drivers.exe 32
C:\Program Files (x86)\drivers\drivers.exe 32
(64 events in total, none with a description, indicator or target; after the first four the two processes alternate for the rest of the run.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\drivers\drivers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\drivers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\drivers.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\drivers\drivers.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\drivers\drivers.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2028 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe C:\Program Files (x86)\drivers\drivers.exe 4
PID 2304 wrote to memory of 2508 N/A C:\Program Files (x86)\drivers\drivers.exe C:\Users\Admin\AppData\Roaming\drivers.exe 4
PID 2476 wrote to memory of 2512 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\drivers\drivers.exe 4
PID 2508 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\drivers.exe C:\Users\Admin\AppData\Roaming\drivers.exe 4

Each pair is a parent writing into a child it has just started, matching the process list below: the original sample (2028) starts the Program Files copy (2304), which starts the Roaming guard copy (2508), which in turn starts a second Roaming copy (2488), consistent with the /launchSelfAndExit switch in the captured command lines. The fourth pair is taskeng.exe (2476), the Windows 7 Task Scheduler engine, starting another Program Files copy (2512); the report contains no task-creation event, so how that task was registered is not visible here.

Processes

C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe

"C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CAADF37A-15A3-4AFE-A0F2-B091B635FCF3} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\drivers.exe

"C:\Users\Admin\AppData\Roaming\drivers.exe" /watchProcess "C:\Program Files (x86)\drivers\drivers.exe" 2304 "/protectFile"

C:\Program Files (x86)\drivers\drivers.exe

"C:\Program Files (x86)\drivers\drivers.exe"

C:\Users\Admin\AppData\Roaming\drivers.exe

"C:\Users\Admin\AppData\Roaming\drivers.exe" /launchSelfAndExit "C:\Program Files (x86)\drivers\drivers.exe" 2304 /protectFile

C:\Program Files (x86)\drivers\drivers.exe

"C:\Program Files (x86)\drivers\drivers.exe"

Network

Country Destination Domain Proto Count
N/A 192.168.0.104:10134 N/A tcp 7
N/A 127.0.0.1:10134 N/A tcp 6

Both destinations use the same TCP port. 192.168.0.104 is an RFC 1918 private address and 127.0.0.1 is loopback, so the controller this build was configured for is not reachable from the sandbox and neither address is usable as a network indicator outside the environment it was built for; only the port, 10134, carries over, and a port alone is a weak indicator.
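The Run key, the WriteProcessMemory parent/child pairs, the guard command lines in the process list and the 10134/tcp connections above together describe one detectable pattern. The following Python is an added example, not part of the sandbox report or of Orcus itself: it encodes those indicators as three rules and runs them over constructed Sysmon-style event records. Field names follow Sysmon's ProcessCreate (EventID 1), RegistryValueSet (13) and NetworkConnect (3) events; the SAMPLE_EVENTS records are made up to mirror the behavioral1 process tree, and the parse_watchdog_cmdline, detect and implicated_pids names are this example's own.

```python
"""Rules for the Orcus guard/persistence pattern in this report, run over
constructed Sysmon-style events. Added example, not sandbox or Orcus code."""
import re

# Indicators copied from the report's signature tables and process list.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\drivers"
PERSIST_IMAGE = r"c:\program files (x86)\drivers\drivers.exe"
RAT_PORT = 10134

# Guard command lines as captured in the process list:
#   ... /watchProcess "<image>" <pid> "/protectFile"
#   ... /launchSelfAndExit "<image>" <pid> /protectFile
WATCHDOG_RE = re.compile(
    r'/(watchProcess|launchSelfAndExit)\s+"(?P<image>[^"]+)"\s+(?P<pid>\d+)\s+"?/protectFile"?',
    re.IGNORECASE,
)


def parse_watchdog_cmdline(cmdline):
    """Return (mode, guarded_image, guarded_pid) when the command line carries
    the guard switches, otherwise None."""
    m = WATCHDOG_RE.search(cmdline)
    if m is None:
        return None
    return m.group(1).lower(), m.group("image"), int(m.group("pid"))


def detect(events):
    """Apply three rules to Sysmon-like records (EventID 1 ProcessCreate,
    13 RegistryValueSet, 3 NetworkConnect) and return the findings in order."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1:
            parsed = parse_watchdog_cmdline(e.get("CommandLine", ""))
            if parsed:
                mode, image, pid = parsed
                parent = by_pid.get(e.get("ParentProcessId"))
                findings.append({
                    "rule": "orcus_guard_cmdline",
                    "pid": e["ProcessId"],
                    "mode": mode,
                    "guarded_pid": pid,
                    # True when the guarded PID is the spawning parent, i.e. the
                    # payload launched its own watchdog (2304 -> 2508 above).
                    "guards_parent": bool(parent and pid == parent["ProcessId"]
                                          and parent["Image"].lower() == image.lower()),
                })
        elif eid == 13:
            target = e.get("TargetObject", "").lower()
            if target.endswith(RUN_KEY_SUFFIX) and PERSIST_IMAGE in e.get("Details", "").lower():
                findings.append({"rule": "run_key_drivers_persistence",
                                 "pid": e.get("ProcessId"), "value": e["Details"]})
        elif eid == 3:
            if e.get("Protocol") == "tcp" and e.get("DestinationPort") == RAT_PORT:
                findings.append({"rule": "rat_port_connect", "pid": e.get("ProcessId"),
                                 "dst": "%s:%d" % (e["DestinationIp"], RAT_PORT)})
    return findings


def implicated_pids(findings):
    """Every PID that fired a rule plus every PID a guard was protecting."""
    pids = set()
    for f in findings:
        pids.add(f["pid"])
        pids.add(f.get("guarded_pid", f["pid"]))
    return sorted(pids)


# Constructed records mirroring the behavioral1 tree (PIDs, paths and the Run
# key come from the report; the event records themselves are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2304, "ParentProcessId": 2028,
     "Image": r"C:\Program Files (x86)\drivers\drivers.exe",
     "CommandLine": r'"C:\Program Files (x86)\drivers\drivers.exe"'},
    {"EventID": 13, "ProcessId": 2304,
     "TargetObject": r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\drivers",
     "Details": r'"C:\Program Files (x86)\drivers\drivers.exe"'},
    {"EventID": 1, "ProcessId": 2508, "ParentProcessId": 2304,
     "Image": r"C:\Users\Admin\AppData\Roaming\drivers.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\drivers.exe" /watchProcess '
                    r'"C:\Program Files (x86)\drivers\drivers.exe" 2304 "/protectFile"'},
    {"EventID": 3, "ProcessId": 2304, "Protocol": "tcp",
     "DestinationIp": "192.168.0.104", "DestinationPort": 10134},
    # Benign noise that must not fire.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "ProcessId": 3000, "Protocol": "udp",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("implicated PIDs:", implicated_pids(hits))
```

The guard rule is the strongest of the three because the switch names and the quoted-path/PID/protectFile shape are specific to this family; the Run key rule keys on the value name and image path seen in both detonations, and the port rule is included only because the controller address itself is unusable.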

Files

Dropped files

C:\Program Files (x86)\drivers\drivers.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

\??\c:\program files (x86)\drivers\drivers.exe

MD5 47a9df877596c4ef5c15c2d8a01fb1d8
SHA1 5716cf5a15e0b0c65895c98ee25b44713c6caed8
SHA256 5ef6b54d2d47a2fb079d63da0e80e22872c457b04ca81e050e256ec0e8155a10
SHA512 2828744528386d4108217d2e69e68e2b0e699bd3a19749b7de4127267d1d4647ec99648f1b3a1d3838b5a2a815ef874ef468437f0459ba5aacc0f44e0a8558d6

C:\Users\Admin\AppData\Roaming\drivers.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Program Files (x86)\drivers\drivers.exe

MD5 f03bb21c62e882add43fbe213c6aa017
SHA1 d08c5d0833bd3c84f7ab0ad9c60964581726717c
SHA256 750e210be4a016904c5784fb79d9beb2e4310dd1fa657b42a27bb16eb74a8c5b
SHA512 247f6b4df9d1e322f1dd3d194eb254a11e57e3eafd4d6e756e3e20b7132502b08a8fec4175423045e172fa81ad7f4f0cde2651cc5465b9e071daff49803c8099

C:\Program Files (x86)\drivers\drivers.exe

MD5 953727cb5b1e3c455d33207ae2c32dd1
SHA1 1630992364d5b062e392d5f70c62b7ad4ffe7e69
SHA256 48deb466e564ae44198d5e1707b5932d3a85f856615285138aefcaed39e0f1ba
SHA512 a817ca44bf7d628823acb10b0fdf599baa4f70086d33aeed0e5282264376f18abfa9fc0dd8c769ace976d19be56de4338c45ece4f9274361b2f2d079b4885edb

C:\Program Files (x86)\drivers\drivers.exe

MD5 c9d79cdf24828d72e70013ab6c8a0d01
SHA1 38e924619af7329edebea93a7baa4dc7a8636bf8
SHA256 97f6e514008a4dfdfeebfe6a673f74a52ab7050b258cd8c60d81e469795af444
SHA512 5f3cc49893c197209f2e6bb073ce70f9bdf8597513897b1673074f1a79c94feae58ee9dad20625b84b73078d2850a6eac178150df9eaba6e5842efd027f74a10

\Program Files (x86)\drivers\drivers.exe

MD5 808beddc27b8ff909a70a5c4d4a66f8b
SHA1 2f477ffbefac2d7183ad69c9d0a119a5c9f639f5
SHA256 5ccc721f2da540d70b1adec40913db367fef5d057b36bffdad25e2cc09e9079d
SHA512 f089f5cba515c32358ecaa688d9e633f5b98dec14067a30e532b8a79fd0b6a0a103e364864df9a268fd31b7326dec230a3630746f42a31a21aa61c0e34eba41b

The sandbox captured the Program Files drivers.exe five times under three spellings of the same path (Win32, NT \??\ and drive-less), each with a different hash, and the "Drops file in Program Files directory" signature shows the sample opening it for modification after creating it. The file is rewritten in place during the run, so none of those five hashes is a reliable blocking indicator; the guard copy in AppData\Roaming and the .config file were captured once each.

Memory dumps (named process PID, capture sequence, address range)

memory/2028-0-0x0000000000AF0000-0x0000000000F40000-memory.dmp
memory/2028-1-0x0000000000AF0000-0x0000000000F40000-memory.dmp
memory/2028-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2028-3-0x0000000005780000-0x00000000057C0000-memory.dmp
memory/2028-5-0x0000000005230000-0x000000000528C000-memory.dmp
memory/2028-4-0x0000000002430000-0x000000000243E000-memory.dmp
memory/2028-7-0x0000000002650000-0x0000000002658000-memory.dmp
memory/2028-20-0x0000000000AF0000-0x0000000000F40000-memory.dmp
memory/2028-22-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2304-24-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2304-26-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2304-27-0x0000000005920000-0x0000000005960000-memory.dmp
memory/2304-25-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2304-28-0x0000000003020000-0x000000000306E000-memory.dmp
memory/2304-19-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2304-29-0x0000000002EB0000-0x0000000002EC8000-memory.dmp
memory/2304-30-0x0000000003070000-0x0000000003080000-memory.dmp
memory/2508-41-0x0000000000990000-0x0000000000998000-memory.dmp
memory/2508-45-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2512-47-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2512-49-0x0000000000F20000-0x0000000000F60000-memory.dmp
memory/2512-48-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2488-46-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2512-42-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2028-18-0x0000000006450000-0x00000000068A0000-memory.dmp
memory/2028-6-0x0000000002530000-0x0000000002542000-memory.dmp
memory/2512-51-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2512-52-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2304-53-0x00000000001D0000-0x0000000000620000-memory.dmp
memory/2304-55-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2488-56-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2508-57-0x00000000744D0000-0x0000000074BBE000-memory.dmp

The 0x00AF0000-0x00F40000 range in the original sample (2028) and the 0x001D0000-0x00620000 range in both Program Files copies (2304, 2512) are each 0x450000 bytes, the same main-image size, as expected for a copy of the sample; those are the dumps to start from when unpacking. The 0x744D0000-0x74BBE000 range recurs in every process in the tree and is a module they all load rather than payload memory.

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-20 17:14
Reported 2023-12-21 05:03
Platform win10v2004-20231215-en
Max time kernel 150s
Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus Rat Executable

Description Indicator Process Target
Seven matches; the sandbox records no description, indicator, process or target for this signature.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\drivers\drivers.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\drivers.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drivers = "\"C:\\Program Files (x86)\\drivers\\drivers.exe\"" C:\Program Files (x86)\drivers\drivers.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\drivers\drivers.exe C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A
File opened for modification C:\Program Files (x86)\drivers\drivers.exe C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A
File created C:\Program Files (x86)\drivers\drivers.exe.config C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process Count
C:\Users\Admin\AppData\Roaming\drivers.exe 32
C:\Program Files (x86)\drivers\drivers.exe 32
(64 events in total, none with a description, indicator or target; after the first six the two processes alternate for the rest of the run.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\drivers\drivers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\drivers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\drivers.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\drivers\drivers.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\drivers\drivers.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe

"C:\Users\Admin\AppData\Local\Temp\f3fc51b81b6e9977c700918fc2d0c3c1.exe"

C:\Users\Admin\AppData\Roaming\drivers.exe

"C:\Users\Admin\AppData\Roaming\drivers.exe" /launchSelfAndExit "C:\Program Files (x86)\drivers\drivers.exe" 4288 /protectFile

C:\Users\Admin\AppData\Roaming\drivers.exe

"C:\Users\Admin\AppData\Roaming\drivers.exe" /watchProcess "C:\Program Files (x86)\drivers\drivers.exe" 4288 "/protectFile"

C:\Program Files (x86)\drivers\drivers.exe

"C:\Program Files (x86)\drivers\drivers.exe"

C:\Program Files (x86)\drivers\drivers.exe

"C:\Program Files (x86)\drivers\drivers.exe"

Network

Country Destination Domain Proto Count
US 138.91.171.81:80 N/A tcp 1
N/A 192.168.0.104:10134 N/A tcp 6
N/A 127.0.0.1:10134 N/A tcp 6
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp 1
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp 1
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp 1

The 10134/tcp traffic is the same as in the Windows 7 run: a private address and loopback, so the controller this build was configured for is not reachable from the sandbox. The 8.8.8.8 queries are reverse-DNS (PTR) lookups; the report does not tie them, or the single 138.91.171.81:80 connection, to a process, so neither can be attributed to the sample from this page alone.

Files

Dropped files

C:\Program Files (x86)\drivers\drivers.exe

MD5 bd2ac4f02dfd088493362e52424baf20
SHA1 1da98f0937801507e4e9dec23246f297a2880211
SHA256 f4f5fad77f79257190acc65d24bc53cef01b98c77a47a98f0654a15c4cdaf172
SHA512 0adc68d1286909e0be0b0c8ed164ccc7779b62f2cd5435633ee9adfe9c54f32957463b2ffe479a511ee8c2621c706c71e002011f9bea66ae62424e7dbfce2351

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\drivers.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

C:\Users\Admin\AppData\Roaming\drivers.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Roaming\drivers.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files (x86)\drivers\drivers.exe

MD5 121fe06764b82a7bfaf877942359f5b9
SHA1 7f6785accfc03eac8e5b54a5abff2c2784eee051
SHA256 f9ae45c171ea3c3688c1348fc6f1aee63576838f3bd34e5543eed53218cbeca9
SHA512 f2aa83150ad6d004dcea125d3499584b48fa68ad1f7737b9740820ad2412113c6e09a1e2b4b50bbc56c506e6c30b882b87ed8e1ddb53afe3b38abf1fbeb388e9

\??\c:\program files (x86)\drivers\drivers.exe

MD5 c4cf8599b58f48d0d7aeb7beacfb35cb
SHA1 6c6a536fb235f5c29c5de19cce53d6eb38ef82d4
SHA256 d43f5bc5e330e77e07b0abfb7d74ba954cd0823f357ea811af77983d33d2511b
SHA512 dd8f2f647b3cd7b80068d7b513d0d9f686487907a39d8d025c9d9dcaecf9a0205d0d9e1d5de9b87d74c4f77d9445fad31472cb188b5cafeb2ec51f186f0916bc

C:\Program Files (x86)\drivers\drivers.exe

MD5 e1cb72510ea79e8323e5b9a6262b0eb4
SHA1 c041525c21a305e0735a5f62bcfe51ad265eff76
SHA256 0e19350313f4ea941adba2b3691ab36a7c6e46daa86c08092599b02443a812ef
SHA512 8f4c19cc43ba70d292df697d95941868a3cf0d969b277dbc34e4b292e55447086355b12a9ae16fd5650914d6bd8f1aadb646939287cabb62476427076c1f4577

As in the Windows 7 run, the Program Files drivers.exe was captured several times (four here) with a different hash each time, while the Roaming drivers.exe has the same hash in both detonations and the Roaming .config is byte-identical to the Program Files .config from the Windows 7 run. The usage log under CLR_v4.0_32\UsageLogs is written by the 32-bit .NET Framework 4 runtime, which confirms drivers.exe is a managed assembly and can be examined with a .NET decompiler.

Memory dumps (named process PID, capture sequence, address range)

memory/4124-0-0x0000000000F20000-0x0000000001370000-memory.dmp
memory/4124-2-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4124-1-0x0000000000F20000-0x0000000001370000-memory.dmp
memory/4124-5-0x0000000005E80000-0x0000000005EDC000-memory.dmp
memory/4124-4-0x0000000003B80000-0x0000000003B8E000-memory.dmp
memory/4124-7-0x0000000006040000-0x00000000060D2000-memory.dmp
memory/4124-6-0x0000000006550000-0x0000000006AF4000-memory.dmp
memory/4124-3-0x0000000005F90000-0x0000000005FA0000-memory.dmp
memory/4124-9-0x0000000006020000-0x0000000006028000-memory.dmp
memory/4124-8-0x0000000005F80000-0x0000000005F92000-memory.dmp
memory/4124-27-0x0000000000F20000-0x0000000001370000-memory.dmp
memory/4288-30-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/4288-32-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/4288-31-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4288-33-0x00000000062B0000-0x00000000062C0000-memory.dmp
memory/4124-29-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4288-35-0x0000000006820000-0x000000000686E000-memory.dmp
memory/4288-34-0x0000000006350000-0x0000000006362000-memory.dmp
memory/4288-37-0x0000000006FD0000-0x0000000006FE8000-memory.dmp
memory/4288-39-0x0000000007160000-0x0000000007170000-memory.dmp
memory/2752-38-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/4288-40-0x0000000007390000-0x000000000739A000-memory.dmp
memory/4236-55-0x00000000000C0000-0x00000000000C8000-memory.dmp
memory/4236-56-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4236-60-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/2752-63-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/2752-64-0x0000000005770000-0x0000000005780000-memory.dmp
memory/2752-62-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/2900-61-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/2752-51-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4288-25-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/2752-66-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/2752-67-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4288-68-0x0000000000F90000-0x00000000013E0000-memory.dmp
memory/4288-70-0x0000000073F20000-0x00000000746D0000-memory.dmp
memory/4288-71-0x00000000062B0000-0x00000000062C0000-memory.dmp
memory/2900-73-0x0000000073F20000-0x00000000746D0000-memory.dmp

The 0x00F20000-0x01370000 range in the original sample (4124) and the 0x00F90000-0x013E0000 range in the Program Files copies (4288, 2752) are each 0x450000 bytes, the same main-image size seen on Windows 7; the 0x73F20000-0x746D0000 range recurs in every process and is a shared module, not payload memory.
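Both detonations drop the same set of files, but the Program Files copy of drivers.exe is reported under three spellings of its path with a different hash each time. The following Python is an added example, not something the sandbox produces: it folds the dropped-file entries from both Files tables (SHA256 values copied from this report) onto normalised paths and separates hashes that are stable across captures from those that change in place. The normalize_path, group_by_path, volatile_paths, stable_hashes and shared_content names are this example's own, and mapping a drive-less \Program Files (x86)\... path onto C: is an assumption.

```python
"""Turn this report's dropped-file hashes into usable IOCs. Added example;
the (path, SHA256) records are copied from the two Files tables above."""
from collections import defaultdict

DROPPED_FILES = [
    # behavioral1 (Windows 7)
    (r"C:\Program Files (x86)\drivers\drivers.exe.config",
     "f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839"),
    (r"\??\c:\program files (x86)\drivers\drivers.exe",
     "5ef6b54d2d47a2fb079d63da0e80e22872c457b04ca81e050e256ec0e8155a10"),
    (r"C:\Users\Admin\AppData\Roaming\drivers.exe",
     "8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a"),
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "750e210be4a016904c5784fb79d9beb2e4310dd1fa657b42a27bb16eb74a8c5b"),
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "48deb466e564ae44198d5e1707b5932d3a85f856615285138aefcaed39e0f1ba"),
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "97f6e514008a4dfdfeebfe6a673f74a52ab7050b258cd8c60d81e469795af444"),
    (r"\Program Files (x86)\drivers\drivers.exe",
     "5ccc721f2da540d70b1adec40913db367fef5d057b36bffdad25e2cc09e9079d"),
    # behavioral2 (Windows 10)
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "f4f5fad77f79257190acc65d24bc53cef01b98c77a47a98f0654a15c4cdaf172"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\drivers.exe.log",
     "34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb"),
    (r"C:\Users\Admin\AppData\Roaming\drivers.exe",
     "8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a"),
    (r"C:\Users\Admin\AppData\Roaming\drivers.exe.config",
     "f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839"),
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "f9ae45c171ea3c3688c1348fc6f1aee63576838f3bd34e5543eed53218cbeca9"),
    (r"\??\c:\program files (x86)\drivers\drivers.exe",
     "d43f5bc5e330e77e07b0abfb7d74ba954cd0823f357ea811af77983d33d2511b"),
    (r"C:\Program Files (x86)\drivers\drivers.exe",
     "0e19350313f4ea941adba2b3691ab36a7c6e46daa86c08092599b02443a812ef"),
]


def normalize_path(path):
    """Map the report's three spellings of a path onto one case-folded Win32 path."""
    p = path.strip()
    if p.startswith("\\??\\"):            # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "C:" + p                       # assumption: drive-less paths live on C:
    return p.lower()


def group_by_path(records):
    """Normalised path -> sorted list of the distinct SHA256 values seen there."""
    groups = defaultdict(set)
    for path, sha256 in records:
        groups[normalize_path(path)].add(sha256.lower())
    return {p: sorted(h) for p, h in groups.items()}


def volatile_paths(groups):
    """Paths whose content changed between captures: hash-blocking them is fragile."""
    return sorted(p for p, hashes in groups.items() if len(hashes) > 1)


def stable_hashes(groups):
    """SHA256 values that were the only content ever seen at their path."""
    return sorted({h[0] for h in groups.values() if len(h) == 1})


def shared_content(groups):
    """SHA256 -> paths, for content that was dropped at more than one location."""
    where = defaultdict(set)
    for path, hashes in groups.items():
        for h in hashes:
            where[h].add(path)
    return {h: sorted(p) for h, p in where.items() if len(p) > 1}


if __name__ == "__main__":
    g = group_by_path(DROPPED_FILES)
    print("volatile:", volatile_paths(g))
    print("stable IOCs:", stable_hashes(g))
    print("shared content:", shared_content(g))
```

Running it shows one volatile path (the Program Files drivers.exe, nine distinct hashes across the two runs), three stable hashes (the Roaming drivers.exe, the .config and the CLR usage log) and one piece of content dropped at two locations (the identical .config under Program Files and under Roaming). The stable hashes, the Run key value and the guard command-line switches are the indicators worth shipping; the nine Program Files hashes are not.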