blackmoon | cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213

Analysis

max time kernel
143s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll
Size

15.3MB
MD5

11de1dd85bc2d1d737518c1050b1e5de
SHA1

a6888520e043294c4735e688d2a880cbb0fae84e
SHA256

cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213
SHA512

28fcc63b7bf44847787f10d4d5a570a2c094bc51183a9621e8bbf5ea1a13471c8435b358d4c404a266a4b317bfb481495a8c73ceebe6a0bc08f541b32fc057df
SSDEEP

196608:0bPx/++HkUuicZHM0w+riPoDLNUMtBMO7NKWPUr9V5jABSuzYvZQaf+H2iIh2IkI:0b9zkPyU+PkrZnyp+8fjimkTVzS

Score

10^/10

blackmoon banker persistence trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2068-32-0x0000000002710000-0x0000000002A7C000-memory.dmp	family_blackmoon

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2068	rundll32.exe
4	2068	rundll32.exe
5	2068	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tmp.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\33ItC6E1\IMAGEPATH = "\\??\\C:\\Windows\\SysWOW64\\33ItC6E.sys"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RsdGbZ11\IMAGEPATH = "\\??\\C:\\Windows\\SysWOW64\\RsdGbZ1.sys"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012020-1.dat	acprotect
behavioral1/files/0x00070000000146ce-30.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2336	tmp.exe
2856	devcon.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	rundll32.exe
2068	rundll32.exe
2336	tmp.exe
2068	rundll32.exe
2068	rundll32.exe
2612	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012020-1.dat	upx
behavioral1/memory/2068-5-0x0000000002710000-0x0000000002A7C000-memory.dmp	upx
behavioral1/files/0x00070000000146ce-30.dat	upx
behavioral1/memory/2068-32-0x0000000002710000-0x0000000002A7C000-memory.dmp	upx
behavioral1/memory/2068-35-0x0000000000810000-0x000000000084E000-memory.dmp	upx
behavioral1/memory/2068-43-0x0000000000810000-0x000000000084E000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2068-14-0x0000000003FC0000-0x0000000004E25000-memory.dmp	vmprotect
behavioral1/memory/2068-16-0x0000000003FC0000-0x0000000004E25000-memory.dmp	vmprotect
behavioral1/memory/2068-37-0x0000000003FC0000-0x0000000004E25000-memory.dmp	vmprotect

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF355.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF375.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF355.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\boothmalthus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF375.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\SkinH_EL.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SkinH_EL.dll	rundll32.exe
File created	C:\Windows\SysWOW64\DrvInDll.dll	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\BoothMalthus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\BoothMalthus.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\33ItC6E.sys	rundll32.exe
File created	C:\Windows\SysWOW64\RsdGbZ1.sys	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF354.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF354.tmp	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2068	rundll32.exe
Token: SeDebugPrivilege	2068	rundll32.exe
Token: SeDebugPrivilege	2068	rundll32.exe
Token: SeLoadDriverPrivilege	2068	rundll32.exe
Token: SeLoadDriverPrivilege	2068	rundll32.exe
Token: SeLoadDriverPrivilege	2068	rundll32.exe
Token: SeSystemtimePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	2856	devcon.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	528	DrvInst.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe
Token: SeRestorePrivilege	844	rundll32.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2336	tmp.exe
2336	tmp.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe
2068	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2020 wrote to memory of 2068	2020	rundll32.exe	28
PID 2068 wrote to memory of 2336	2068	rundll32.exe	29
PID 2068 wrote to memory of 2336	2068	rundll32.exe	29
PID 2068 wrote to memory of 2336	2068	rundll32.exe	29
PID 2068 wrote to memory of 2336	2068	rundll32.exe	29
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2068 wrote to memory of 2612	2068	rundll32.exe	33
PID 2612 wrote to memory of 2856	2612	cmd.exe	35
PID 2612 wrote to memory of 2856	2612	cmd.exe	35
PID 2612 wrote to memory of 2856	2612	cmd.exe	35
PID 2612 wrote to memory of 2856	2612	cmd.exe	35
PID 528 wrote to memory of 844	528	DrvInst.exe	37
PID 528 wrote to memory of 844	528	DrvInst.exe	37
PID 528 wrote to memory of 844	528	DrvInst.exe	37

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cce6d94596c0bf65a1ccc09bd638ffecbd09b433e5417a51f2c3c032766cd213.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\Driver_Setup.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe
      devcon install BoothMalthus.inf "{B7696810-050E-4d2c-8D8F-C99735CB6998}\HID_DEVICE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2856

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7f40ee13-6330-5613-a60d-23167588bb19}\boothmalthus.inf" "9" "66a102943" "00000000000004A4" "WinSta0\Default" "00000000000004B0" "208" "c:\users\admin\appdata\local\temp\filedef2017f206\x64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{564a8467-194c-384c-0e40-205dc2137777} Global\{2e675e38-0eb5-345e-5823-2f21e496ee4e} C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\boothmalthus.inf C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\BoothMalthus.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEE28.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\BoothMalthus.inf

Filesize
3KB

MD5
776f3ea7afee2a21018ec6e46c8f1768

SHA1
761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

SHA256
fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

SHA512
671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\Driver_Setup.bat

Filesize
148B

MD5
97cf8bf0fc3f8f374d5be1252cfe14f2

SHA1
8be0e0eed3da8f9041319a2a9c1aa1093418fadd

SHA256
04b496ad848dc208ba978968540a944aa2f8979a549b8cd4d1a089f356ea16ee

SHA512
1a836b17e24b51ad32f7125cf6f6e4823b4dc7860b01b502b8f9a358f565e764f4ed08cdfd857e4b1b48e4db407282d42c7f2a64813bdbf2cd3f6bcd30f36f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\Driver_Setup.bat

Filesize
148B

MD5
97cf8bf0fc3f8f374d5be1252cfe14f2

SHA1
8be0e0eed3da8f9041319a2a9c1aa1093418fadd

SHA256
04b496ad848dc208ba978968540a944aa2f8979a549b8cd4d1a089f356ea16ee

SHA512
1a836b17e24b51ad32f7125cf6f6e4823b4dc7860b01b502b8f9a358f565e764f4ed08cdfd857e4b1b48e4db407282d42c7f2a64813bdbf2cd3f6bcd30f36f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe

Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
1.8MB

MD5
9c842288aefe97836f56d6b20b078ff8

SHA1
4c28b0112195a5181891022fd999fc8a6236a842

SHA256
8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

SHA512
4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEEA8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
1.6MB

MD5
8e17399c045f0e397c4611d4c9d33e02

SHA1
aac120429b61430ba2a3f618707cd6110604ceb8

SHA256
78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

SHA512
a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7F40E~1\BoothMalthus.sys

Filesize
30KB

MD5
f8bfa19db73f27dbd2446260367e8ec6

SHA1
077cba2260fec8b5ed78a95e07e42083d4c0e8fb

SHA256
fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

SHA512
817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7f40ee13-6330-5613-a60d-23167588bb19}\BoothMalthus.cat

Filesize
9KB

MD5
42ed8315f9e8f83ffaf05eff07f2c8cb

SHA1
f64a686f070d4fa771390af0f9588074ad74f7fb

SHA256
fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

SHA512
31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7f40ee13-6330-5613-a60d-23167588bb19}\boothmalthus.inf

Filesize
3KB

MD5
776f3ea7afee2a21018ec6e46c8f1768

SHA1
761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

SHA256
fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

SHA512
671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7f40ee13-6330-5613-a60d-23167588bb19}\boothmalthus.inf

Filesize
3KB

MD5
776f3ea7afee2a21018ec6e46c8f1768

SHA1
761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

SHA256
fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

SHA512
671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

Download Submit
C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\BoothMalthus.cat

Filesize
9KB

MD5
42ed8315f9e8f83ffaf05eff07f2c8cb

SHA1
f64a686f070d4fa771390af0f9588074ad74f7fb

SHA256
fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

SHA512
31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

Download Submit
C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF354.tmp

Filesize
9KB

MD5
42ed8315f9e8f83ffaf05eff07f2c8cb

SHA1
f64a686f070d4fa771390af0f9588074ad74f7fb

SHA256
fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

SHA512
31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

Download Submit
C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\SETF375.tmp

Filesize
30KB

MD5
f8bfa19db73f27dbd2446260367e8ec6

SHA1
077cba2260fec8b5ed78a95e07e42083d4c0e8fb

SHA256
fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

SHA512
817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

Download Submit
C:\Windows\System32\DriverStore\Temp\{0140a352-4835-2b52-94a1-0a4727eb6025}\boothmalthus.inf

Filesize
3KB

MD5
776f3ea7afee2a21018ec6e46c8f1768

SHA1
761d8bc0bd5c26c2a6b6bf52e1603c95893cd76b

SHA256
fb039a0d4a1a352d53b35572f0e1c5582ddc80736fcdc03197576c7254bd922e

SHA512
671c9f45c9afab432e0b6bbff011d94374ac33c4517fce0216b5de79f6a20c97e6aedcb217c75f70cc89ba17d798e48fa4bbdc28c49cd9b2665e3086b24afe4c

Download Submit
C:\Windows\Temp\CabF394.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarF3C6.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\c:\users\admin\appdata\local\temp\FILEDE~1\x64\BOOTHM~1.SYS

Filesize
30KB

MD5
f8bfa19db73f27dbd2446260367e8ec6

SHA1
077cba2260fec8b5ed78a95e07e42083d4c0e8fb

SHA256
fb1c659f19dadfa4a8f86f45674dc9f20153234d9271a24449997c43007203ac

SHA512
817c4f67bbbc621ee3a3b7686d2f7b3d64701cdfffe23b44cbd63131fa75e1b99bcd3cf8002a43e65ee1f963004c92de9942d507d7db9bc78f8648e12b14f5d6

Download Submit
\??\c:\users\admin\appdata\local\temp\filedef2017f206\x64\BoothMalthus.cat

Filesize
9KB

MD5
42ed8315f9e8f83ffaf05eff07f2c8cb

SHA1
f64a686f070d4fa771390af0f9588074ad74f7fb

SHA256
fdcf322c6ad729782b4cd954990c502e4b703f24c19146cdd078c2c0d7af764f

SHA512
31c93ef2cd67299073e9478ece83663c1fd2d7b3ebcbff762770e83260ca8951c16872f5f7fedab345ac184bfa5cb50dfd4b2dd93f6bd71a9b55c640cc296a88

Download Submit
\Users\Admin\AppData\Local\Temp\FileDef2017F206\x64\devcon.exe

Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
1.8MB

MD5
9c842288aefe97836f56d6b20b078ff8

SHA1
4c28b0112195a5181891022fd999fc8a6236a842

SHA256
8d048151cefb7b07d4b00704fcc858d22c7501d1692902ea363678ad50db603e

SHA512
4e20b932b11b0c5cbce221c1eb947e7b3ddb68d5ad9d5153c713e55d11dde7482ae3164d57b20b7c82015bfcdbcc6c2d579544b324ff3662e207185200172eb0

Download Submit
\Users\Admin\AppData\Local\Temp\load.dll

Filesize
2.2MB

MD5
abde7ddcc7dca86700ccf9fd3fc25b11

SHA1
e2fabf760f8558db2b2cfcd0fda66948e74e7839

SHA256
4caed7de787af5c26e5091a2733888d5af8605b5851c5f177273b452eb7b02c4

SHA512
a5f7e5e7315701e07b64f3e6a5b5623f9eb31de61ca0de53c0456ed202d341ca839f9e3c6eb41dbae5dd5ddba7d28cd263e3c76a48b53591ba2d5573fdca44a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
1.6MB

MD5
8e17399c045f0e397c4611d4c9d33e02

SHA1
aac120429b61430ba2a3f618707cd6110604ceb8

SHA256
78778cc786849a8bbbe5931c7c846bd5d759553a9e2b598eeebe018a81a3dea4

SHA512
a0c75717322a81c20bfc6a8045a80f4943d6b75ad5ba79265acbadbc5e39855592de655058bc895b1c5298ca9f5d3bcf0a573654c69925d0558cf87a957e21c1

Download Submit
\Windows\SysWOW64\DrvInDll.dll

Filesize
808KB

MD5
49570c3624fb6d1d1244bdd9115fcd52

SHA1
90702b103418c5de54af0cbcd7f1bdd83605b56a

SHA256
ce1860f54f32aa03004d96e72c969f6ca8f76450bf0cb39b62af5bdd554bf92c

SHA512
a7a0ac5fe5f362b171c08112955ed4afa27300926ad7da3fc3be1e0a4175dfea6da07bd9b8f4285b2f58477f26add838c332f81481eca894e25fa3f74111abef

Download Submit
\Windows\SysWOW64\SkinH_EL.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/844-202-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/844-199-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2068-27-0x0000000010000000-0x0000000010FA2000-memory.dmp

Filesize
15.6MB

Download
memory/2068-43-0x0000000000810000-0x000000000084E000-memory.dmp

Filesize
248KB

Download
memory/2068-5-0x0000000002710000-0x0000000002A7C000-memory.dmp

Filesize
3.4MB

Download
memory/2068-41-0x0000000010000000-0x0000000010FA2000-memory.dmp

Filesize
15.6MB

Download
memory/2068-39-0x00000000038D0000-0x000000000399B000-memory.dmp

Filesize
812KB

Download
memory/2068-32-0x0000000002710000-0x0000000002A7C000-memory.dmp

Filesize
3.4MB

Download
memory/2068-37-0x0000000003FC0000-0x0000000004E25000-memory.dmp

Filesize
14.4MB

Download
memory/2068-35-0x0000000000810000-0x000000000084E000-memory.dmp

Filesize
248KB

Download
memory/2068-16-0x0000000003FC0000-0x0000000004E25000-memory.dmp

Filesize
14.4MB

Download
memory/2068-14-0x0000000003FC0000-0x0000000004E25000-memory.dmp

Filesize
14.4MB

Download