Analysis Overview
SHA256
cbba1c25ba9360cbc5ffbffc878fc73eb113393f1868b1a65efc7e227913f49f
Threat Level: Known bad
The file f1670cab1f506b29baa4668af746391c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Downloads MZ/PE file
Drops file in Drivers directory
Checks BIOS information in registry
Registers COM server for autorun
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 15:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 15:38
Reported
2024-04-15 15:41
Platform
win10v2004-20240412-en
Max time kernel
124s
Max time network
145s
Command Line
Signatures
Banload
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SET5CDC.tmp | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET5CDC.tmp | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spssetup.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\0\win64\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\TreatAs\ = "{F20DA720-C02F-11CE-927B-0800095AE340}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61} | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ = "_ISerialMonitorEvents" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\HELPDIR | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\Version = "4.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5} | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\hhdspmc.DLL\AppID = "{1B856C34-F6DB-452A-B5E3-8A26C6372074}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device.2\ = "Device Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL\AppID = "{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spsniffer.SerialPortMonitorAx.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\ = "{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\VersionIndependentProgID\ = "hhdspmc.Monitoring" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE} | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B856C34-F6DB-452A-B5E3-8A26C6372074}\ = "hhdspmc" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\TreatAs | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID\ = "hhdspmc.Device" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer\ = "hhdspmc.Device.2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,3624515087451503301,4108549118195267775,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8 |
| C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | "C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe" |
| C:\Users\Admin\AppData\Local\Temp\hinstall.exe | "C:\Users\Admin\AppData\Local\Temp\hinstall.exe" /q |
| C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | "C:\Users\Admin\AppData\Local\Temp\setup_x64.exe" 452 |
| C:\Windows\SYSTEM32\regsvr32.exe | regsvr32.exe /s ..\x86\hhdspmc.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s ..\x86\hhdspmc.dll |
| C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe | "C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe" -p298efhfowh28298dg |
| C:\Users\Admin\AppData\Local\Temp\spssetup.exe | "C:\Users\Admin\AppData\Local\Temp\spssetup.exe" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\System32\regsvr32.exe" spsniffer.dll /s /i:"LEAD CALL#0000XZ-95Z8UP-E3EU91-TF9UPH-40635F-B4M55Y-0611F5-74822F-580BAD-22EFC8-8C7DE2-E3181D" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.leadcall.kr | udp |
| KR | 14.49.36.160:80 | update.leadcall.kr | tcp |
| US | 8.8.8.8:53 | 160.36.49.14.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| KR | 14.49.36.160:80 | update.leadcall.kr | tcp |
| US | 8.8.8.8:53 | hbns.com | udp |
| KR | 219.253.141.144:80 | hbns.com | tcp |
| US | 8.8.8.8:53 | 144.141.253.219.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
| MD5 | 2e8891d239e49afa86ef275d55b6ee50 |
| SHA1 | f304add4781067033de3a523ddb3768d930ea222 |
| SHA256 | 29e797b0a9b1050872b6d5c319e6ce4a692a42a32e8d9e71cebcf00a95d73082 |
| SHA512 | 476136b6abc009aea453626d8ea71d932cecfbba40f8d729b4c2f6d88b462a5ff39fb9885936ee0ae8a69f0ebd65a4a5a3ed6cd74cb9e2afffec218977086c39 |
C:\Users\Admin\AppData\Local\Temp\leadcalls2.dll
| MD5 | 91f84ca6802f3df03602578de976d97e |
| SHA1 | 120faab23f33c1fde75b6746253c3e9103078977 |
| SHA256 | 4bfd526248fc86e9fedc9c9b0ee9b2c3ab561e983d87b77b431b486d04a282aa |
| SHA512 | 67a7eb325554343e2b161010a1dad6273e7e433bac5c481294853edd68fe4f889f14ebc04e37e1fb575142c30592838358212b9a7c15257d9a64c8840d26e395 |
C:\Users\Admin\AppData\Local\Temp\interop.hhdspmcLib.dll
| MD5 | 5cea3723c11b18c5a4c48972b59cdf76 |
| SHA1 | f4d8b431df18b8c3d13022ba1b8dbc1378a83c49 |
| SHA256 | 0b4fbd2b1fa81e8c9a5344f69a953e0a1488f03d2385f4307c18a819822766d6 |
| SHA512 | 1b97ab19d5d3dba3480f1edce147155d76562abd0a0c6947d33dff2d5fa75c2cdf64edd9654c508578ef98103cddceb29dde5188a65f0cedd1fec111608c9a9e |
C:\Users\Admin\AppData\Local\Temp\leadcalls3.dll
| MD5 | b7d094be17126f02027cc4adb256ebe0 |
| SHA1 | 56134af74f1d9569173057353ac722612509c3ec |
| SHA256 | b1abbcbaf2adbaaf2c4d2c5a1de56afd97b2d5569010fbc003abca91001d1775 |
| SHA512 | a3fc2d2ac02d911b0d354309831a0f1da07e554c02acaa01a6e47896aa2550f755fc86a4023accdd436bb81dbc8bea9f17343634e13789316bdf40b11435143a |
C:\Users\Admin\AppData\Local\Temp\hinstall.exe
| MD5 | 69e162ea71180cd35116e5b7bc481539 |
| SHA1 | 82b76b080a0999975838c13e0d33269e5d2f2517 |
| SHA256 | 161d70286cb1919de7efab58d8fb623e513b26101251c1082f53514f55139523 |
| SHA512 | 586f3a64788c52f6ce913a0592e812a8ae2e07c8f1380e86f168564daa8fde14aa549a5abf3d9224f9215fe13a9312628fab759b4157b7e4bd9798a34e1017aa |
C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
| MD5 | 18cdf77b73a3596886890262bd699479 |
| SHA1 | 3ab0d43c6b0bd629856adbbbaa3a2690218c314a |
| SHA256 | 2b692b93397abcd6932cbd95c7ee41d5b4c100ebf4c14efa7eb90c579d129e57 |
| SHA512 | 2a80ce972a382fcc35ec281a4ca71d48d36eee5b826bc9d71e46ad51d65c4a420f2b74e5ba14681356bb45c82b79f34d257555849f5abe4729ca90ff9a944849 |
C:\Users\Admin\AppData\Local\Temp\DIFxAPI64.dll
| MD5 | 1a2e5109c2bb5c68d499e17b83acb73a |
| SHA1 | efa15cfa23606dfc355d11580b509e768a50ddbb |
| SHA256 | e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11 |
| SHA512 | 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b |
C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll
| MD5 | c4380283b5ebbc4445640d9d8790edfc |
| SHA1 | ae66fdc76021a021a8b17693ae29e436f7a9a74f |
| SHA256 | 4347633a02c81c4138b33495ae4e01b247fc13a72219155ef1ecff55a5c1a3e9 |
| SHA512 | 23966140a79c90fd949b9e25946734c3cc7f98fb93ff22ffed0c5c0e7f3e74ca433132d1bb6bf23a853139df271918ed7489fd045b7ffeca75c4e436c316e5a4 |
C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll
| MD5 | 4ee6c6aa101578b87178515fbeb0cca2 |
| SHA1 | 14635156050c38f81c4743b70e551967f38964ae |
| SHA256 | 8c80700b47d5114f1ef82d93992669ac25b6bee80481bda31a3d08608006fd21 |
| SHA512 | 9b3ff6b0c0f411820c6cdcef0eced54f74699d0430742daa818748740aec2062fb2d699bcfcf60d80ae72cc516f3d0b4448965e59cda8ae45ac1cc13c0545dc4 |
C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf
| MD5 | 8b2048cecb78dbd9688c52944e225282 |
| SHA1 | 2d180688802cde1e4cf0a090f3b3b910ef2460b8 |
| SHA256 | b66b6e9aa2949d3ce94fa8ea4a30c6ba67a47529f2c0dc82d2e53718d66a1677 |
| SHA512 | 4a94cb33d546b7383e076d3e9c2069b28fdc1eb809110c10ca5f18e5be40fd5c58fc720ff36a612be313a375510b623bdc0e5df7987229222fb6c6f51ed5bcdf |
C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat
| MD5 | 277559e152c4c0dffbb8ea1aeca70f7c |
| SHA1 | b91486131616a90db87dfe023a6642dc1819a89b |
| SHA256 | 9e316d0907a4b9b4296c87b4c8d3e950a0224cc32d4afb266643da142c1e3bf6 |
| SHA512 | 9a03053f447cb3b25be9aae98ee7cc7c9c9ff36ff5019c0cf30d9851bdc6c187ed8629779ecf43b89449898786cd51b0e569f9b57bcb712234cf5ae4221755a4 |
C:\Windows\System32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc64.sys
| MD5 | fcad9eaadaf03f9c5a5a78f931f568e6 |
| SHA1 | 26763504009218fb0ce52e889d42dbc08df24275 |
| SHA256 | fe20c4a05788ee8ce57d546f54c562d632d9e1c40c327075e70997cca2afd189 |
| SHA512 | 515eb677fde9575f897591ec3f1bb9628d72a6b3b7d6530952d8a59515c27a4f9106ca924acc0a212bbcb78fe2feb6e2b3d577f35a0e9f6141445b955d1ca726 |
memory/2532-144-0x0000000075260000-0x0000000075811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
| MD5 | 0d6f72b3de229aa06db316487e5ba953 |
| SHA1 | 544cc273a15fbef956c13ef5ebe30f351442f307 |
| SHA256 | dad74ba223032ca5b52fbbaed806e773b48e5e649c3f95ba36607e3421fa313e |
| SHA512 | 92316056b4b86e78a88e1c3597cf7a8461e77ea8a47d5e471e0fe264b1a1c9359d2383f89383244c3e6af78cde62a0cb99116e7e4cc7be072dfc017881f8fe29 |
memory/2532-166-0x0000000075260000-0x0000000075811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spssetup.exe
| MD5 | 61b009e8461522e18df4bcfb69a3db79 |
| SHA1 | a26d5d8492518dca419fcd0eb1c75d0d7ac718e3 |
| SHA256 | 3f07884034b2122d3eb9628966c51fffb9a93a3e3d9c5fd60f67789a88633d53 |
| SHA512 | 59927a530dd8c0aa4e6ee3f39022339d45d09aecfa42509a0de217dd65fb2da6ab6a3fe05e4d503a80ef0c8aa2d7c82032292348cf2d1bed5edc52615bf9be86 |
C:\Users\Admin\AppData\Local\Temp\spsniffer.dll
| MD5 | 6df19a1e6c1f1797c27f1d37b87c1e5b |
| SHA1 | b40ddcdbc3f4b9637d80071c079ac56e9ed55a15 |
| SHA256 | f78e01fb5171a16284edf5eecb8aa4a6f4db27539d1cb1eadf9825c31fb67d21 |
| SHA512 | d1c22fe2fccc536d452d1492842f269ff74ebe82342115833ab5dd0ce32061d857b4e9cd0d04055bc5f9a4363b3b4a5346c1ecc1e891a5ece8a316eedaca54a9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 15:38
Reported
2024-04-15 15:41
Platform
win7-20240215-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Banload
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET4682.tmp | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET4682.tmp | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spssetup.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File opened for modification | C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| File created | C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\FLAGS | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\HELPDIR | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6}\ = "spsniffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\TypeLib\Version = "4.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\spsniffer.SerialPortMonitorAx.1\ = "Serial Port Monitor ActiveX Control 4.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring\CurVer\ = "hhdspmc.Monitoring.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ = "_IMonitoringEvents" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spsniffer.dll, 102" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\Version\ = "4.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer\ = "hhdspmc.Device.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\MiscStatus\1\ = "132497" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\Version = "4.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring\CLSID\ = "{E082005E-65FE-49CB-B948-E0ED7478442F}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ = "_ISerialMonitorEvents" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device.2\CLSID\ = "{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\ = "hhdspmc 1.2 Type Library" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307} | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B856C34-F6DB-452A-B5E3-8A26C6372074} | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\ = "Device Class" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib\Version = "1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\ProgID\ = "hhdspmc.SerialMonitor.1.2" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\ProgID | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup_x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
"C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe"
C:\Users\Admin\AppData\Local\Temp\hinstall.exe
"C:\Users\Admin\AppData\Local\Temp\hinstall.exe" /q
C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x64.exe" 116
C:\Windows\system32\regsvr32.exe
regsvr32.exe /s ..\x86\hhdspmc.dll
C:\Windows\SysWOW64\regsvr32.exe
/s ..\x86\hhdspmc.dll
C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
"C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe" -p298efhfowh28298dg
C:\Users\Admin\AppData\Local\Temp\spssetup.exe
"C:\Users\Admin\AppData\Local\Temp\spssetup.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" spsniffer.dll /s /i:"LEAD CALL#0000XZ-95Z8UP-E3EU91-TF9UPH-40635F-B4M55Y-0611F5-74822F-580BAD-22EFC8-8C7DE2-E3181D"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.leadcall.kr | udp |
| KR | 14.49.36.160:80 | update.leadcall.kr | tcp |
| KR | 14.49.36.160:80 | update.leadcall.kr | tcp |
| US | 8.8.8.8:53 | hbns.com | udp |
| KR | 219.253.141.144:80 | hbns.com | tcp |
Files
memory/1568-0-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1568-1-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/1568-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1568-3-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1568-4-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/1568-5-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1568-6-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/1568-7-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1568-8-0x00000000029E0000-0x0000000002A20000-memory.dmp
memory/1568-9-0x00000000029E0000-0x0000000002A20000-memory.dmp
\Users\Admin\AppData\Local\Temp\HANARO_S.exe
| MD5 | 2e8891d239e49afa86ef275d55b6ee50 |
| SHA1 | f304add4781067033de3a523ddb3768d930ea222 |
| SHA256 | 29e797b0a9b1050872b6d5c319e6ce4a692a42a32e8d9e71cebcf00a95d73082 |
| SHA512 | 476136b6abc009aea453626d8ea71d932cecfbba40f8d729b4c2f6d88b462a5ff39fb9885936ee0ae8a69f0ebd65a4a5a3ed6cd74cb9e2afffec218977086c39 |
memory/1584-17-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1584-18-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/1584-19-0x00000000745F0000-0x0000000074B9B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar1BD.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/1584-79-0x0000000000530000-0x0000000000531000-memory.dmp
memory/1584-80-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/1584-81-0x0000000000B30000-0x0000000000B70000-memory.dmp
\Users\Admin\AppData\Local\Temp\leadcalls3.dll
| MD5 | b7d094be17126f02027cc4adb256ebe0 |
| SHA1 | 56134af74f1d9569173057353ac722612509c3ec |
| SHA256 | b1abbcbaf2adbaaf2c4d2c5a1de56afd97b2d5569010fbc003abca91001d1775 |
| SHA512 | a3fc2d2ac02d911b0d354309831a0f1da07e554c02acaa01a6e47896aa2550f755fc86a4023accdd436bb81dbc8bea9f17343634e13789316bdf40b11435143a |
\Users\Admin\AppData\Local\Temp\interop.hhdspmcLib.dll
| MD5 | 5cea3723c11b18c5a4c48972b59cdf76 |
| SHA1 | f4d8b431df18b8c3d13022ba1b8dbc1378a83c49 |
| SHA256 | 0b4fbd2b1fa81e8c9a5344f69a953e0a1488f03d2385f4307c18a819822766d6 |
| SHA512 | 1b97ab19d5d3dba3480f1edce147155d76562abd0a0c6947d33dff2d5fa75c2cdf64edd9654c508578ef98103cddceb29dde5188a65f0cedd1fec111608c9a9e |
\Users\Admin\AppData\Local\Temp\leadcalls2.dll
| MD5 | 91f84ca6802f3df03602578de976d97e |
| SHA1 | 120faab23f33c1fde75b6746253c3e9103078977 |
| SHA256 | 4bfd526248fc86e9fedc9c9b0ee9b2c3ab561e983d87b77b431b486d04a282aa |
| SHA512 | 67a7eb325554343e2b161010a1dad6273e7e433bac5c481294853edd68fe4f889f14ebc04e37e1fb575142c30592838358212b9a7c15257d9a64c8840d26e395 |
\Users\Admin\AppData\Local\Temp\hinstall.exe
| MD5 | 69e162ea71180cd35116e5b7bc481539 |
| SHA1 | 82b76b080a0999975838c13e0d33269e5d2f2517 |
| SHA256 | 161d70286cb1919de7efab58d8fb623e513b26101251c1082f53514f55139523 |
| SHA512 | 586f3a64788c52f6ce913a0592e812a8ae2e07c8f1380e86f168564daa8fde14aa549a5abf3d9224f9215fe13a9312628fab759b4157b7e4bd9798a34e1017aa |
\Users\Admin\AppData\Local\Temp\setup_x64.exe
| MD5 | 18cdf77b73a3596886890262bd699479 |
| SHA1 | 3ab0d43c6b0bd629856adbbbaa3a2690218c314a |
| SHA256 | 2b692b93397abcd6932cbd95c7ee41d5b4c100ebf4c14efa7eb90c579d129e57 |
| SHA512 | 2a80ce972a382fcc35ec281a4ca71d48d36eee5b826bc9d71e46ad51d65c4a420f2b74e5ba14681356bb45c82b79f34d257555849f5abe4729ca90ff9a944849 |
C:\Users\Admin\AppData\Local\Temp\DIFxAPI64.dll
| MD5 | 1a2e5109c2bb5c68d499e17b83acb73a |
| SHA1 | efa15cfa23606dfc355d11580b509e768a50ddbb |
| SHA256 | e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11 |
| SHA512 | 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b |
\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll
| MD5 | c4380283b5ebbc4445640d9d8790edfc |
| SHA1 | ae66fdc76021a021a8b17693ae29e436f7a9a74f |
| SHA256 | 4347633a02c81c4138b33495ae4e01b247fc13a72219155ef1ecff55a5c1a3e9 |
| SHA512 | 23966140a79c90fd949b9e25946734c3cc7f98fb93ff22ffed0c5c0e7f3e74ca433132d1bb6bf23a853139df271918ed7489fd045b7ffeca75c4e436c316e5a4 |
C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll
| MD5 | 4ee6c6aa101578b87178515fbeb0cca2 |
| SHA1 | 14635156050c38f81c4743b70e551967f38964ae |
| SHA256 | 8c80700b47d5114f1ef82d93992669ac25b6bee80481bda31a3d08608006fd21 |
| SHA512 | 9b3ff6b0c0f411820c6cdcef0eced54f74699d0430742daa818748740aec2062fb2d699bcfcf60d80ae72cc516f3d0b4448965e59cda8ae45ac1cc13c0545dc4 |
C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat
| MD5 | ff72fa6df7f67176a5559fde07e163fe |
| SHA1 | 81a310b98045b462ba1344496b2ff0c8ef241a35 |
| SHA256 | b961d5dc1ed3e6f0a0e32a5952650b02ab61f8781b547ebe26b485ac357070cd |
| SHA512 | ee791c4355c18e819318133383b89d833c14b8c3696e89afab606b65ecc9f1422325d4e3f882da0d1843680c2f6fa504094a71780113d6979259b788312f3e3c |
C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf
| MD5 | 8b2048cecb78dbd9688c52944e225282 |
| SHA1 | 2d180688802cde1e4cf0a090f3b3b910ef2460b8 |
| SHA256 | b66b6e9aa2949d3ce94fa8ea4a30c6ba67a47529f2c0dc82d2e53718d66a1677 |
| SHA512 | 4a94cb33d546b7383e076d3e9c2069b28fdc1eb809110c10ca5f18e5be40fd5c58fc720ff36a612be313a375510b623bdc0e5df7987229222fb6c6f51ed5bcdf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d022d194cbb010d91f07a24f986502c7 |
| SHA1 | d947401824d2deed8ac87ead9d75d4a915737df5 |
| SHA256 | 26a5e1233c316a8c9d49c84a5f76763781e38379dc72242b2ce501590882f081 |
| SHA512 | e101b5aa2de95c8ed83ac10d11b0568342daa220812a96ac8f6b7937287ad2638b857eba51e339baaf89923bd4f1c610e4a91c5ebf1070214dc607a9a81bd36a |
C:\Windows\System32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc64.sys
| MD5 | fcad9eaadaf03f9c5a5a78f931f568e6 |
| SHA1 | 26763504009218fb0ce52e889d42dbc08df24275 |
| SHA256 | fe20c4a05788ee8ce57d546f54c562d632d9e1c40c327075e70997cca2afd189 |
| SHA512 | 515eb677fde9575f897591ec3f1bb9628d72a6b3b7d6530952d8a59515c27a4f9106ca924acc0a212bbcb78fe2feb6e2b3d577f35a0e9f6141445b955d1ca726 |
memory/1584-208-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/1584-209-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/1584-217-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/1584-218-0x0000000000B30000-0x0000000000B70000-memory.dmp
\Users\Admin\AppData\Local\Temp\SpmInstall.exe
| MD5 | 0d6f72b3de229aa06db316487e5ba953 |
| SHA1 | 544cc273a15fbef956c13ef5ebe30f351442f307 |
| SHA256 | dad74ba223032ca5b52fbbaed806e773b48e5e649c3f95ba36607e3421fa313e |
| SHA512 | 92316056b4b86e78a88e1c3597cf7a8461e77ea8a47d5e471e0fe264b1a1c9359d2383f89383244c3e6af78cde62a0cb99116e7e4cc7be072dfc017881f8fe29 |
C:\Users\Admin\AppData\Local\Temp\spssetup.exe
| MD5 | 61b009e8461522e18df4bcfb69a3db79 |
| SHA1 | a26d5d8492518dca419fcd0eb1c75d0d7ac718e3 |
| SHA256 | 3f07884034b2122d3eb9628966c51fffb9a93a3e3d9c5fd60f67789a88633d53 |
| SHA512 | 59927a530dd8c0aa4e6ee3f39022339d45d09aecfa42509a0de217dd65fb2da6ab6a3fe05e4d503a80ef0c8aa2d7c82032292348cf2d1bed5edc52615bf9be86 |
C:\Users\Admin\AppData\Local\Temp\spsniffer.dll
| MD5 | 6df19a1e6c1f1797c27f1d37b87c1e5b |
| SHA1 | b40ddcdbc3f4b9637d80071c079ac56e9ed55a15 |
| SHA256 | f78e01fb5171a16284edf5eecb8aa4a6f4db27539d1cb1eadf9825c31fb67d21 |
| SHA512 | d1c22fe2fccc536d452d1492842f269ff74ebe82342115833ab5dd0ce32061d857b4e9cd0d04055bc5f9a4363b3b4a5346c1ecc1e891a5ece8a316eedaca54a9 |
memory/1664-253-0x00000000028F0000-0x0000000002AEC000-memory.dmp
memory/1664-259-0x00000000028F0000-0x0000000002AEC000-memory.dmp
memory/1664-264-0x0000000010000000-0x00000000103C2000-memory.dmp
memory/1664-263-0x0000000010000000-0x00000000103C2000-memory.dmp
memory/1664-273-0x0000000010000000-0x00000000103C2000-memory.dmp
memory/1664-274-0x00000000028F0000-0x0000000002AEC000-memory.dmp
memory/1568-275-0x00000000745F0000-0x0000000074B9B000-memory.dmp