Malware Analysis Report

2024-10-16 03:33

Sample ID 240415-s287ssaa38
Target f1670cab1f506b29baa4668af746391c_JaffaCakes118
SHA256 cbba1c25ba9360cbc5ffbffc878fc73eb113393f1868b1a65efc7e227913f49f
Tags
banload downloader dropper persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cbba1c25ba9360cbc5ffbffc878fc73eb113393f1868b1a65efc7e227913f49f

Threat Level: Known bad

The file f1670cab1f506b29baa4668af746391c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banload downloader dropper persistence trojan

Banload

Downloads MZ/PE file

Drops file in Drivers directory

Checks BIOS information in registry

Registers COM server for autorun

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 15:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 15:38

Reported

2024-04-15 15:41

Platform

win10v2004-20240412-en

Max time kernel

124s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SET5CDC.tmp C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRIVERS\SET5CDC.tmp C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\regsvr32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\0\win64\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\TreatAs\ = "{F20DA720-C02F-11CE-927B-0800095AE340}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61} C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ = "_ISerialMonitorEvents" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\HELPDIR C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\Version = "4.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5} C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\hhdspmc.DLL\AppID = "{1B856C34-F6DB-452A-B5E3-8A26C6372074}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device.2\ = "Device Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL\AppID = "{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spsniffer.SerialPortMonitorAx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\ = "{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\VersionIndependentProgID\ = "hhdspmc.Monitoring" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE} C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B856C34-F6DB-452A-B5E3-8A26C6372074}\ = "hhdspmc" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\TreatAs C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID\ = "hhdspmc.Device" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer\ = "hhdspmc.Device.2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
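The two registry tables above record the COM registration performed by setup_x64.exe in the native 64-bit view and by the regsvr32.exe it spawned in the WOW6432Node (32-bit) view. The signature name "Registers COM server for autorun" overstates what an InprocServer32 value does: it maps a CLSID to a DLL, and nothing loads until a client instantiates that CLSID, so the persistence question is which DLL each class resolves to, in which view, which ProgIDs reach it, and whether any CLSID was redirected with TreatAs. The script below is an added example, not part of the sandbox report or of any vendor tool; it rebuilds that map from a subset of the report's own rows (copied verbatim) and prints the follow-ups a responder would take to the host. The "TEMP-installer" and "system-binary" labels are the script's own shorthand for where the registering process ran from.

```python
"""Rebuild the COM registration map from sandbox "Set value" registry rows."""
import re
from collections import defaultdict

SET_ROW = re.compile(r'^Set value \(\w+\) (\S+) = "(.*)" (\S+) (\S+)$')
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# Representative rows copied verbatim from the report's registry tables.
ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\TreatAs\ = "{F20DA720-C02F-11CE-927B-0800095AE340}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\VersionIndependentProgID\ = "hhdspmc.Monitoring" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID\ = "hhdspmc.Device" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
"""


def new_entry():
    return {"server": {}, "writers": defaultdict(set), "progids": set(), "treat_as": {}}


def summarize(rows):
    """CLSID -> {server: {view: dll}, writers: {view: {process}}, progids, treat_as: {view: clsid}}."""
    summary = defaultdict(new_entry)
    for line in rows.splitlines():
        m = SET_ROW.match(line.strip())
        if not m or not m.group(1).startswith(CLASSES):
            continue
        key, value, process, _target = m.groups()
        value = value.replace("\\\\", "\\")  # the sandbox doubles backslashes inside quoted values
        parts = key[len(CLASSES):].split("\\")
        view = "x64"
        if parts[0] == "WOW6432Node":  # 32-bit registry view on a 64-bit host
            view, parts = "x86", parts[1:]
        if parts[0] == "CLSID" and len(parts) == 4:
            clsid, sub, name = parts[1], parts[2], parts[3]  # name == "" is the (Default) value
            entry = summary[clsid]
            if sub == "InprocServer32" and name == "":
                entry["server"][view] = value
                entry["writers"][view].add(process)
            elif sub == "VersionIndependentProgID" and name == "":
                entry["progids"].add(value)
            elif sub == "TreatAs" and name == "":
                entry["treat_as"][view] = value
                entry["writers"][view].add(process)
        elif len(parts) == 3 and parts[1] == "CLSID" and parts[2] == "":
            summary[value]["progids"].add(parts[0])  # Classes\<ProgID>\CLSID = "{...}"
    return dict(summary)


def review(summary):
    """Turn the map into the questions a responder would take to the host."""
    notes = []
    for clsid, e in summary.items():
        for view, dll in e["server"].items():
            who = ", ".join(sorted(e["writers"][view]))
            progids = ", ".join(sorted(e["progids"])) or "(none seen)"
            origin = "TEMP-installer" if "\\AppData\\Local\\Temp\\" in who else "system-binary"
            notes.append(f"{clsid} [{view}] -> {dll}  progid={progids}  registered by {who} [{origin}]: verify the DLL's Authenticode signature")
        for view, target in e["treat_as"].items():
            notes.append(f"{clsid} [{view}] TreatAs -> {target}: CoCreateInstance of this CLSID is redirected; confirm the target class is expected")
    return notes


if __name__ == "__main__":
    print("\n".join(review(summarize(ROWS))))
```

On this subset the {98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D} class resolves to the x64 and x86 copies of hhdspmc.dll in the two views, the other two classes appear only in the 64-bit view, and one TreatAs redirection was written by the 32-bit regsvr32.exe. On a live host the next steps are the signature check on each resolved DLL and finding what actually instantiates hhdspmc.Device, hhdspmc.SerialMonitor and hhdspmc.Monitoring.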

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
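The signature above fires on any write under SystemCertificates, so the first check is to decode the Blob and see which certificate was written. CryptoAPI serializes a store entry as a sequence of {property id (u32), reserved (u32, always 1), length (u32), data} records, with the DER certificate in property 32 (CERT_CERT_PROP_ID), and the registry key name is the certificate's SHA-1 thumbprint. The decoder below is an added example written for this page, not part of the sandbox report or of Microsoft's tooling; it uses only the standard library, takes the Blob hex exactly as printed in the row above (split at property boundaries for readability), and reads common names by locating the encoded commonName OID rather than by a full X.509 parse, a shortcut that is adequate for issuer and subject names. The property-ID names are those of wincrypt.h.

```python
"""Decode a CryptoAPI serialized certificate Blob and identify the certificate."""
import hashlib
import struct

# wincrypt.h property IDs used below
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID = 92
CERT_AUTH_ROOT_SHA256_HASH_PROP_ID = 98

KEY_NAME = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"  # registry key name from the row above

# Issuer and subject Name are byte-identical (self-signed root), so the DER Name appears twice.
DN = ("306c310b300906035504061302555331153013060355040a130c446967694365727420496e63"
      "31193017060355040b13107777772e64696769636572742e636f6d"
      "312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341")
MODULUS = ("c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7"
           "4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d"
           "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55"
           "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb")
SIGNATURE = ("1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5"
             "219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b"
             "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4"
             "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a")
BLOB_HEX = "".join([
    "5c000000010000000400000000080000",                                                # 92: key bits
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9",                        # 25: pubkey MD5
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25",                # 3: SHA-1
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63",                        # 29: subject MD5
    "0b0000000100000012000000440069006700690043006500720074000000",                    # 11: friendly name
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3",                # 20: key identifier
    "6200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",  # 98
    "090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308",
    "530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0",
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8",                # 15: signature hash
    "040000000100000010000000d474de575c39b2d39c8583c5c065498a",                        # 4: MD5
    "2000000001000000c9030000",                                                        # 32: certificate, 0x3c9 bytes
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500", DN,
    "301e170d3036313131303030303030305a170d3331313131303030303030305a", DN,
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100", MODULUS,
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3",
    "300d06092a864886f70d01010505000382010100", SIGNATURE,
])


def parse_cert_blob(blob):
    """Walk the property list: {propid u32, reserved u32 (must be 1), length u32, data} until the end."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("unexpected reserved field %d at offset %d" % (reserved, off))
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("property %d truncated" % prop_id)
        props[prop_id] = data
        off += length
    return props


def common_names(der):
    """Every commonName (OID 2.5.4.3) string in DER order: issuer first, then subject.
    Shortcut: find the encoded OID and read the short-form string that follows it."""
    oid = b"\x06\x03\x55\x04\x03"
    names, i = [], der.find(oid)
    while i != -1:
        tag, length = der[i + 5], der[i + 6]
        if tag in (0x13, 0x0C, 0x16) and length < 0x80:  # PrintableString / UTF8String / IA5String
            names.append(der[i + 7:i + 7 + length].decode("utf-8", "replace"))
        i = der.find(oid, i + 5)
    return names


def triage(blob_hex, key_name):
    """Identify the certificate and check the key name against the embedded DER."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(cert).hexdigest().upper()
    return {
        "cert_len": len(cert),
        "thumbprint": sha1,
        "matches_key_name": sha1 == key_name.upper(),
        "matches_embedded_sha1": props[CERT_SHA1_HASH_PROP_ID].hex().upper() == sha1,
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\0"),
        "common_names": common_names(cert),
        "public_key_bits": struct.unpack("<I", props[CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID])[0],
        "auth_root_property": CERT_AUTH_ROOT_SHA256_HASH_PROP_ID in props,
        "property_ids": sorted(props),
    }


if __name__ == "__main__":
    for k, v in triage(BLOB_HEX, KEY_NAME).items():
        print(f"{k}: {v}")
```

Decoded, the entry is the self-signed DigiCert High Assurance EV Root CA (issuer and subject CN identical, 2048-bit key, SHA-1 thumbprint equal to the key name), stored with the friendly name "DigiCert" and a CERT_AUTH_ROOT_SHA256_HASH_PROP_ID property, which is the shape of an entry that Windows' automatic root update writes into AuthRoot when chain building needs a root that is not yet cached. That is consistent with HANARO_S.exe validating something signed under that root rather than planting a rogue CA; what it validated is not shown on this page and is the thing to chase, and the signature's evasion/spyware tags should not carry weight in the verdict on their own.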

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 3764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 3764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 2732 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 2732 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,3624515087451503301,4108549118195267775,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe

"C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe"

C:\Users\Admin\AppData\Local\Temp\hinstall.exe

"C:\Users\Admin\AppData\Local\Temp\hinstall.exe" /q

C:\Users\Admin\AppData\Local\Temp\setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\setup_x64.exe" 452

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s ..\x86\hhdspmc.dll

C:\Windows\SysWOW64\regsvr32.exe

/s ..\x86\hhdspmc.dll

C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe

"C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe" -p298efhfowh28298dg

C:\Users\Admin\AppData\Local\Temp\spssetup.exe

"C:\Users\Admin\AppData\Local\Temp\spssetup.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" spsniffer.dll /s /i:"LEAD CALL#0000XZ-95Z8UP-E3EU91-TF9UPH-40635F-B4M55Y-0611F5-74822F-580BAD-22EFC8-8C7DE2-E3181D"
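The WriteProcessMemory table and the Processes list above are enough to rebuild the execution chain of this detonation, which the page otherwise gives only as flat lists. Every row in that table pairs a parent with a child it has just launched: writing into a freshly created child is part of process creation itself, which is why ordinary installers trip this signature and why each pair is listed two or three times. Injection would look different (a target that is an unrelated, already running process). The script below is an added example, not part of the sandbox report or of any vendor tool; it deduplicates the rows, builds the parent/child tree and attaches the command lines from the Processes section. The report lists command lines without PIDs, so pairing the two C:\Windows\SysWOW64\regsvr32.exe lines with PIDs 4076 and 1316 in the order the report lists them is an assumption of this example.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory rows and command lines."""
import ntpath
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# All 22 rows of the WriteProcessMemory table, copied from the report.
WPM_ROWS = r"""
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 2952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 3764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 3764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 2732 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 2732 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 2952 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4768 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
"""

# Command lines from the Processes section, keyed by PID.  The report gives them
# without PIDs; pairing the two SysWOW64\regsvr32.exe lines with 4076 and 1316
# follows the report's listing order (assumption of this example).
CMDLINES = {
    2952: r'"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"',
    2532: r'"C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe"',
    3764: r'"C:\Users\Admin\AppData\Local\Temp\hinstall.exe" /q',
    2732: r'"C:\Users\Admin\AppData\Local\Temp\setup_x64.exe" 452',
    2256: r'regsvr32.exe /s ..\x86\hhdspmc.dll',
    4076: r'/s ..\x86\hhdspmc.dll',
    4768: r'"C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe" -p298efhfowh28298dg',
    4596: r'"C:\Users\Admin\AppData\Local\Temp\spssetup.exe"',
    1316: r'"C:\Windows\System32\regsvr32.exe" spsniffer.dll /s /i:"LEAD CALL#0000XZ-95Z8UP-E3EU91-TF9UPH-40635F-B4M55Y-0611F5-74822F-580BAD-22EFC8-8C7DE2-E3181D"',
}


def parse_rows(text):
    """Return ({(parent_pid, child_pid): (parent_image, child_image)}, raw_row_count)."""
    edges, count = {}, 0
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        count += 1
        parent, child, parent_img, child_img = m.groups()
        edges[(int(parent), int(child))] = (parent_img, child_img)  # repeated writes collapse here
    return edges, count


def build_tree(edges):
    """Roots, parent -> [children] in first-seen order, and PID -> image path."""
    children, image = defaultdict(list), {}
    for (parent, child), (parent_img, child_img) in edges.items():
        children[parent].append(child)
        image.setdefault(parent, parent_img)
        image[child] = child_img
    spawned = {child for _, child in edges}
    roots = [pid for pid in image if pid not in spawned]
    return roots, dict(children), image


def render(roots, children, image, cmdlines):
    """One indented line per process: PID, image name, command line."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}  {cmdlines.get(pid, '')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, raw = parse_rows(WPM_ROWS)
    print(f"{raw} rows -> {len(edges)} distinct parent/child pairs")
    print("\n".join(render(*build_tree(edges), CMDLINES)))
```

The 22 rows collapse to 8 parent/child pairs and a single root: the sample launches HANARO_S.exe, hinstall.exe and SpmInstall.exe; hinstall.exe runs setup_x64.exe, which calls the 64-bit regsvr32.exe, which re-launches its 32-bit counterpart for the x86 DLL; SpmInstall.exe runs spssetup.exe and the 32-bit regsvr32.exe that installs spsniffer.dll with the license string. The chain is what a responder should compare against the host's own process telemetry.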

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 update.leadcall.kr udp
KR 14.49.36.160:80 update.leadcall.kr tcp
US 8.8.8.8:53 160.36.49.14.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
KR 14.49.36.160:80 update.leadcall.kr tcp
US 8.8.8.8:53 hbns.com udp
KR 219.253.141.144:80 hbns.com tcp
US 8.8.8.8:53 144.141.253.219.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/2952-0-0x0000000075260000-0x0000000075811000-memory.dmp

memory/2952-1-0x0000000075260000-0x0000000075811000-memory.dmp

memory/2952-2-0x00000000016C0000-0x00000000016D0000-memory.dmp

memory/2952-3-0x0000000005470000-0x0000000005471000-memory.dmp

memory/2952-4-0x00000000016C0000-0x00000000016D0000-memory.dmp

memory/2952-5-0x0000000075260000-0x0000000075811000-memory.dmp

memory/2952-6-0x0000000075260000-0x0000000075811000-memory.dmp

memory/2952-7-0x00000000016C0000-0x00000000016D0000-memory.dmp

memory/2952-8-0x00000000016C0000-0x00000000016D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe

MD5 2e8891d239e49afa86ef275d55b6ee50
SHA1 f304add4781067033de3a523ddb3768d930ea222
SHA256 29e797b0a9b1050872b6d5c319e6ce4a692a42a32e8d9e71cebcf00a95d73082
SHA512 476136b6abc009aea453626d8ea71d932cecfbba40f8d729b4c2f6d88b462a5ff39fb9885936ee0ae8a69f0ebd65a4a5a3ed6cd74cb9e2afffec218977086c39

memory/2532-20-0x0000000075260000-0x0000000075811000-memory.dmp

memory/2532-21-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/2532-22-0x0000000075260000-0x0000000075811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\leadcalls2.dll

MD5 91f84ca6802f3df03602578de976d97e
SHA1 120faab23f33c1fde75b6746253c3e9103078977
SHA256 4bfd526248fc86e9fedc9c9b0ee9b2c3ab561e983d87b77b431b486d04a282aa
SHA512 67a7eb325554343e2b161010a1dad6273e7e433bac5c481294853edd68fe4f889f14ebc04e37e1fb575142c30592838358212b9a7c15257d9a64c8840d26e395

C:\Users\Admin\AppData\Local\Temp\interop.hhdspmcLib.dll

MD5 5cea3723c11b18c5a4c48972b59cdf76
SHA1 f4d8b431df18b8c3d13022ba1b8dbc1378a83c49
SHA256 0b4fbd2b1fa81e8c9a5344f69a953e0a1488f03d2385f4307c18a819822766d6
SHA512 1b97ab19d5d3dba3480f1edce147155d76562abd0a0c6947d33dff2d5fa75c2cdf64edd9654c508578ef98103cddceb29dde5188a65f0cedd1fec111608c9a9e

C:\Users\Admin\AppData\Local\Temp\leadcalls3.dll

MD5 b7d094be17126f02027cc4adb256ebe0
SHA1 56134af74f1d9569173057353ac722612509c3ec
SHA256 b1abbcbaf2adbaaf2c4d2c5a1de56afd97b2d5569010fbc003abca91001d1775
SHA512 a3fc2d2ac02d911b0d354309831a0f1da07e554c02acaa01a6e47896aa2550f755fc86a4023accdd436bb81dbc8bea9f17343634e13789316bdf40b11435143a

memory/2532-55-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

memory/2532-56-0x00000000019B0000-0x00000000019C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hinstall.exe

MD5 69e162ea71180cd35116e5b7bc481539
SHA1 82b76b080a0999975838c13e0d33269e5d2f2517
SHA256 161d70286cb1919de7efab58d8fb623e513b26101251c1082f53514f55139523
SHA512 586f3a64788c52f6ce913a0592e812a8ae2e07c8f1380e86f168564daa8fde14aa549a5abf3d9224f9215fe13a9312628fab759b4157b7e4bd9798a34e1017aa

C:\Users\Admin\AppData\Local\Temp\setup_x64.exe

MD5 18cdf77b73a3596886890262bd699479
SHA1 3ab0d43c6b0bd629856adbbbaa3a2690218c314a
SHA256 2b692b93397abcd6932cbd95c7ee41d5b4c100ebf4c14efa7eb90c579d129e57
SHA512 2a80ce972a382fcc35ec281a4ca71d48d36eee5b826bc9d71e46ad51d65c4a420f2b74e5ba14681356bb45c82b79f34d257555849f5abe4729ca90ff9a944849

C:\Users\Admin\AppData\Local\Temp\DIFxAPI64.dll

MD5 1a2e5109c2bb5c68d499e17b83acb73a
SHA1 efa15cfa23606dfc355d11580b509e768a50ddbb
SHA256 e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11
SHA512 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b

C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll

MD5 c4380283b5ebbc4445640d9d8790edfc
SHA1 ae66fdc76021a021a8b17693ae29e436f7a9a74f
SHA256 4347633a02c81c4138b33495ae4e01b247fc13a72219155ef1ecff55a5c1a3e9
SHA512 23966140a79c90fd949b9e25946734c3cc7f98fb93ff22ffed0c5c0e7f3e74ca433132d1bb6bf23a853139df271918ed7489fd045b7ffeca75c4e436c316e5a4

C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll

MD5 4ee6c6aa101578b87178515fbeb0cca2
SHA1 14635156050c38f81c4743b70e551967f38964ae
SHA256 8c80700b47d5114f1ef82d93992669ac25b6bee80481bda31a3d08608006fd21
SHA512 9b3ff6b0c0f411820c6cdcef0eced54f74699d0430742daa818748740aec2062fb2d699bcfcf60d80ae72cc516f3d0b4448965e59cda8ae45ac1cc13c0545dc4

C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf

MD5 8b2048cecb78dbd9688c52944e225282
SHA1 2d180688802cde1e4cf0a090f3b3b910ef2460b8
SHA256 b66b6e9aa2949d3ce94fa8ea4a30c6ba67a47529f2c0dc82d2e53718d66a1677
SHA512 4a94cb33d546b7383e076d3e9c2069b28fdc1eb809110c10ca5f18e5be40fd5c58fc720ff36a612be313a375510b623bdc0e5df7987229222fb6c6f51ed5bcdf

C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat

MD5 277559e152c4c0dffbb8ea1aeca70f7c
SHA1 b91486131616a90db87dfe023a6642dc1819a89b
SHA256 9e316d0907a4b9b4296c87b4c8d3e950a0224cc32d4afb266643da142c1e3bf6
SHA512 9a03053f447cb3b25be9aae98ee7cc7c9c9ff36ff5019c0cf30d9851bdc6c187ed8629779ecf43b89449898786cd51b0e569f9b57bcb712234cf5ae4221755a4

C:\Windows\System32\DRVSTORE\hhdspmc_B91486131616A90DB87DFE023A6642DC1819A89B\hhdspmc64.sys

MD5 fcad9eaadaf03f9c5a5a78f931f568e6
SHA1 26763504009218fb0ce52e889d42dbc08df24275
SHA256 fe20c4a05788ee8ce57d546f54c562d632d9e1c40c327075e70997cca2afd189
SHA512 515eb677fde9575f897591ec3f1bb9628d72a6b3b7d6530952d8a59515c27a4f9106ca924acc0a212bbcb78fe2feb6e2b3d577f35a0e9f6141445b955d1ca726

memory/2532-144-0x0000000075260000-0x0000000075811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe

MD5 0d6f72b3de229aa06db316487e5ba953
SHA1 544cc273a15fbef956c13ef5ebe30f351442f307
SHA256 dad74ba223032ca5b52fbbaed806e773b48e5e649c3f95ba36607e3421fa313e
SHA512 92316056b4b86e78a88e1c3597cf7a8461e77ea8a47d5e471e0fe264b1a1c9359d2383f89383244c3e6af78cde62a0cb99116e7e4cc7be072dfc017881f8fe29

memory/2532-166-0x0000000075260000-0x0000000075811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\spssetup.exe

MD5 61b009e8461522e18df4bcfb69a3db79
SHA1 a26d5d8492518dca419fcd0eb1c75d0d7ac718e3
SHA256 3f07884034b2122d3eb9628966c51fffb9a93a3e3d9c5fd60f67789a88633d53
SHA512 59927a530dd8c0aa4e6ee3f39022339d45d09aecfa42509a0de217dd65fb2da6ab6a3fe05e4d503a80ef0c8aa2d7c82032292348cf2d1bed5edc52615bf9be86

C:\Users\Admin\AppData\Local\Temp\spsniffer.dll

MD5 6df19a1e6c1f1797c27f1d37b87c1e5b
SHA1 b40ddcdbc3f4b9637d80071c079ac56e9ed55a15
SHA256 f78e01fb5171a16284edf5eecb8aa4a6f4db27539d1cb1eadf9825c31fb67d21
SHA512 d1c22fe2fccc536d452d1492842f269ff74ebe82342115833ab5dd0ce32061d857b4e9cd0d04055bc5f9a4363b3b4a5346c1ecc1e891a5ece8a316eedaca54a9

memory/1316-182-0x0000000002BF0000-0x0000000002DEC000-memory.dmp

memory/1316-188-0x0000000002BF0000-0x0000000002DEC000-memory.dmp

memory/1316-192-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1316-193-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1316-202-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1316-203-0x0000000002BF0000-0x0000000002DEC000-memory.dmp

memory/2532-204-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/2952-205-0x0000000075260000-0x0000000075811000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 15:38

Reported

2024-04-15 15:41

Platform

win7-20240215-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET4682.tmp C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRIVERS\SET4682.tmp C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spssetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spssetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spssetup.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRVSTORE C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Windows\system32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc64.sys C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\drivers\old_cat\hhdspmc_x64.cat C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File opened for modification C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
File created C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\FLAGS C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\HELPDIR C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6}\ = "spsniffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C8C98BF3-C200-46B6-96E2-FF835CDCC5D6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x64\\hhdspmc.dll" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D39E5F2E-3DBE-485A-934E-9AE554BF0FC6}\4.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\TypeLib\Version = "4.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\InprocServer32\ = "C:\\Program Files\\HHD Software\\SPMC_redist\\x86\\hhdspmc.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\spsniffer.SerialPortMonitorAx.1\ = "Serial Port Monitor ActiveX Control 4.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring\CurVer\ = "hhdspmc.Monitoring.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID\ = "{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ = "_IMonitoringEvents" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spsniffer.dll, 102" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\Version\ = "4.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\CurVer\ = "hhdspmc.Device.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{550987AF-776E-4181-939E-73263E1560E2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\spsniffer.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\MiscStatus\1\ = "132497" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5034C36-4FD7-44FE-98C7-D45CE7548530}\TypeLib\Version = "4.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Monitoring\CLSID\ = "{E082005E-65FE-49CB-B948-E0ED7478442F}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\ = "_ISerialMonitorEvents" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device.2\CLSID\ = "{98BDF133-27BC-429B-9FAB-EB9C2DEA7D7D}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD962786-3734-4BE3-B375-5E6F3FD37E37}\1.2\ = "hhdspmc 1.2 Type Library" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724A78C9-BE68-47E9-A252-17EFABC354DE}\TypeLib\ = "{DD962786-3734-4BE3-B375-5E6F3FD37E37}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D32AF2A-8030-44B6-A766-D4ACE641E307} C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27CF5BF-A82D-4E68-978E-701F346767A5}\TypeLib C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E2C0C1C-F5DF-38F3-EC24-8167781A08C9}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B27FE486-7B46-40FE-A059-8071469464DE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B856C34-F6DB-452A-B5E3-8A26C6372074} C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.SerialMonitor.1.2\CLSID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hhdspmc.Device\ = "Device Class" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A820E710-F13D-4BEE-9774-20DC6909CC3D}\TypeLib\Version = "1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F513861-EE13-4EA5-AD8F-111D5A612283}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F739B22-2DE3-4105-A0CB-1D96BCA9EF61}\ProgID\ = "hhdspmc.SerialMonitor.1.2" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E082005E-65FE-49CB-B948-E0ED7478442F}\ProgID C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D880AF8A-2E88-4D3C-9C06-9EC3DB87E2EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 1568 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 1568 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 1568 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1568 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hinstall.exe
PID 1004 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 1004 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 1004 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 1004 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\hinstall.exe C:\Users\Admin\AppData\Local\Temp\setup_x64.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\system32\regsvr32.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\system32\regsvr32.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\system32\regsvr32.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\system32\regsvr32.exe
PID 2824 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\setup_x64.exe C:\Windows\system32\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 1568 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Users\Admin\AppData\Local\Temp\spssetup.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2792 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f1670cab1f506b29baa4668af746391c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe

"C:\Users\Admin\AppData\Local\Temp\HANARO_S.exe"

C:\Users\Admin\AppData\Local\Temp\hinstall.exe

"C:\Users\Admin\AppData\Local\Temp\hinstall.exe" /q

C:\Users\Admin\AppData\Local\Temp\setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\setup_x64.exe" 116

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s ..\x86\hhdspmc.dll

C:\Windows\SysWOW64\regsvr32.exe

/s ..\x86\hhdspmc.dll

C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe

"C:\Users\Admin\AppData\Local\Temp\SpmInstall.exe" -p298efhfowh28298dg

C:\Users\Admin\AppData\Local\Temp\spssetup.exe

"C:\Users\Admin\AppData\Local\Temp\spssetup.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" spsniffer.dll /s /i:"LEAD CALL#0000XZ-95Z8UP-E3EU91-TF9UPH-40635F-B4M55Y-0611F5-74822F-580BAD-22EFC8-8C7DE2-E3181D"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.leadcall.kr udp
KR 14.49.36.160:80 update.leadcall.kr tcp
KR 14.49.36.160:80 update.leadcall.kr tcp
US 8.8.8.8:53 hbns.com udp
KR 219.253.141.144:80 hbns.com tcp

Files

memory/1568-0-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1568-1-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/1568-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1568-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1568-4-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/1568-5-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1568-6-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/1568-7-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1568-8-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/1568-9-0x00000000029E0000-0x0000000002A20000-memory.dmp

\Users\Admin\AppData\Local\Temp\HANARO_S.exe

MD5 2e8891d239e49afa86ef275d55b6ee50
SHA1 f304add4781067033de3a523ddb3768d930ea222
SHA256 29e797b0a9b1050872b6d5c319e6ce4a692a42a32e8d9e71cebcf00a95d73082
SHA512 476136b6abc009aea453626d8ea71d932cecfbba40f8d729b4c2f6d88b462a5ff39fb9885936ee0ae8a69f0ebd65a4a5a3ed6cd74cb9e2afffec218977086c39

memory/1584-17-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1584-18-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1584-19-0x00000000745F0000-0x0000000074B9B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1BD.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/1584-79-0x0000000000530000-0x0000000000531000-memory.dmp

memory/1584-80-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1584-81-0x0000000000B30000-0x0000000000B70000-memory.dmp

\Users\Admin\AppData\Local\Temp\leadcalls3.dll

MD5 b7d094be17126f02027cc4adb256ebe0
SHA1 56134af74f1d9569173057353ac722612509c3ec
SHA256 b1abbcbaf2adbaaf2c4d2c5a1de56afd97b2d5569010fbc003abca91001d1775
SHA512 a3fc2d2ac02d911b0d354309831a0f1da07e554c02acaa01a6e47896aa2550f755fc86a4023accdd436bb81dbc8bea9f17343634e13789316bdf40b11435143a

\Users\Admin\AppData\Local\Temp\interop.hhdspmcLib.dll

MD5 5cea3723c11b18c5a4c48972b59cdf76
SHA1 f4d8b431df18b8c3d13022ba1b8dbc1378a83c49
SHA256 0b4fbd2b1fa81e8c9a5344f69a953e0a1488f03d2385f4307c18a819822766d6
SHA512 1b97ab19d5d3dba3480f1edce147155d76562abd0a0c6947d33dff2d5fa75c2cdf64edd9654c508578ef98103cddceb29dde5188a65f0cedd1fec111608c9a9e

\Users\Admin\AppData\Local\Temp\leadcalls2.dll

MD5 91f84ca6802f3df03602578de976d97e
SHA1 120faab23f33c1fde75b6746253c3e9103078977
SHA256 4bfd526248fc86e9fedc9c9b0ee9b2c3ab561e983d87b77b431b486d04a282aa
SHA512 67a7eb325554343e2b161010a1dad6273e7e433bac5c481294853edd68fe4f889f14ebc04e37e1fb575142c30592838358212b9a7c15257d9a64c8840d26e395

\Users\Admin\AppData\Local\Temp\hinstall.exe

MD5 69e162ea71180cd35116e5b7bc481539
SHA1 82b76b080a0999975838c13e0d33269e5d2f2517
SHA256 161d70286cb1919de7efab58d8fb623e513b26101251c1082f53514f55139523
SHA512 586f3a64788c52f6ce913a0592e812a8ae2e07c8f1380e86f168564daa8fde14aa549a5abf3d9224f9215fe13a9312628fab759b4157b7e4bd9798a34e1017aa

\Users\Admin\AppData\Local\Temp\setup_x64.exe

MD5 18cdf77b73a3596886890262bd699479
SHA1 3ab0d43c6b0bd629856adbbbaa3a2690218c314a
SHA256 2b692b93397abcd6932cbd95c7ee41d5b4c100ebf4c14efa7eb90c579d129e57
SHA512 2a80ce972a382fcc35ec281a4ca71d48d36eee5b826bc9d71e46ad51d65c4a420f2b74e5ba14681356bb45c82b79f34d257555849f5abe4729ca90ff9a944849

C:\Users\Admin\AppData\Local\Temp\DIFxAPI64.dll

MD5 1a2e5109c2bb5c68d499e17b83acb73a
SHA1 efa15cfa23606dfc355d11580b509e768a50ddbb
SHA256 e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11
SHA512 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b

\Program Files\HHD Software\SPMC_redist\x64\hhdspmc.dll

MD5 c4380283b5ebbc4445640d9d8790edfc
SHA1 ae66fdc76021a021a8b17693ae29e436f7a9a74f
SHA256 4347633a02c81c4138b33495ae4e01b247fc13a72219155ef1ecff55a5c1a3e9
SHA512 23966140a79c90fd949b9e25946734c3cc7f98fb93ff22ffed0c5c0e7f3e74ca433132d1bb6bf23a853139df271918ed7489fd045b7ffeca75c4e436c316e5a4

C:\Program Files\HHD Software\SPMC_redist\x86\hhdspmc.dll

MD5 4ee6c6aa101578b87178515fbeb0cca2
SHA1 14635156050c38f81c4743b70e551967f38964ae
SHA256 8c80700b47d5114f1ef82d93992669ac25b6bee80481bda31a3d08608006fd21
SHA512 9b3ff6b0c0f411820c6cdcef0eced54f74699d0430742daa818748740aec2062fb2d699bcfcf60d80ae72cc516f3d0b4448965e59cda8ae45ac1cc13c0545dc4

C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc_x64.cat

MD5 ff72fa6df7f67176a5559fde07e163fe
SHA1 81a310b98045b462ba1344496b2ff0c8ef241a35
SHA256 b961d5dc1ed3e6f0a0e32a5952650b02ab61f8781b547ebe26b485ac357070cd
SHA512 ee791c4355c18e819318133383b89d833c14b8c3696e89afab606b65ecc9f1422325d4e3f882da0d1843680c2f6fa504094a71780113d6979259b788312f3e3c

C:\Program Files\HHD Software\SPMC_redist\drivers\hhdspmc.inf

MD5 8b2048cecb78dbd9688c52944e225282
SHA1 2d180688802cde1e4cf0a090f3b3b910ef2460b8
SHA256 b66b6e9aa2949d3ce94fa8ea4a30c6ba67a47529f2c0dc82d2e53718d66a1677
SHA512 4a94cb33d546b7383e076d3e9c2069b28fdc1eb809110c10ca5f18e5be40fd5c58fc720ff36a612be313a375510b623bdc0e5df7987229222fb6c6f51ed5bcdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d022d194cbb010d91f07a24f986502c7
SHA1 d947401824d2deed8ac87ead9d75d4a915737df5
SHA256 26a5e1233c316a8c9d49c84a5f76763781e38379dc72242b2ce501590882f081
SHA512 e101b5aa2de95c8ed83ac10d11b0568342daa220812a96ac8f6b7937287ad2638b857eba51e339baaf89923bd4f1c610e4a91c5ebf1070214dc607a9a81bd36a

C:\Windows\System32\DRVSTORE\hhdspmc_81A310B98045B462BA1344496B2FF0C8EF241A35\hhdspmc64.sys

MD5 fcad9eaadaf03f9c5a5a78f931f568e6
SHA1 26763504009218fb0ce52e889d42dbc08df24275
SHA256 fe20c4a05788ee8ce57d546f54c562d632d9e1c40c327075e70997cca2afd189
SHA512 515eb677fde9575f897591ec3f1bb9628d72a6b3b7d6530952d8a59515c27a4f9106ca924acc0a212bbcb78fe2feb6e2b3d577f35a0e9f6141445b955d1ca726

memory/1584-208-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1584-209-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1584-217-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1584-218-0x0000000000B30000-0x0000000000B70000-memory.dmp

\Users\Admin\AppData\Local\Temp\SpmInstall.exe

MD5 0d6f72b3de229aa06db316487e5ba953
SHA1 544cc273a15fbef956c13ef5ebe30f351442f307
SHA256 dad74ba223032ca5b52fbbaed806e773b48e5e649c3f95ba36607e3421fa313e
SHA512 92316056b4b86e78a88e1c3597cf7a8461e77ea8a47d5e471e0fe264b1a1c9359d2383f89383244c3e6af78cde62a0cb99116e7e4cc7be072dfc017881f8fe29

C:\Users\Admin\AppData\Local\Temp\spssetup.exe

MD5 61b009e8461522e18df4bcfb69a3db79
SHA1 a26d5d8492518dca419fcd0eb1c75d0d7ac718e3
SHA256 3f07884034b2122d3eb9628966c51fffb9a93a3e3d9c5fd60f67789a88633d53
SHA512 59927a530dd8c0aa4e6ee3f39022339d45d09aecfa42509a0de217dd65fb2da6ab6a3fe05e4d503a80ef0c8aa2d7c82032292348cf2d1bed5edc52615bf9be86

C:\Users\Admin\AppData\Local\Temp\spsniffer.dll

MD5 6df19a1e6c1f1797c27f1d37b87c1e5b
SHA1 b40ddcdbc3f4b9637d80071c079ac56e9ed55a15
SHA256 f78e01fb5171a16284edf5eecb8aa4a6f4db27539d1cb1eadf9825c31fb67d21
SHA512 d1c22fe2fccc536d452d1492842f269ff74ebe82342115833ab5dd0ce32061d857b4e9cd0d04055bc5f9a4363b3b4a5346c1ecc1e891a5ece8a316eedaca54a9

memory/1664-253-0x00000000028F0000-0x0000000002AEC000-memory.dmp

memory/1664-259-0x00000000028F0000-0x0000000002AEC000-memory.dmp

memory/1664-264-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1664-263-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1664-273-0x0000000010000000-0x00000000103C2000-memory.dmp

memory/1664-274-0x00000000028F0000-0x0000000002AEC000-memory.dmp

memory/1568-275-0x00000000745F0000-0x0000000074B9B000-memory.dmp