Malware Analysis Report

2025-08-06 04:07

Sample ID 240509-n2dzfaah25
Target ASPack.exe
SHA256 1df4d6648753095803f0fdffaffc39edfc908ffa66d4dca33a1b1d689175a3f0
Tags
bootkit persistence
score
6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
6/10

SHA256

1df4d6648753095803f0fdffaffc39edfc908ffa66d4dca33a1b1d689175a3f0

Threat Level: Shows suspicious behavior

The file ASPack.exe scored 6/10: it shows suspicious behavior but was not matched to a known malware family. The file name is that of the ASPack runtime packer, but the static analysis in this report does not identify a packer, so treat the name as a hint only.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR) (observed in behavioral1, Windows 7, only)

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

The two behavioral runs differ: the PhysicalDrive0 open that backs the MBR signature was recorded only on the Windows 7 run (behavioral1), and network activity was recorded only on the Windows 10 run (behavioral2).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 11:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 11:53

Reported

2024-05-09 11:55

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

This table mixes two kinds of writes. The keys under ...\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Shell\Bags are Explorer "shellbag" view state that Windows writes whenever a folder or common file dialog is displayed; the embedded item-ID lists decode to AppData\Local\Temp, the directory the sample was launched from, so they are noise rather than persistence. The HKLM\SOFTWARE\Classes\TypeLib and \WOW6432Node\CLSID entries are different: they register a "Tabular Data Control 1.1" type library backed by tdc.ocx and a class named "Imasi" with ProgID "PropertyEntry" served by activeds.dll, both legitimate Windows files, but under GUIDs that are not the ones Windows registers for those libraries and that differ from the GUIDs written in the Windows 7 run. Confirm against the binary whether the sample itself performs this registration before treating it as routine COM setup. The .key = "regfile" association matches the mapping Windows ships with for .key files.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ = "Imasi" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64\ = "C:\\Windows\\SysWow64\\tdc.ocx" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000a858c653120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbea858c653a958ae5e2e0000007ae10100000001000000000000000000000000000000d329c9004100700070004400610074006100000042000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000a858e45510004c6f63616c003c0009000400efbea858c653a958ae5e2e0000008de1010000000100000000000000000000000000000099fab8004c006f00630061006c00000014000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000a958ad5e100054656d7000003a0009000400efbea858c653a958ad5e2e0000008ee10100000001000000000000000000000000000000f3878e00540065006d007000000014000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1} C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0} C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32\ = "C:\\Windows\\SysWOW64\\tdc.ocx" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\ = "Tabular Data Control 1.1 Type Library" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib\ = "{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32\ = "%SystemRoot%\\SysWow64\\activeds.dll" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID\ = "PropertyEntry" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A

The report does not record the hook type or thread scope. A thread-local hook (for example WH_CALLWNDPROC or WH_GETMESSAGE on the process's own window) is routine for GUI frameworks; only a global WH_KEYBOARD or WH_KEYBOARD_LL hook would support a keylogging reading (ATT&CK T1056.004). The call arguments from an API trace are needed before weighting this signature.

Processes

C:\Users\Admin\AppData\Local\Temp\ASPack.exe

"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"

Network

The report does not attribute these flows to a process. DNS to 8.8.8.8 for g.bing.com and www.bing.com, the TLS connections to Bing endpoints and the reverse (in-addr.arpa) lookups are consistent with the Windows 10 image's own background traffic; nothing here is a contact the sample was shown to initiate, and the Windows 7 run (behavioral1) recorded no network activity at all. Treat these destinations as environment noise, not as indicators of compromise.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

No dropped or modified files were recorded; the entries below are memory dumps from PID 4364, the sample process. The two dumps of 0x400000-0x4BD000 (dump indexes 0 and 17) cover the sample's own image at the default 32-bit load base and are the ones to take for unpacking; the repeated 0x76C90000-0x76D80000 region lies where system DLLs are mapped in a 32-bit process.

memory/4364-0-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4364-2-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-1-0x0000000076CAF000-0x0000000076CB0000-memory.dmp

memory/4364-3-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-4-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-8-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-11-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-13-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-10-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-9-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-14-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-12-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-7-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-6-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-5-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-15-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-16-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-17-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4364-20-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-19-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-18-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-27-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-26-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-25-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-24-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-23-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-22-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-29-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-28-0x0000000076C90000-0x0000000076D80000-memory.dmp

memory/4364-30-0x0000000076C90000-0x0000000076D80000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 11:53

Reported

2024-05-09 11:55

Platform

win7-20231129-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A

The indicator behind this signature (ATT&CK T1542.003, Pre-OS Boot: Bootkit) is a handle to the raw disk device \??\PhysicalDrive0 opened with write access; the report records only the open, not a write to sector 0 or a change to the boot code. Opening the physical drive is also how software reads the disk vendor and serial for hardware fingerprinting, which fits the accompanying "Enumerates physical storage devices" signature. To confirm or rule out a real MBR write, image sector 0 of the analysis VM before and after detonation and compare the bootstrap code, disk signature and partition table.
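To confirm or rule out a real MBR write behind the PhysicalDrive0 indicator above, image sector 0 before and after detonation and compare the fields a bootkit has to touch. The following is an added example and not part of the sandbox output: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 0x55AA boot signature) and diffs two captures. The two sectors are constructed inline (a stub bootstrap and one NTFS partition); on a real analysis VM they would be the first 512 bytes read from \\.\PhysicalDrive0 before and after running the sample.

```python
"""Parse a 512-byte MBR and diff two captures of sector 0.

Added example for this report, not part of the sandbox output. The sector
images below are constructed inline; on a real analysis VM they would come
from reading the first 512 bytes of \\\\.\\PhysicalDrive0 (or a disk image)
before and after detonation.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # 4 x 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55AA


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    bootstrap_sha256: str
    disk_signature: int
    partitions: tuple
    boot_signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, size))
    return Mbr(
        bootstrap_sha256=hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        partitions=tuple(parts),
        boot_signature_ok=sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    )


def diff_mbr(before: bytes, after: bytes) -> list:
    """Return findings; an empty list means sector 0 is unchanged in every
    field a bootkit would need to modify."""
    a, b = parse_mbr(before), parse_mbr(after)
    findings = []
    if a.bootstrap_sha256 != b.bootstrap_sha256:
        findings.append("bootstrap code changed")
    if a.disk_signature != b.disk_signature:
        findings.append("disk signature changed")
    if a.partitions != b.partitions:
        findings.append("partition table changed")
    if not b.boot_signature_ok:
        findings.append("boot signature 0x55AA missing after detonation")
    return findings


def make_sector(bootstrap: bytes, disk_sig: int, parts) -> bytes:
    """Build a constructed test MBR (not taken from the sample)."""
    sec = bytearray(MBR_SIZE)
    stub = bootstrap[:BOOTSTRAP_LEN]
    sec[:len(stub)] = stub
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, size) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, ptype, lba, size)
    sec[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


# Constructed baseline: Windows-style bootstrap stub, one bootable NTFS partition.
BASELINE = make_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32,
                       0x1234ABCD, [(True, 0x07, 2048, 204800)])
# Constructed "after" image: bootstrap code overwritten (what a bootkit does),
# partition table and disk signature untouched.
TAMPERED = make_sector(b"\xEB\xFE" + b"\x00" * 38,
                       0x1234ABCD, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("unchanged:", diff_mbr(BASELINE, BASELINE))
    print("tampered :", diff_mbr(BASELINE, TAMPERED))
```

Reading sector 0 from the VM requires an administrative handle to the raw device; hashing only the first 440 bytes keeps the comparison insensitive to the disk signature, which Windows may rewrite on its own, so that field is compared separately.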

Enumerates physical storage devices

Modifies registry class

As in the Windows 10 run, the BagMRU/Bags rows are Explorer shellbag state for the AppData\Local\Temp folder the sample ran from. The COM registration here differs in every detail: a class named "Avaca" with the IMAPI2.MsftDiscFormat2TrackAtOnce ProgIDs served by imapi2.dll, and a "Microsoft ActiveMovie Control" type library backed by amcompat.tlb, under GUIDs {3AF96771-...} and {1A7C0DCB-...} that do not appear in the Windows 10 run. Legitimate installers register the same CLSIDs on every machine; registrations that change between runs should be checked against the binary.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000007d573388122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe7d5733887d5733882a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0} C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F} C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\ = "Microsoft ActiveMovie Control" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\ = "C:\\Windows\\SysWow64\\amcompat.tlb" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000a958aa5e102054656d700000360008000400efbe7d573388a958aa5e2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce.1" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000007d57c48b10204c6f63616c00380008000400efbe7d5733887d57c48b2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\ = "{1A7C0DCB-7E87-1C10-693A-00AF448E148F}" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ = "Avaca" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\ C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A
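For the "Modifies registry class" tables of both behavioral2 and behavioral1 above, the following added example (not part of the sandbox output) is a small triage script: it parses the flattened "Description Indicator Process Target" rows, separates Explorer shellbag state (BagMRU/Bags) from COM class, type-library and file-extension registrations, collects the default display name of each registered CLSID, and lists every InprocServer32 DLL with a flag for paths outside System32/SysWOW64, which is the COM-hijacking case. The rows embedded below are copied from this report; the last row is constructed to exercise the flag. The category names and the SYSTEM_DIRS list are this example's own assumptions.

```python
"""Triage 'Modifies registry class' rows from a sandbox report.

Added example, not part of the sandbox output. Parses the flattened
"Description Indicator Process Target" row format used in the report.
"""
import re
from collections import Counter

ROW = re.compile(
    r"^(?P<action>Key created|Set value \((?:str|data|int)\))\s+"
    r"(?P<key>\\REGISTRY\\.+?)"
    r"(?:\s+=\s+(?P<value>.*?))?"
    r"\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)

# Assumption for this example: only these directories count as "system".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_row(line):
    """Split one report row into action/key/value/process/target, or None."""
    m = ROW.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["value"] is not None:
        # The report quotes string values and doubles backslashes.
        d["value"] = d["value"].strip('"').replace("\\\\", "\\")
    return d


def classify(key):
    k = key.lower()
    if "\\shell\\bagmru" in k or "\\shell\\bags" in k:
        return "shellbag"        # Explorer folder view state: noise
    if "\\clsid\\{" in k:
        return "com_class"
    if "\\classes\\typelib\\{" in k:
        return "typelib"
    if re.search(r"\\classes\\\.[a-z0-9]+(\\|$)", k):
        return "file_extension"
    return "other"


def normalise_dll_path(value):
    """Expand %SystemRoot% and lower-case for the system-directory check."""
    return value.replace("%SystemRoot%", "C:\\Windows").lower()


def triage(lines):
    counts = Counter()
    servers = []   # (clsid, dll path, inside_system_dir)
    names = {}     # clsid -> default display name
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        cat = classify(row["key"])
        counts[cat] += 1
        if cat != "com_class":
            continue
        g = re.search(r"\{[0-9A-Fa-f-]{36}\}", row["key"])
        if not g:
            continue
        clsid, key = g.group(0), row["key"]
        if key.lower().endswith("\\inprocserver32\\") and row["value"]:
            path = normalise_dll_path(row["value"])
            servers.append((clsid, path, path.startswith(SYSTEM_DIRS)))
        elif key.endswith(clsid + "\\") and row["value"]:
            names[clsid] = row["value"]
    return {"counts": dict(counts), "servers": servers, "names": names}


def suspicious_servers(result):
    """InprocServer32 targets outside the Windows system directories."""
    return [s for s in result["servers"] if not s[2]]


REPORT_ROWS = [
    # Copied from behavioral2 (Windows 10 run):
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ = "Imasi" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32\ = "%SystemRoot%\\SysWow64\\activeds.dll" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\ = "Tabular Data Control 1.1 Type Library" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    # Copied from behavioral1 (Windows 7 run):
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ = "Avaca" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
    # Constructed row (not in the report): a COM server outside the system dirs.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\x.dll" C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A',
]

if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    print(result["counts"])
    print(result["names"])
    for clsid, path, ok in result["servers"]:
        print(("ok      " if ok else "SUSPECT ") + clsid + " -> " + path)
```

On the report's own rows every InprocServer32 target resolves under SysWOW64, so the script flags nothing; what it does surface is that the two runs register different CLSIDs with different display names, which is the observation to take back to the binary.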

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASPack.exe N/A

As on Windows 10, no hook type or scope is recorded, so this row alone does not distinguish a local message hook installed by a GUI framework from a global keyboard hook.

Processes

C:\Users\Admin\AppData\Local\Temp\ASPack.exe

"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"

Network

N/A

Files

Only memory dumps were recorded, here from PID 1372. Dumps 0 and 61 cover the sample image at 0x400000-0x4BD000, the same size as in the Windows 10 run; dump 60 is a separate 8 KB region at 0x48B0000-0x48B2000, and the remaining dumps are the 0x762E0000-0x763F0000 range where system DLLs are mapped in a 32-bit process.

memory/1372-0-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1372-1-0x00000000762F1000-0x00000000762F2000-memory.dmp

memory/1372-3-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-4-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-10-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-12-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-15-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-14-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-13-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-23-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-26-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-28-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-30-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-32-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-49-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-51-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-50-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-21-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-56-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-55-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-59-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-58-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-57-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-54-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-53-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-52-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-20-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-19-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-18-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-17-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-16-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-48-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-47-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-46-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-60-0x00000000048B0000-0x00000000048B2000-memory.dmp

memory/1372-45-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-44-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-43-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-42-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-41-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-40-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-39-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-38-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-37-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-36-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-35-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-34-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-33-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-31-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-29-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-27-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-25-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-24-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-22-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-11-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-9-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-8-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-7-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-6-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-5-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-2-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-61-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1372-64-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-63-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-62-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-65-0x00000000762E0000-0x00000000763F0000-memory.dmp

memory/1372-66-0x00000000762E0000-0x00000000763F0000-memory.dmp