Analysis Overview
SHA256
1df4d6648753095803f0fdffaffc39edfc908ffa66d4dca33a1b1d689175a3f0
Threat Level: Shows suspicious behavior
The file ASPack.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 11:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 11:53
Reported
2024-05-09 11:55
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
101s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ = "Imasi" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64\ = "C:\\Windows\\SysWow64\\tdc.ocx" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000a858c653120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbea858c653a958ae5e2e0000007ae10100000001000000000000000000000000000000d329c9004100700070004400610074006100000042000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000a858e45510004c6f63616c003c0009000400efbea858c653a958ae5e2e0000008de1010000000100000000000000000000000000000099fab8004c006f00630061006c00000014000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win64\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\Version\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000a958ad5e100054656d7000003a0009000400efbea858c653a958ad5e2e0000008ee10100000001000000000000000000000000000000f3878e00540065006d007000000014000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1} | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0} | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\0\win32\ = "C:\\Windows\\SysWOW64\\tdc.ocx" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\FLAGS\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1\ = "Tabular Data Control 1.1 Type Library" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\TypeLib\ = "{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\InprocServer32\ = "%SystemRoot%\\SysWow64\\activeds.dll" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BECC57F0-B4FF-44B6-3DB9-B9CD217ED7D1}\ProgID\ = "PropertyEntry" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1AE5BC9D-9290-21E5-E5C7-EBFC9F2012C0}\1.1 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ASPack.exe
"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4364-0-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4364-2-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-1-0x0000000076CAF000-0x0000000076CB0000-memory.dmp
memory/4364-3-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-4-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-8-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-11-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-13-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-10-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-9-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-14-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-12-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-7-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-6-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-5-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-15-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-16-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-17-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4364-20-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-19-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-18-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-27-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-26-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-25-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-24-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-23-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-22-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-29-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-28-0x0000000076C90000-0x0000000076D80000-memory.dmp
memory/4364-30-0x0000000076C90000-0x0000000076D80000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 11:53
Reported
2024-05-09 11:55
Platform
win7-20231129-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000007d573388122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe7d5733887d5733882a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0} | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F} | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\ = "Microsoft ActiveMovie Control" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\ = "C:\\Windows\\SysWow64\\amcompat.tlb" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000a958aa5e102054656d700000360008000400efbe7d573388a958aa5e2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce.1" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000007d57c48b10204c6f63616c00380008000400efbe7d5733887d57c48b2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\ = "{1A7C0DCB-7E87-1C10-693A-00AF448E148F}" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ = "Avaca" | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\ | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ASPack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ASPack.exe
"C:\Users\Admin\AppData\Local\Temp\ASPack.exe"
Network
Files
memory/1372-0-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1372-1-0x00000000762F1000-0x00000000762F2000-memory.dmp
memory/1372-3-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-4-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-10-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-12-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-15-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-14-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-13-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-23-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-26-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-28-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-30-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-32-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-49-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-51-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-50-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-21-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-56-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-55-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-59-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-58-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-57-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-54-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-53-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-52-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-20-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-19-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-18-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-17-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-16-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-48-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-47-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-46-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-60-0x00000000048B0000-0x00000000048B2000-memory.dmp
memory/1372-45-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-44-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-43-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-42-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-41-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-40-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-39-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-38-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-37-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-36-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-35-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-34-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-33-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-31-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-29-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-27-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-25-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-24-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-22-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-11-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-9-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-8-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-7-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-6-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-5-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-2-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-61-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1372-64-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-63-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-62-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-65-0x00000000762E0000-0x00000000763F0000-memory.dmp
memory/1372-66-0x00000000762E0000-0x00000000763F0000-memory.dmp