Malware Analysis Report

2025-08-05 18:14

Sample ID 241117-sf4p7a1qht
Target ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
Tags
aspackv2 discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017

Threat Level: Known bad

The file ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Executes dropped EXE

ASPack v2.12-2.42

Modifies system executable filetype association

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:04

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:04

Reported

2024-11-17 15:07

Platform

win7-20240729-en

Max time kernel

119s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Windows\SMSSox.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSox.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSox.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SMSSox.exe | N/A
N/A | N/A | C:\Windows\SMSSox.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSox.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\SMSSox.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\message.dat | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\SMSSox.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\SMSSox.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
File created | C:\Windows\message.htm | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\SMSSox.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html | C:\Windows\SMSSox.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0 | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSox.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSox.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSox.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f08b7d160239db01 | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office | C:\Windows\SMSSox.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 | C:\Windows\SMSSox.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSox.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" | C:\Windows\SMSSox.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" | C:\Windows\SMSSox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SMSSox.exe | N/A
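The registry and file events tabulated above are what a responder would want to pull out of a raw event list automatically: the Winlogon Shell rewritten to "Explorer.exe SMSSox.exe", ShowSuperHidden forced to 0, DisableRegistryTools set to 1, the open command of exefile/batfile/comfile/cmdfile/piffile/scrfile redirected to C:\Windows\svchost.exe, the Run value "Service Host", and the lure files dropped into C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}. Four points the report's rows support but do not spell out: the hijacked open commands point at C:\Windows\svchost.exe, a file this sample creates itself (see the Windows-directory drops), not the genuine C:\Windows\System32\svchost.exe, so every later launch of an .exe, .bat, .com, .cmd, .pif or .scr passes through the dropper; ShowSuperHidden = 0 is Explorer's default, so that write matters because of which process made it, not because the value is unusual; the folder suffix {21EC2020-3AEA-1069-A2DD-08002B30309D} is the shell's Control Panel CLSID, so Explorer opens the folder as Control Panel and hides the dropped files; and the Winlogon and Run writes are logged under Wow6432Node, i.e. made through WOW64 redirection by a 32-bit process, so on a 64-bit host both the native key and the Wow6432Node copy need checking. The Python below is an added example written for this page, not sandbox output and not code from the sample. It re-enters a subset of the rows above as constructed input in a "description | indicator | process" layout (the submitted file's long name is shortened to sample.exe), parses each row, and maps it to the technique it indicates. The rule names, ATT&CK IDs and the SYSTEM_NAMES list are the editor's assumptions, not the sandbox's taxonomy.

```python
"""Triage rules for the registry and file events tabulated in this report.

Added example for this page, not sandbox output and not code from the sample.
Input rows are re-entered from the behavioral1 tables in a
'description | indicator | process' layout (constructed input; the submitted
file's long name is shortened to sample.exe). Rule names, ATT&CK mappings and
SYSTEM_NAMES are the editor's assumptions, not the sandbox's taxonomy.
"""
import re

# Constructed from the report's own rows; backslashes and quotes inside the
# registry values are kept C-escaped exactly as the sandbox printed them.
EVENTS = r"""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Windows\SMSSox.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSox.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\sample.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\sample.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\sample.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSox.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe
File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSox.exe
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\sample.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSox.exe
"""

# Stock open commands for the classes the sample rewrites (Windows defaults).
DEFAULT_OPEN_COMMAND = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "comfile": '"%1" %*',
    "cmdfile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}
# Names a file dropped directly in C:\Windows may borrow from real system
# binaries that live in System32 (editor's list, extend as needed).
SYSTEM_NAMES = {"svchost.exe", "smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
ASSOC_KEY = re.compile(r"\\classes\\([a-z]+file)\\shell\\open\\command\\?$", re.I)
CLSID_DIR = re.compile(r"\\\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
LURE_NAME = re.compile(r"\b(crack|keygen)\.exe$", re.I)


def parse_event(line):
    """Split one row into (description, key or path, value or None, process)."""
    desc, indicator, proc = (p.strip() for p in line.split(" | ", 2))
    key, sep, raw = indicator.partition(" = ")
    value = None
    if sep:
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # the sandbox prints strings C-escaped: \" for a quote, \\ for a backslash
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return desc, key, value, proc


def command_binary(cmd):
    """Executable token of a shell open command, honouring a leading quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def classify(desc, key, value, proc):
    """Yield (technique, detail) pairs for one event; nothing for benign rows."""
    k = key.lower()
    name = key.rsplit("\\", 1)[-1]
    if value is not None and k.endswith("\\winlogon\\shell") and value.lower() != "explorer.exe":
        yield "T1547.004 Winlogon Shell", f"Shell = {value} (expected explorer.exe)"
    if value is not None and "\\currentversion\\run\\" in k:
        yield "T1547.001 Run key", f"{name} -> {value}"
    if value == "0" and k.endswith("\\showsuperhidden"):
        # 0 is the Explorer default; the signal is a non-Explorer writer
        yield "T1564.001 hide system files", f"{name} = 0 written by {proc}"
    if value == "1" and k.endswith("\\disableregistrytools"):
        yield "T1112 disable regedit", f"{name} = 1"
    m = ASSOC_KEY.search(key)
    if m and value is not None and value != DEFAULT_OPEN_COMMAND.get(m.group(1).lower()):
        yield "T1546.001 file association hijack", f"{m.group(1).lower()} -> {value}"
        exe = command_binary(value)
        if not exe.lower().startswith("c:\\windows\\system32\\"):
            yield "T1036.005 masquerading", f"{exe} is outside System32"
    if desc.startswith("File"):
        if CLSID_DIR.search(key):
            yield "T1564.001 CLSID-named folder", key
        if LURE_NAME.search(name):
            yield "lure filename", name
        if key.rsplit("\\", 1)[0].lower() == "c:\\windows" and name.lower() in SYSTEM_NAMES:
            yield "T1036.005 masquerading", f"{key} created in C:\\Windows, not System32"
    if desc.startswith("Key opened") and k.endswith("\\nls\\language"):
        yield "T1614.001 system language discovery", key


def triage(events=EVENTS):
    """Run every rule over every row; returns [(technique, detail, process), ...]."""
    findings = []
    for line in events.strip().splitlines():
        desc, key, value, proc = parse_event(line)
        for technique, detail in classify(desc, key, value, proc):
            findings.append((technique, detail, proc))
    return findings


if __name__ == "__main__":
    for technique, detail, proc in triage():
        print(f"{technique:40} {proc:45} {detail}")
```

Run against the ten constructed rows, triage() returns twelve findings: one each for the Winlogon Shell, ShowSuperHidden, DisableRegistryTools, Run key and language-key rows, two for each hijacked association (the hijack itself plus the out-of-System32 interpreter), two for the CLSID-folder drop (hidden folder plus lure name) and one for C:\Windows\svchost.exe. The "Key created" row for exefile produces nothing on purpose: creating the key is not yet a change, and firing on it would double-count the Set value row that follows. To feed a real export instead of the constructed rows, keep the same three-column layout and pass the text to triage(); the value unescaping assumes the sandbox's C-style quoting seen in the tables above.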

Processes

C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

C:\Windows\SMSSox.exe

"C:\Windows\SMSSox.exe" -xInstallOurNiceServicesYes

C:\Windows\SMSSox.exe

C:\Windows\SMSSox.exe -xStartOurNiceServicesYes

Network

N/A

Files

C:\Windows\SMSSox.exe

MD5 4a76a4e930bec401bea9deb37512c9e0
SHA1 ddd938da715326a366b97d800698edac2fae4749
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
SHA512 db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200

C:\Windows\Temp\nlFGnxAT.iHy\message.htm

MD5 84b61b37074a65e5aa03f387be522d59
SHA1 02f623ef7a8be858b7921a173c2ec53635b879cb
SHA256 6f585632c22adfaf37952a7adcef260014f72bfdcb69e729ca568e6fb6691f3b
SHA512 264b390be497ff44deec22f081cc772d57c5f85c8d6ecbf08f04a2ae3ecf3b86a83c30085cd32ff99d445a9bf76c106a7f308c3b631afed8427c1d70d70948a1

C:\Windows\message.dat

MD5 3500da4b2317ad36ceeae88ebba98f47
SHA1 16303f881930b076717c6ca78ddcc9fcb8891901
SHA256 4e2398f6744cb560a9c848604fc2c51695702e6f746435245fcd0f5a3313a0ba
SHA512 bdb2b4e5ceff9bedeb68c403095fa7f6830eff2e314577e7fc75649d86b6eb596c23bd070b3177749963904b6268e429cd6a667fc3b9b8d3bec42cd64ea3f29f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:04

Reported

2024-11-17 15:07

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" C:\Windows\spoolun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" C:\Windows\spoolun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\spoolun.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\spoolun.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\spoolun.exe N/A
N/A N/A C:\Windows\spoolun.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolun.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\message.dat C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\spoolun.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\message.htm C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\spoolun.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File created C:\Windows\spoolun.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\spoolun.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe C:\Windows\spoolun.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\spoolun.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\spoolun.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\spoolun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\spoolun.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\spoolun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\spoolun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\spoolun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" C:\Windows\spoolun.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e69af5170239db01 C:\Windows\spoolun.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\spoolun.exe N/A
N/A N/A C:\Windows\spoolun.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

C:\Windows\spoolun.exe

"C:\Windows\spoolun.exe" -xInstallOurNiceServicesYes

C:\Windows\spoolun.exe

C:\Windows\spoolun.exe -xStartOurNiceServicesYes

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\Windows\spoolun.exe

MD5 4a76a4e930bec401bea9deb37512c9e0
SHA1 ddd938da715326a366b97d800698edac2fae4749
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
SHA512 db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200
