Malware Analysis Report

2025-08-05 17:36

Sample ID 241117-sljbfaxkbq
Target ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
Tags
aspackv2 discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017

Threat Level: Known bad

The file ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Modifies system executable filetype association

ASPack v2.12-2.42

Executes dropped EXE

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:12

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:12

Reported

2024-11-17 15:15

Platform

win7-20240729-en

Max time kernel

141s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" C:\Windows\SMSSlm.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSlm.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSlm.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SMSSlm.exe N/A
N/A N/A C:\Windows\SMSSlm.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSlm.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx C:\Windows\SMSSlm.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm C:\Windows\SMSSlm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\message.htm C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\SMSSlm.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\SMSSlm.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Keygen.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\SMSSlm.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM C:\Windows\SMSSlm.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\SMSSlm.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Keygen.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Keygen.exe C:\Windows\SMSSlm.exe N/A
File created C:\Windows\message.dat C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html C:\Windows\SMSSlm.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Keygen.exe C:\Windows\SMSSlm.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe C:\Windows\SMSSlm.exe N/A
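Reading the two file-drop tables above as an analyst: the sample copies itself to C:\Windows\SMSSlm.exe (the Files section below shows the dropped copy has the same SHA256 as the submitted sample) and writes a second, different binary to C:\Windows\svchost.exe, a name that legitimately exists only under System32/SysWOW64. The lure executables ("Halo Crack.exe", "Norton AntiVirus 2004 Crack.exe", and so on) go into C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}; that GUID is the shell CLSID for Control Panel, and Explorer opens a directory named <anything>.{CLSID} as that namespace object rather than as a folder, so a user browsing to it sees Control Panel while the files remain reachable by path and to any program that enumerates the directory. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the format printed above (a constructed subset of this report's rows is embedded as input) and tags each dropped path with the reasons it deserves attention. The CLSID table and the list of System32-only binaries are the author's own, not something the report states.

```python
import re
from collections import defaultdict

# Rows constructed from the "Drops file in Windows directory" and
# "Drops file in Program Files directory" tables of this report (subset).
SAMPLE_FILE_LINES = [
    r'File created C:\Windows\SMSSlm.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A',
    r'File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A',
    r'File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSlm.exe N/A',
    r'File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSlm.exe N/A',
    r'File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\SMSSlm.exe N/A',
    r'File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html C:\Windows\SMSSlm.exe N/A',
    r'File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSlm.exe N/A',
    r'File created C:\Windows\message.dat C:\Windows\SMSSlm.exe N/A',
    r'File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx C:\Windows\SMSSlm.exe N/A',
]

# One report row: operation, path (may contain spaces), acting process
# (no spaces in this report), target (always N/A here).
ROW = re.compile(r'^(?P<op>File created|File opened for modification) '
                 r'(?P<path>.+?) (?P<process>\S+) N/A$')

# Shell namespace CLSIDs abused in "<name>.{CLSID}" directory names
# (author's table). Explorer opens such a directory as the namespace
# object, so its contents are hidden in the GUI but reachable by path.
KNOWN_SHELL_CLSIDS = {
    '{21EC2020-3AEA-1069-A2DD-08002B30309D}': 'Control Panel',
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}': 'My Computer',
    '{645FF040-5081-101B-9F08-00AA002F954E}': 'Recycle Bin',
}
CLSID_DIR = re.compile(
    r'\.(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})(?=\\|$)', re.I)

# Core OS binaries that legitimately live only under System32/SysWOW64
# (author's list); the same name elsewhere is masquerading (T1036.005).
SYSTEM_BINARIES = {'svchost.exe', 'csrss.exe', 'lsass.exe', 'services.exe',
                   'winlogon.exe', 'smss.exe', 'wininit.exe'}
EXEC_EXT = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd'}
LURE_WORDS = re.compile(r'\b(crack|keygen|serial|patch)\b', re.I)
WINDIR_ROOT = re.compile(r'^[A-Z]:\\Windows\\[^\\]+$', re.I)


def parse_file_row(line):
    """Return {'op', 'path', 'process'} for one table row, or None."""
    m = ROW.match(line)
    return m.groupdict() if m else None


def clsid_folder_alias(path):
    """Shell object a CLSID-suffixed directory in `path` poses as, or None."""
    m = CLSID_DIR.search(path)
    if not m:
        return None
    return KNOWN_SHELL_CLSIDS.get(m.group(1).upper(), 'unknown CLSID')


def classify(path):
    """Yield (category, detail) tags for one dropped-file path."""
    parent, _, name = path.rpartition('\\')
    ext = name.lower().rsplit('.', 1)[-1] if '.' in name else ''
    alias = clsid_folder_alias(path)
    if alias:
        yield 'clsid-folder', alias
    if (name.lower() in SYSTEM_BINARIES and
            not parent.lower().endswith(('\\windows\\system32', '\\windows\\syswow64'))):
        yield 'masquerade', f'{name} outside System32'
    if ext in EXEC_EXT and LURE_WORDS.search(name):
        yield 'lure-exe', name
    if ext in EXEC_EXT and WINDIR_ROOT.match(path):
        yield 'windir-root-exe', name


def triage_file_rows(lines):
    """Group unique flagged paths by category: {category: sorted paths}."""
    out = defaultdict(set)
    for row in filter(None, map(parse_file_row, lines)):
        for category, _detail in classify(row['path']):
            out[category].add(row['path'])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    for category, paths in sorted(triage_file_rows(SAMPLE_FILE_LINES).items()):
        print(category)
        for p in paths:
            print('   ', p)
```

Paths that were both created and later opened for modification collapse to one entry per category, which is what a hunt query against EDR file-event telemetry needs; the Office template files under C:\PROGRA~2 are deliberately left untagged, since opening them is noise relative to the writes in the Windows directory.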

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SMSSlm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0 C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources C:\Windows\SMSSlm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\SMSSlm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007000d9290339db01 C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Windows\SMSSlm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 C:\Windows\SMSSlm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 C:\Windows\SMSSlm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared C:\Windows\SMSSlm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared\OfficeUILanguage = "1033" C:\Windows\SMSSlm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Windows\SMSSlm.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
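The registry rows in the persistence and "Modifies registry class" tables above describe three hooks that outlive the original process: Winlogon\Shell set to "Explorer.exe SMSSlm.exe" starts the dropped copy next to Explorer at every logon, the Run value "Service Host" starts it again, and rewriting the (Default) open\command of exefile, comfile, batfile, cmdfile, piffile and scrfile to "C:\Windows\svchost.exe "%1" %*" routes every shell launch of those file types through the dropped svchost.exe first. That last hook matters for clean-up: deleting C:\Windows\svchost.exe before the associations are restored leaves every .exe un-launchable through the shell, so the handlers must be reset to their stock values (""%1" %*", and ""%1" /S" for scrfile) before the binary is removed. The following is an added example, not code from the sandbox or its vendor: it parses rows in the format the tables above use (a constructed subset of this report's rows plus one benign control row is embedded), compares each value against the stock default, and maps the deviations to ATT&CK technique IDs; the defaults table and technique mapping are the author's, not stated by the report.

```python
import re

# Registry indicator rows copied from the signature tables of this report.
# The last row is constructed: it shows the stock exefile handler, which
# the assessment must NOT flag.
SAMPLE_REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" C:\Windows\SMSSlm.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSlm.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSlm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSlm.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SMSSlm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SMSSlm.exe N/A',
]

# One report row: operation, optional "(type)", key path, optional "= value",
# acting process, target (always N/A here). Key paths may contain spaces
# ("Windows NT", "Service Host"); process paths in this report do not.
ROW = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = (?P<value>"(?:[^"\\]|\\.)*"|\S+))?'
    r' (?P<process>\S+) N/A$'
)

# Stock (Default) open\command handlers on Windows 7 for the classes the
# sample rewrites (author's table). Anything else means every launch of
# that file type is routed through the attacker's binary first.
DEFAULT_OPEN_COMMAND = {
    'exefile': '"%1" %*', 'comfile': '"%1" %*', 'batfile': '"%1" %*',
    'cmdfile': '"%1" %*', 'piffile': '"%1" %*', 'scrfile': '"%1" /S',
}
CLASS_CMD = re.compile(r'\\Classes\\(?P<cls>\w+)\\shell\\open\\command\\?$', re.I)


def parse_registry_row(line):
    """Return a dict for one indicator row, or None if it is not one."""
    m = ROW.match(line)
    if not m:
        return None
    value = m.group('value')
    if value is not None and value.startswith('"'):
        # The sandbox escapes backslashes and quotes inside string values.
        value = re.sub(r'\\(.)', r'\1', value[1:-1])
    op = m.group('op')
    return {
        'op': 'set' if op.startswith('Set') else op.split()[1],  # set/created/opened
        'vtype': m.group('vtype'),
        'path': m.group('path'),
        'value': value,
        'process': m.group('process'),
    }


def assess(entries):
    """Map parsed rows to ATT&CK techniques; returns [(technique, note)]."""
    findings = []
    for e in entries:
        path, value, low = e['path'], e['value'], e['path'].lower()
        cls = CLASS_CMD.search(path)
        if e['op'] == 'set' and low.endswith('\\winlogon\\shell'):
            if value.strip().lower() != 'explorer.exe':
                findings.append(('T1547.004', f'Winlogon Shell replaced with {value!r}'))
        elif e['op'] == 'set' and cls:
            name = cls.group('cls').lower()
            expected = DEFAULT_OPEN_COMMAND.get(name)
            if expected is not None and value != expected:
                findings.append(('T1546.001', f'{name} open handler hijacked: {value}'))
        elif e['op'] == 'set' and '\\currentversion\\run\\' in low:
            entry = path.rsplit('\\', 1)[-1]
            findings.append(('T1547.001', f'Run entry {entry!r} -> {value}'))
        elif low.endswith('\\policies\\system\\disableregistrytools') and value == '1':
            findings.append(('T1562.001', 'Registry Editor disabled for the user'))
        elif low.endswith('\\explorer\\advanced\\showsuperhidden') and value == '0':
            findings.append(('T1564.001', 'protected OS files hidden in Explorer'))
        elif low.endswith('\\control\\nls\\language'):
            findings.append(('T1614.001', 'system language queried'))
    return findings


def triage(lines):
    """Parse raw report rows and assess them in one step."""
    return assess([r for r in map(parse_registry_row, lines) if r])


if __name__ == '__main__':
    for technique, note in triage(SAMPLE_REGISTRY_LINES):
        print(technique, note)
```

Comparing against the stock handler rather than pattern-matching on "svchost" is deliberate: a future variant can name its interposer anything, but the (Default) value of exefile\shell\open\command has exactly one legitimate form, so any deviation is a finding. The same comparison is what a host-side check should do before remediation, and it is why the constructed control row (the stock handler) produces no finding.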

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SMSSlm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

C:\Windows\SMSSlm.exe

"C:\Windows\SMSSlm.exe" -xInstallOurNiceServicesYes

C:\Windows\SMSSlm.exe

C:\Windows\SMSSlm.exe -xStartOurNiceServicesYes

Network

N/A

Files

C:\Windows\SMSSlm.exe

MD5 4a76a4e930bec401bea9deb37512c9e0
SHA1 ddd938da715326a366b97d800698edac2fae4749
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
SHA512 db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200

memory/1156-10-0x0000000000400000-0x000000000051F000-memory.dmp

C:\Windows\svchost.exe

MD5 4c0f811440f10527601a6e7a7b99833e
SHA1 58057ca967d63250ae3b0888a6f01ec5da031bca
SHA256 17f0d109fd57d3ce2a21e5c541ebb9e66c441c25892e875f609bb6648bb15728
SHA512 2dfb5bbfca13fca4fb22c28a623795b7c4ddc89e6bde24ff2dcac3418fbc13949fa02779e529d6654dd94ec256a199a140b0d56daa971a3cdaf16b721ace01d6

memory/2004-27-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-28-0x0000000000400000-0x000000000051F000-memory.dmp

C:\Windows\Temp\tYtHgdna.UbK\message.htm

MD5 84b61b37074a65e5aa03f387be522d59
SHA1 02f623ef7a8be858b7921a173c2ec53635b879cb
SHA256 6f585632c22adfaf37952a7adcef260014f72bfdcb69e729ca568e6fb6691f3b
SHA512 264b390be497ff44deec22f081cc772d57c5f85c8d6ecbf08f04a2ae3ecf3b86a83c30085cd32ff99d445a9bf76c106a7f308c3b631afed8427c1d70d70948a1

C:\Windows\message.dat

MD5 3500da4b2317ad36ceeae88ebba98f47
SHA1 16303f881930b076717c6ca78ddcc9fcb8891901
SHA256 4e2398f6744cb560a9c848604fc2c51695702e6f746435245fcd0f5a3313a0ba
SHA512 bdb2b4e5ceff9bedeb68c403095fa7f6830eff2e314577e7fc75649d86b6eb596c23bd070b3177749963904b6268e429cd6a667fc3b9b8d3bec42cd64ea3f29f

memory/2004-52-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-69-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-150-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-151-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-257-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-258-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-355-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-356-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-398-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-399-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-400-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-401-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-402-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-404-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-406-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-407-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-408-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-410-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-412-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2004-436-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2180-437-0x0000000000400000-0x000000000051F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:12

Reported

2024-11-17 15:15

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" C:\Windows\spoolug.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" C:\Windows\spoolug.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\spoolug.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\spoolug.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\spoolug.exe N/A
N/A N/A C:\Windows\spoolug.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolug.exe" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File created C:\Windows\spoolug.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\spoolug.exe N/A
File created C:\Windows\message.dat C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\spoolug.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\spoolug.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\spoolug.exe N/A
File created C:\Windows\spoolug.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\spoolug.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe C:\Windows\spoolug.exe N/A
File created C:\Windows\spoolug.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File opened for modification C:\Windows\spoolug.exe C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
File created C:\Windows\message.htm C:\Windows\spoolug.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe C:\Windows\spoolug.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe C:\Windows\spoolug.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe C:\Windows\spoolug.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\spoolug.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\spoolug.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\spoolug.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000069568a3f0339db01 C:\Windows\spoolug.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\spoolug.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\spoolug.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Windows\spoolug.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\spoolug.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\spoolug.exe N/A
N/A N/A C:\Windows\spoolug.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe

"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"

C:\Windows\spoolug.exe

"C:\Windows\spoolug.exe" -xInstallOurNiceServicesYes

C:\Windows\spoolug.exe

C:\Windows\spoolug.exe -xStartOurNiceServicesYes

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 news.savvis.net udp
US 8.8.8.8:53 news.corvis.ru udp
FR 176.31.176.81:119 news.corvis.ru tcp

Files

C:\Windows\spoolug.exe

MD5 4a76a4e930bec401bea9deb37512c9e0
SHA1 ddd938da715326a366b97d800698edac2fae4749
SHA256 ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
SHA512 db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200

memory/3216-7-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4168-26-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-25-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-27-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-29-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-31-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-33-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4168-34-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-35-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-38-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-40-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-44-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4168-45-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-46-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-48-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4168-49-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-50-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4168-51-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-52-0x0000000000400000-0x000000000051F000-memory.dmp

memory/4504-54-0x0000000000400000-0x000000000051F000-memory.dmp