Analysis Overview
SHA256
ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
Threat Level: Known bad
The file ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Modifies system executable filetype association
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 15:12
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 15:12
Reported
2024-11-17 15:15
Platform
win7-20240729-en
Max time kernel
141s
Max time network
21s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSlm.exe" | C:\Windows\SMSSlm.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSlm.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSlm.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SMSSlm.exe | N/A |
| N/A | N/A | C:\Windows\SMSSlm.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSlm.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm | C:\Windows\SMSSlm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\SMSSlm.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NHL 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\SMSSlm.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\SMSSlm.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\SMSSlm.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSlm.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe | C:\Windows\SMSSlm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSlm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0 | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSlm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\SMSSlm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007000d9290339db01 | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\SMSSlm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 | C:\Windows\SMSSlm.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 | C:\Windows\SMSSlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared | C:\Windows\SMSSlm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared\OfficeUILanguage = "1033" | C:\Windows\SMSSlm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | C:\Windows\SMSSlm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSlm.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSlm.exe |
| PID 2004 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSlm.exe |
| PID 2004 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSlm.exe |
| PID 2004 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSlm.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"
C:\Windows\SMSSlm.exe
"C:\Windows\SMSSlm.exe" -xInstallOurNiceServicesYes
C:\Windows\SMSSlm.exe
C:\Windows\SMSSlm.exe -xStartOurNiceServicesYes
Network
Files
C:\Windows\SMSSlm.exe
| MD5 | 4a76a4e930bec401bea9deb37512c9e0 |
| SHA1 | ddd938da715326a366b97d800698edac2fae4749 |
| SHA256 | ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017 |
| SHA512 | db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200 |
memory/1156-10-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Windows\svchost.exe
| MD5 | 4c0f811440f10527601a6e7a7b99833e |
| SHA1 | 58057ca967d63250ae3b0888a6f01ec5da031bca |
| SHA256 | 17f0d109fd57d3ce2a21e5c541ebb9e66c441c25892e875f609bb6648bb15728 |
| SHA512 | 2dfb5bbfca13fca4fb22c28a623795b7c4ddc89e6bde24ff2dcac3418fbc13949fa02779e529d6654dd94ec256a199a140b0d56daa971a3cdaf16b721ace01d6 |
memory/2004-27-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-28-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Windows\Temp\tYtHgdna.UbK\message.htm
| MD5 | 84b61b37074a65e5aa03f387be522d59 |
| SHA1 | 02f623ef7a8be858b7921a173c2ec53635b879cb |
| SHA256 | 6f585632c22adfaf37952a7adcef260014f72bfdcb69e729ca568e6fb6691f3b |
| SHA512 | 264b390be497ff44deec22f081cc772d57c5f85c8d6ecbf08f04a2ae3ecf3b86a83c30085cd32ff99d445a9bf76c106a7f308c3b631afed8427c1d70d70948a1 |
C:\Windows\message.dat
| MD5 | 3500da4b2317ad36ceeae88ebba98f47 |
| SHA1 | 16303f881930b076717c6ca78ddcc9fcb8891901 |
| SHA256 | 4e2398f6744cb560a9c848604fc2c51695702e6f746435245fcd0f5a3313a0ba |
| SHA512 | bdb2b4e5ceff9bedeb68c403095fa7f6830eff2e314577e7fc75649d86b6eb596c23bd070b3177749963904b6268e429cd6a667fc3b9b8d3bec42cd64ea3f29f |
memory/2004-52-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-69-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-150-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-151-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-257-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-258-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-355-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-356-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-398-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-399-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-400-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-401-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-402-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-404-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-406-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-407-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-408-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-410-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-412-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2004-436-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2180-437-0x0000000000400000-0x000000000051F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 15:12
Reported
2024-11-17 15:15
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" | C:\Windows\spoolug.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolug.exe" | C:\Windows\spoolug.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\spoolug.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\spoolug.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\spoolug.exe | N/A |
| N/A | N/A | C:\Windows\spoolug.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolug.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\spoolug.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\spoolug.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\spoolug.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\spoolug.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\spoolug.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe | C:\Windows\spoolug.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe | C:\Windows\spoolug.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolug.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolug.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\spoolug.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000069568a3f0339db01 | C:\Windows\spoolug.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\spoolug.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\spoolug.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\spoolug.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\spoolug.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\spoolug.exe | N/A |
| N/A | N/A | C:\Windows\spoolug.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4504 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolug.exe |
| PID 4504 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolug.exe |
| PID 4504 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolug.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"
C:\Windows\spoolug.exe
"C:\Windows\spoolug.exe" -xInstallOurNiceServicesYes
C:\Windows\spoolug.exe
C:\Windows\spoolug.exe -xStartOurNiceServicesYes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | news.savvis.net | udp |
| US | 8.8.8.8:53 | news.corvis.ru | udp |
| FR | 176.31.176.81:119 | news.corvis.ru | tcp |
Files
C:\Windows\spoolug.exe
| MD5 | 4a76a4e930bec401bea9deb37512c9e0 |
| SHA1 | ddd938da715326a366b97d800698edac2fae4749 |
| SHA256 | ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017 |
| SHA512 | db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200 |
memory/3216-7-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4168-26-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-25-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-27-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-29-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-31-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-33-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4168-34-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-35-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-38-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-40-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-44-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4168-45-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-46-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-48-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4168-49-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-50-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4168-51-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-52-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4504-54-0x0000000000400000-0x000000000051F000-memory.dmp