Trojan.DownLoader26.2600

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\ampa] 'ImagePath' = '<SYSTEM32>\ampa.sys'

Modifies file system:

Creates the following files:

%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\x86_Microsoft.VC80.CRT@8.0.50727.762.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen64.exe_0x786aaa59fc273e0a0d2d6a1b21af2025.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SSDSecurityErase.dll_0x808dc8e93eb8eb428c20d2f3999de244.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen32.exe_0xdff084a7451d4d7b1adae34d578d781b.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x1fa3b13683a010c94de6cd1dc462dc9d.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x56643a64937901fefcdfd64cb5b00a30.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xd620418b13aedfc8a6fc942c08babdfd.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xdc67840cce7415643dbed358d34ee961.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xd76e9cf4549de45cd5cf74723277dca1.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\unins000.exe_0x6b8f1b91cdd063699399d701a6e82c64.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xabca4a4eaab3b1cda3395ece95a7d5c6.2.manifest.__tmp__
<Current directory>\Data\roaming\modified\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\log\ampa0.log
<Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe.__tmp__
<Current directory>\Data\roaming\modified\@SYSWOW64@\ampa.sys
<Current directory>\Data\local\temp\@SYSWOW64@\ampa.sys
<Current directory>\Data\roaming\meta\@SYSWOW64@\ampa.sys.__meta__.__tmp__
%WINDIR%\ampa.exe
<SYSTEM32>\ampa.sys
<Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe.manifest.__tmp__
<Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe.manifest.__tmp__
<Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\x86_Microsoft.VC80.MFC@8.0.50727.762.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest.__tmp__
<Current directory>\Data\roaming\meta\@WINDIR@\ampa.exe.__meta__.__tmp__
<Current directory>\Data\roaming\modified\@WINDIR@\ampa.exe
<Current directory>\Data\local\temp\@WINDIR@\ampa.exe
<Current directory>\Data\local\temp\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini
<Current directory>\Data\roaming\meta\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini.__meta__.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0xd748929b29daa555f5bf0454c0e0b707.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0x94294c3d1c41e6207c7e5d0cd0f80b2f.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0xc78d8faa496f82160d221ef2056fbdec.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x5a18f046b54ed6691f219da8b7fc7065.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x2077dc04b4f532cfc930696bfcc46334.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\amd64_Microsoft.VC80.CRT@8.0.50727.762.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest.__tmp__
<Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe.manifest.__tmp__
<Current directory>\Data\xsandbox.bin.__tmp__
<Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\amd64_Microsoft.VC80.MFC@8.0.50727.762.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0xa72dde00d763aeef1eb04534f8672967.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x7dc52d085a05db8a72fed96bb342412b.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0x541423a06efdcd4e4554c719061f82cf.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0x21ee912784a013dc44071ecc4f932388.1000.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0xccc2e312486ae6b80970211da472268b.1000.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x5d3c69a936af380ec54a611fcdc4637e.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0x034e8863d97bddaff9db2a178b6695fc.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x38b98176c5ffce2073a035c4fd595c3a.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x97b859f11538bbe20f17dfb9c0979a1c.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Ntfs2Fat32.exe_0xc1a93bba7976c7581ce054aa4cfb7b67.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0xccf8272044920fb76bfcfa8ae2a2d850.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Help.exe_0x3d62b7d3079341e59e1c776035e7b3a9.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0x8619d813f8ffe440c1e2c13a838437d7.2.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\DyndiskConverter.exe_0xfea6bc6df7a348c31456a150b993d4d6.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\EPW.exe_0x722680ebe0408684843c14081bcc07d8.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x1b7524806d0270b81360c63a2fa047cb.1000.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x9173f70af60c0a864eecdfb3342dc789.1000.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_x64.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\loaddrv.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_Win32.exe_0x54386df19aa88572e10421917bc8c2f7.1.manifest.__tmp__

Deletes the following files:

<Current directory>\Data\roaming\modified\@SYSWOW64@\ampa.sys
<Current directory>\Data\roaming\meta\@SYSWOW64@\ampa.sys.__meta__
<Current directory>\Data\roaming\modified\@WINDIR@\ampa.exe
<Current directory>\Data\roaming\meta\@WINDIR@\ampa.exe.__meta__

Moves the following files:

from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xdc67840cce7415643dbed358d34ee961.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xdc67840cce7415643dbed358d34ee961.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xd76e9cf4549de45cd5cf74723277dca1.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xd76e9cf4549de45cd5cf74723277dca1.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xd620418b13aedfc8a6fc942c08babdfd.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Winchk.exe_0xd620418b13aedfc8a6fc942c08babdfd.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xabca4a4eaab3b1cda3395ece95a7d5c6.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\WimMgr.dll_0xabca4a4eaab3b1cda3395ece95a7d5c6.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0xd748929b29daa555f5bf0454c0e0b707.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0xd748929b29daa555f5bf0454c0e0b707.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x1fa3b13683a010c94de6cd1dc462dc9d.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x1fa3b13683a010c94de6cd1dc462dc9d.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x5d3c69a936af380ec54a611fcdc4637e.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x5d3c69a936af380ec54a611fcdc4637e.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0x034e8863d97bddaff9db2a178b6695fc.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PE.dll_0x034e8863d97bddaff9db2a178b6695fc.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x56643a64937901fefcdfd64cb5b00a30.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\ScanPartition.dll_0x56643a64937901fefcdfd64cb5b00a30.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SSDSecurityErase.dll_0x808dc8e93eb8eb428c20d2f3999de244.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SSDSecurityErase.dll_0x808dc8e93eb8eb428c20d2f3999de244.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\unins000.exe_0x6b8f1b91cdd063699399d701a6e82c64.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\unins000.exe_0x6b8f1b91cdd063699399d701a6e82c64.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen32.exe_0xdff084a7451d4d7b1adae34d578d781b.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen32.exe_0xdff084a7451d4d7b1adae34d578d781b.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen64.exe_0x786aaa59fc273e0a0d2d6a1b21af2025.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\SetupGreen64.exe_0x786aaa59fc273e0a0d2d6a1b21af2025.1.manifest
from <Current directory>\Data\roaming\meta\@WINDIR@\ampa.exe.__meta__.__tmp__ to <Current directory>\Data\roaming\meta\@WINDIR@\ampa.exe.__meta__
from <Current directory>\Data\local\temp\@SYSWOW64@\ampa.sys to <Current directory>\Data\roaming\modified\@SYSWOW64@\ampa.sys
from <Current directory>\Data\roaming\meta\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini.__meta__.__tmp__ to <Current directory>\Data\roaming\meta\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini.__meta__
from <Current directory>\Data\local\temp\@WINDIR@\ampa.exe to <Current directory>\Data\roaming\modified\@WINDIR@\ampa.exe
from <Current directory>\Data\roaming\meta\@SYSWOW64@\ampa.sys.__meta__.__tmp__ to <Current directory>\Data\roaming\meta\@SYSWOW64@\ampa.sys.__meta__
from <Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe.__tmp__ to <Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe
from <Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe.manifest.__tmp__ to <Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe.manifest
from <Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe.__tmp__ to <Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe
from <Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe.manifest.__tmp__ to <Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe.manifest
from <Current directory>\Data\local\temp\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini to <Current directory>\Data\roaming\modified\@PROGRAMFILESX86@\AOMEI Partition Assistant Unlimited Edition 6.6\language.ini
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\x86_Microsoft.VC80.CRT@8.0.50727.762.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.CRT@8.0.50727.762\x86_Microsoft.VC80.CRT@8.0.50727.762.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\x86_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\x86_Microsoft.VC80.MFC@8.0.50727.762.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\x86_Microsoft.VC80.MFC@8.0.50727.762\x86_Microsoft.VC80.MFC@8.0.50727.762.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80u.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\Microsoft.VC80.MFC.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80u.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfcm80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x5a18f046b54ed6691f219da8b7fc7065.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x5a18f046b54ed6691f219da8b7fc7065.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0x94294c3d1c41e6207c7e5d0cd0f80b2f.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0x94294c3d1c41e6207c7e5d0cd0f80b2f.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.Windows.OSLoader.BcdBoot@5.1.0.0\Microsoft.Windows.OSLoader.BcdBoot.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x2077dc04b4f532cfc930696bfcc46334.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\AMBooter.exe_0x2077dc04b4f532cfc930696bfcc46334.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\mfc80.dll
from <Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe.manifest.__tmp__ to <Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\amd64_Microsoft.VC80.CRT@8.0.50727.762.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\amd64_Microsoft.VC80.CRT@8.0.50727.762.manifest
from <Current directory>\Data\xsandbox.bin.__tmp__ to <Current directory>\Data\xsandbox.bin
from <Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe.__tmp__ to <Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\Microsoft.VC80.CRT.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcr80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\amd64_Microsoft.VC80.MFC@8.0.50727.762.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.MFC@8.0.50727.762\amd64_Microsoft.VC80.MFC@8.0.50727.762.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcm80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\amd64_Microsoft.VC80.CRT@8.0.50727.762\msvcp80.dll
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0xccc2e312486ae6b80970211da472268b.1000.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0xccc2e312486ae6b80970211da472268b.1000.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0x541423a06efdcd4e4554c719061f82cf.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0x541423a06efdcd4e4554c719061f82cf.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x9173f70af60c0a864eecdfb3342dc789.1000.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x9173f70af60c0a864eecdfb3342dc789.1000.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0x21ee912784a013dc44071ecc4f932388.1000.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80u.dll_0x21ee912784a013dc44071ecc4f932388.1000.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0xa72dde00d763aeef1eb04534f8672967.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.CRT.manifest_0xa72dde00d763aeef1eb04534f8672967.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Ntfs2Fat32.exe_0xc1a93bba7976c7581ce054aa4cfb7b67.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Ntfs2Fat32.exe_0xc1a93bba7976c7581ce054aa4cfb7b67.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x38b98176c5ffce2073a035c4fd595c3a.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\PartAssist.exe_0x38b98176c5ffce2073a035c4fd595c3a.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x7dc52d085a05db8a72fed96bb342412b.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x7dc52d085a05db8a72fed96bb342412b.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x97b859f11538bbe20f17dfb9c0979a1c.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Microsoft.VC80.MFC.manifest_0x97b859f11538bbe20f17dfb9c0979a1c.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x1b7524806d0270b81360c63a2fa047cb.1000.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\mfc80.dll_0x1b7524806d0270b81360c63a2fa047cb.1000.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\EPW.exe_0x722680ebe0408684843c14081bcc07d8.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\EPW.exe_0x722680ebe0408684843c14081bcc07d8.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0x8619d813f8ffe440c1e2c13a838437d7.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0x8619d813f8ffe440c1e2c13a838437d7.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0xc78d8faa496f82160d221ef2056fbdec.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\bcdboot.exe_0xc78d8faa496f82160d221ef2056fbdec.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\DyndiskConverter.exe_0xfea6bc6df7a348c31456a150b993d4d6.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\DyndiskConverter.exe_0xfea6bc6df7a348c31456a150b993d4d6.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0xccf8272044920fb76bfcfa8ae2a2d850.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\exfat.dll_0xccf8272044920fb76bfcfa8ae2a2d850.2.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_Win32.exe_0x54386df19aa88572e10421917bc8c2f7.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_Win32.exe_0x54386df19aa88572e10421917bc8c2f7.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_x64.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\LoadDrv_x64.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Help.exe_0x3d62b7d3079341e59e1c776035e7b3a9.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\Help.exe_0x3d62b7d3079341e59e1c776035e7b3a9.1.manifest
from %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\loaddrv.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x056B6DD7C6D89185\sxs\Manifests\loaddrv.exe_0x2266bb132b8318b7d1ced34c58312d35.1.manifest

Network activity:

Connects to:

'st###.spoon.net':443

UDP:

DNS ASK st###.spoon.net

Miscellaneous:

Creates and executes the following:

'<Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe'
'<Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe'
'<Current directory>\Data\local\stubexe\0xB86C71833351A7F7\LoadDrv_Win32.exe' -u
'<Current directory>\Data\local\stubexe\0xB9A63C47883A180A\PartAssist.exe'
'<Current directory>\Data\local\stubexe\0xE39EB5B6046300D8\SetupGreen32.exe' -u

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней