Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %WINDIR%\Tasks\NUAutoUpdate.job
Malicious functions:
Executes the following:
- '<Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe'
- '<Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe'
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: 'RegMonClass', WindowName: ''
- ClassName: 'FileMonClass', WindowName: ''
Modifies file system:
Creates the following files:
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\UploadPing.exe_0xc4c8f5a07d3f590b6a8bbbf23f5d911d.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Update.exe_0xd33814d067e19d1e5a02aae6c236c431.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\StartManSvc.exe_0x383b4f3f0556ad2a57823dcd7d9a8bf6.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\unins000.exe_0x97988438c79f0e18ce7d765017ff7ff2.1.manifest.__tmp__
- <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt.__meta__.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\X86_Smart Update@1.0.0.0.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\Smart Update.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SSDMonitor.exe_0xc91a38667b4b9e4967d5a6cef9df2805.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_CoreTrace.dll_0x8fa91842e0a1e3ba8d5fd5400b8dcd50.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragAPI.dll_0x1dc33a8a5889c8d18cdabc941973ab25.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_ClientApi.dll_0xdfe44e5dfb62a027a92f588f1fae8e97.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SetupHelper.dll_0xf9ac7efff672976f57cbc4624671ff7b.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Shredder.dll_0x9e8b218aadd70f0bdb61becc5d58fd82.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_Utils.dll_0x38ad0fe12fb7c0105525a63c49761686.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDiskSrv.exe_0x7741a356801a9751658858f3ff191f39.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_SchedulerClient.dll_0x73015a10a955f1dba3d2c58bc57b690e.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragClient.dll_0xcbed4ce7672509bb624dbb85368dbd89.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_HistoryClient.dll_0xa11d6a657cc3a576669329f97deb9749.2.manifest.__tmp__
- <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe.__meta__.__tmp__
- <Current directory>\Portable\roaming\modified\@APPDATA@\Norton Utilities 16\metrics.dat
- <Current directory>\Portable\roaming\meta\@APPDATA@\Norton Utilities 16\metrics.dat.__meta__.__tmp__
- <Current directory>\Portable\roaming\modified\@APPDATA@\Norton Utilities 16\metrics.dat-journal
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\PCTProcess.txt
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- <Current directory>\Portable\local\temp\@APPDATA@\Norton Utilities 16\metrics.dat
- %ALLUSERSPROFILE%\Application Data\TEMP:792D4CF1
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\ref.__meta__.__tmp__
- <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe.manifest.__tmp__
- <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt
- <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe.__tmp__
- <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log.__meta__.__tmp__
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\backup.__meta__.__tmp__
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\log.__meta__.__tmp__
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Data.__meta__.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_ClientApi.dll_0x537da1ad3265b2ba9b39e96e2c4dafab.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_CoreTrace.dll_0x8adabf0d37a11bdded208c55fcf9d5de.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Cookies.dll_0x0edef9e46aa115a60a9b9ac850ea4805.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aSpeedDisk.dll_0xda88575ccb4d0306dd44e3a9e85467f1.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\configurationmanager.dll_0x83d5eebbce3b57f0fa055007cbc773c1.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_SchedulerClient.dll_0xedf0fcc8cd62b1f14cc72c8af51c7140.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_Utils.dll_0x9844cfee3c1aab76d653144b2777e32a.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairClient.dll_0x30f4f5a9f4279333c9a672ca3cc3eb92.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_HistoryClient.dll_0x218031e188ea5468ed273c78d10cf783.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairAPI.dll_0x59cec5ba7d4eb62ce6e28401005dab3f.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Alert.exe_0x5622935c4ed94733ba48301a89159366.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aCheckDisk.exe_0xef352af763aeb0755a9e0e48594dfac9.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0x8a5a580517b73d78af9885d8a9440e05.1.manifest.__tmp__
- <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe.manifest.__tmp__
- <Current directory>\Portable\xsandbox.bin.__tmp__
- <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0x2256cb7fd436de871cda5a612a84dd40.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0xe670445c4e138aaa3bb573f170ebc97b.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0xc01205ed125f1179b2f8d1f88989330f.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0xe8ecd207b2e321b0f94ccb4a34fa0636.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0x51f109c31fd157a470195b92db0e2559.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PgHist.exe_0x83d638a19c594f2732bef63872ff0f7f.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PingLogger.dll_0x95a451df40a42a08b3ca664df898ca54.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLogon.dll_0xa25ed954bc4bede0b2c77837ae3416e6.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\nu.exe_0x6c4117321c2ccbb9bdd795c3cb07ff2e.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLNty.dll_0x85b77a157114efbe6d130a622c48949b.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Scheduler.dll_0xc3c35feb5969c7bae0f7057e49298c92.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SecUtility.dll_0x6ead83be3136906bc3837b6ea908d784.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\ScheduledDefrag.exe_0x82e9e7701ea40b6312cf27339deaaf7e.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PrivacyHelper.dll_0xc62219cb5c9f6693489ca0c23adf8163.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\RMEngine.dll_0xcead24e6d22ff01f122093ed0264ea4b.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LogonDetect.exe_0x895909012f27ea4e40c7ef2a18aefe8a.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\EventLoggerDLL.dll_0xc581b3c25de9d00abfe72c0862eed48b.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FileLoggerDLL.dll_0x99305ef20e351cb6d9d8e91da2c2e62a.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0xc05329c87a718a9ed56ee16a11f2953b.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctorSrv.exe_0xb3b05be151cb7e0ddfb7061af84b2759.1.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0x0ea61fd1823790d9d7334ae24410badc.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InstalledPrograms.dll_0x0ad5e937aadbce654752095e30a80b7a.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LicHelper.dll_0x0f68bc502dc6bda27ddb9fa633c90a18.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InnoHelpers.dll_0x6b3e5d89e80aece8c85aafcfaa0ec43c.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FindDuplicatesDLL.dll_0x57766f618039d536076b4739b530d19e.2.manifest.__tmp__
- %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FRSimpleAPI.dll_0x249cf47aafdcf87b3b24df4fbe7c09b5.2.manifest.__tmp__
Deletes the following files:
- %TEMP%\Cab3B.tmp
- %TEMP%\Cab39.tmp
- %TEMP%\Cab37.tmp
- %TEMP%\Cab41.tmp
- %TEMP%\Cab3F.tmp
- %TEMP%\Cab3D.tmp
- %TEMP%\Cab2F.tmp
- %TEMP%\Cab2D.tmp
- %TEMP%\Cab2B.tmp
- %TEMP%\Cab35.tmp
- %TEMP%\Cab33.tmp
- %TEMP%\Cab31.tmp
- %TEMP%\Cab53.tmp
- %TEMP%\Cab51.tmp
- %TEMP%\Cab4F.tmp
- %TEMP%\Cab59.tmp
- %TEMP%\Cab57.tmp
- %TEMP%\Cab55.tmp
- %TEMP%\Cab47.tmp
- %TEMP%\Cab45.tmp
- %TEMP%\Cab43.tmp
- %TEMP%\Cab4D.tmp
- %TEMP%\Cab4B.tmp
- %TEMP%\Cab49.tmp
- %TEMP%\CabB.tmp
- %TEMP%\Cab9.tmp
- %TEMP%\Cab7.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\CabF.tmp
- %TEMP%\CabD.tmp
- <Current directory>\Portable\roaming\modified\@APPDATA@\Norton Utilities 16\metrics.dat-journal
- <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log.__meta__
- <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log
- %TEMP%\Cab5.tmp
- %TEMP%\Cab3.tmp
- %TEMP%\Cab1.tmp
- %TEMP%\Cab23.tmp
- %TEMP%\Cab21.tmp
- %TEMP%\Cab1F.tmp
- %TEMP%\Cab29.tmp
- %TEMP%\Cab27.tmp
- %TEMP%\Cab25.tmp
- %TEMP%\Cab17.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\Cab1D.tmp
- %TEMP%\Cab1B.tmp
- %TEMP%\Cab19.tmp
Moves the following files:
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_SchedulerClient.dll_0x73015a10a955f1dba3d2c58bc57b690e.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_SchedulerClient.dll_0x73015a10a955f1dba3d2c58bc57b690e.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_Utils.dll_0x38ad0fe12fb7c0105525a63c49761686.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_Utils.dll_0x38ad0fe12fb7c0105525a63c49761686.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragClient.dll_0xcbed4ce7672509bb624dbb85368dbd89.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragClient.dll_0xcbed4ce7672509bb624dbb85368dbd89.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_HistoryClient.dll_0xa11d6a657cc3a576669329f97deb9749.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_HistoryClient.dll_0xa11d6a657cc3a576669329f97deb9749.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDiskSrv.exe_0x7741a356801a9751658858f3ff191f39.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDiskSrv.exe_0x7741a356801a9751658858f3ff191f39.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\unins000.exe_0x97988438c79f0e18ce7d765017ff7ff2.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\unins000.exe_0x97988438c79f0e18ce7d765017ff7ff2.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Update.exe_0xd33814d067e19d1e5a02aae6c236c431.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Update.exe_0xd33814d067e19d1e5a02aae6c236c431.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SSDMonitor.exe_0xc91a38667b4b9e4967d5a6cef9df2805.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SSDMonitor.exe_0xc91a38667b4b9e4967d5a6cef9df2805.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\StartManSvc.exe_0x383b4f3f0556ad2a57823dcd7d9a8bf6.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\StartManSvc.exe_0x383b4f3f0556ad2a57823dcd7d9a8bf6.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Scheduler.dll_0xc3c35feb5969c7bae0f7057e49298c92.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Scheduler.dll_0xc3c35feb5969c7bae0f7057e49298c92.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SecUtility.dll_0x6ead83be3136906bc3837b6ea908d784.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SecUtility.dll_0x6ead83be3136906bc3837b6ea908d784.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\RMEngine.dll_0xcead24e6d22ff01f122093ed0264ea4b.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\RMEngine.dll_0xcead24e6d22ff01f122093ed0264ea4b.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\ScheduledDefrag.exe_0x82e9e7701ea40b6312cf27339deaaf7e.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\ScheduledDefrag.exe_0x82e9e7701ea40b6312cf27339deaaf7e.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SetupHelper.dll_0xf9ac7efff672976f57cbc4624671ff7b.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SetupHelper.dll_0xf9ac7efff672976f57cbc4624671ff7b.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_CoreTrace.dll_0x8fa91842e0a1e3ba8d5fd5400b8dcd50.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_CoreTrace.dll_0x8fa91842e0a1e3ba8d5fd5400b8dcd50.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragAPI.dll_0x1dc33a8a5889c8d18cdabc941973ab25.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_DefragAPI.dll_0x1dc33a8a5889c8d18cdabc941973ab25.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Shredder.dll_0x9e8b218aadd70f0bdb61becc5d58fd82.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Shredder.dll_0x9e8b218aadd70f0bdb61becc5d58fd82.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_ClientApi.dll_0xdfe44e5dfb62a027a92f588f1fae8e97.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\SpeedDisk_ClientApi.dll_0xdfe44e5dfb62a027a92f588f1fae8e97.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\UploadPing.exe_0xc4c8f5a07d3f590b6a8bbbf23f5d911d.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\UploadPing.exe_0xc4c8f5a07d3f590b6a8bbbf23f5d911d.1.manifest
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\backup.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\backup.__meta__
- from <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log to <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\log.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\log.__meta__
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Data.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Data.__meta__
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\AppLog.log.__meta__
- from <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe to <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\Update.exe.__meta__
- from <Current directory>\Portable\local\temp\@APPDATA@\Norton Utilities 16\metrics.dat to <Current directory>\Portable\roaming\modified\@APPDATA@\Norton Utilities 16\metrics.dat
- from <Current directory>\Portable\roaming\meta\@APPDATA@\Norton Utilities 16\metrics.dat.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@APPDATA@\Norton Utilities 16\metrics.dat.__meta__
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\Smart Update.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\Smart Update.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\X86_Smart Update@1.0.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\X86_Smart Update@1.0.0.0\X86_Smart Update@1.0.0.0.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\JR.Inno.Setup.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\x86_JR.Inno.Setup@1.0.0.0\x86_JR.Inno.Setup@1.0.0.0.manifest
- from <Current directory>\Portable\local\temp\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt to <Current directory>\Portable\roaming\modified\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt
- from <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe.manifest.__tmp__ to <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe.manifest
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\ref.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\ref.__meta__
- from <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt.__meta__.__tmp__ to <Current directory>\Portable\roaming\meta\@PROGRAMFILESX86@\Symantec\Norton Utilities 16\sMonitor\SMSvc.txt.__meta__
- from <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe.__tmp__ to <Current directory>\Portable\local\stubexe\0x36B4BEAFD4AC5AC0\nu.exe
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PrivacyHelper.dll_0xc62219cb5c9f6693489ca0c23adf8163.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PrivacyHelper.dll_0xc62219cb5c9f6693489ca0c23adf8163.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aSpeedDisk.dll_0xda88575ccb4d0306dd44e3a9e85467f1.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aSpeedDisk.dll_0xda88575ccb4d0306dd44e3a9e85467f1.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\configurationmanager.dll_0x83d5eebbce3b57f0fa055007cbc773c1.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\configurationmanager.dll_0x83d5eebbce3b57f0fa055007cbc773c1.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0xe670445c4e138aaa3bb573f170ebc97b.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0xe670445c4e138aaa3bb573f170ebc97b.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Alert.exe_0x5622935c4ed94733ba48301a89159366.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Alert.exe_0x5622935c4ed94733ba48301a89159366.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Cookies.dll_0x0edef9e46aa115a60a9b9ac850ea4805.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\Cookies.dll_0x0edef9e46aa115a60a9b9ac850ea4805.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_HistoryClient.dll_0x218031e188ea5468ed273c78d10cf783.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_HistoryClient.dll_0x218031e188ea5468ed273c78d10cf783.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairAPI.dll_0x59cec5ba7d4eb62ce6e28401005dab3f.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairAPI.dll_0x59cec5ba7d4eb62ce6e28401005dab3f.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_ClientApi.dll_0x537da1ad3265b2ba9b39e96e2c4dafab.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_ClientApi.dll_0x537da1ad3265b2ba9b39e96e2c4dafab.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_CoreTrace.dll_0x8adabf0d37a11bdded208c55fcf9d5de.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_CoreTrace.dll_0x8adabf0d37a11bdded208c55fcf9d5de.2.manifest
- from <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe.manifest.__tmp__ to <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aCheckDisk.exe_0xef352af763aeb0755a9e0e48594dfac9.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aCheckDisk.exe_0xef352af763aeb0755a9e0e48594dfac9.1.manifest
- from <Current directory>\Portable\xsandbox.bin.__tmp__ to <Current directory>\Portable\xsandbox.bin
- from <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe.__tmp__ to <Current directory>\Portable\local\stubexe\0x3153000F8F9F0C3B\StartManSvc.exe
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0x8a5a580517b73d78af9885d8a9440e05.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0x8a5a580517b73d78af9885d8a9440e05.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0xc01205ed125f1179b2f8d1f88989330f.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0xc01205ed125f1179b2f8d1f88989330f.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0x2256cb7fd436de871cda5a612a84dd40.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSStartup.exe_0x2256cb7fd436de871cda5a612a84dd40.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0xe8ecd207b2e321b0f94ccb4a34fa0636.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSBatch.exe_0xe8ecd207b2e321b0f94ccb4a34fa0636.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0x51f109c31fd157a470195b92db0e2559.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\aDSReboot.exe_0x51f109c31fd157a470195b92db0e2559.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairClient.dll_0x30f4f5a9f4279333c9a672ca3cc3eb92.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_RepairClient.dll_0x30f4f5a9f4279333c9a672ca3cc3eb92.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LicHelper.dll_0x0f68bc502dc6bda27ddb9fa633c90a18.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LicHelper.dll_0x0f68bc502dc6bda27ddb9fa633c90a18.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LogonDetect.exe_0x895909012f27ea4e40c7ef2a18aefe8a.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\LogonDetect.exe_0x895909012f27ea4e40c7ef2a18aefe8a.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InnoHelpers.dll_0x6b3e5d89e80aece8c85aafcfaa0ec43c.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InnoHelpers.dll_0x6b3e5d89e80aece8c85aafcfaa0ec43c.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InstalledPrograms.dll_0x0ad5e937aadbce654752095e30a80b7a.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\InstalledPrograms.dll_0x0ad5e937aadbce654752095e30a80b7a.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\nu.exe_0x6c4117321c2ccbb9bdd795c3cb07ff2e.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\nu.exe_0x6c4117321c2ccbb9bdd795c3cb07ff2e.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PgHist.exe_0x83d638a19c594f2732bef63872ff0f7f.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PgHist.exe_0x83d638a19c594f2732bef63872ff0f7f.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PingLogger.dll_0x95a451df40a42a08b3ca664df898ca54.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PingLogger.dll_0x95a451df40a42a08b3ca664df898ca54.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLNty.dll_0x85b77a157114efbe6d130a622c48949b.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLNty.dll_0x85b77a157114efbe6d130a622c48949b.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLogon.dll_0xa25ed954bc4bede0b2c77837ae3416e6.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\PCTLogon.dll_0xa25ed954bc4bede0b2c77837ae3416e6.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctorSrv.exe_0xb3b05be151cb7e0ddfb7061af84b2759.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctorSrv.exe_0xb3b05be151cb7e0ddfb7061af84b2759.1.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0x0ea61fd1823790d9d7334ae24410badc.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0x0ea61fd1823790d9d7334ae24410badc.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_SchedulerClient.dll_0xedf0fcc8cd62b1f14cc72c8af51c7140.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_SchedulerClient.dll_0xedf0fcc8cd62b1f14cc72c8af51c7140.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_Utils.dll_0x9844cfee3c1aab76d653144b2777e32a.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DiskDoctor_Utils.dll_0x9844cfee3c1aab76d653144b2777e32a.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0xc05329c87a718a9ed56ee16a11f2953b.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\DSProcessor.dll_0xc05329c87a718a9ed56ee16a11f2953b.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FindDuplicatesDLL.dll_0x57766f618039d536076b4739b530d19e.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FindDuplicatesDLL.dll_0x57766f618039d536076b4739b530d19e.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FRSimpleAPI.dll_0x249cf47aafdcf87b3b24df4fbe7c09b5.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FRSimpleAPI.dll_0x249cf47aafdcf87b3b24df4fbe7c09b5.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\EventLoggerDLL.dll_0xc581b3c25de9d00abfe72c0862eed48b.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\EventLoggerDLL.dll_0xc581b3c25de9d00abfe72c0862eed48b.2.manifest
- from %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FileLoggerDLL.dll_0x99305ef20e351cb6d9d8e91da2c2e62a.2.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x85F71CD99CAD3656\sxs\Manifests\FileLoggerDLL.dll_0x99305ef20e351cb6d9d8e91da2c2e62a.2.manifest
Network activity:
Connects to:
- 'sf.##mcb.com':80
- 'www.download.windowsupdate.com':80
- 'st###.spoon.net':443
- 'wp#d':80
TCP:
HTTP GET requests:
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://11#.#11.111.2/wpad.dat via wp#d
- http://sf.##mcb.com/sf.crt
UDP:
- DNS ASK sf.##mcb.com
- DNS ASK www.download.windowsupdate.com
- DNS ASK st###.spoon.net
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'ThunderRT6FormDC' WindowName: ''
- ClassName: 'ThunderRT6FormDC' WindowName: 'Shareware Cheater v 3.0'
