Analysis Overview
SHA256
765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03
Threat Level: Known bad
The file 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Disables RegEdit via registry modification
ASPack v2.12-2.42
Executes dropped EXE
Modifies system executable filetype association
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:16
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:16
Reported
2024-11-13 17:18
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" | C:\Windows\SMSSpq.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSpq.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSpq.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSpq.exe | N/A |
| N/A | N/A | C:\Windows\SMSSpq.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSpq.exe" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Formal.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File created | C:\Windows\SMSSpq.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\SMSSpq.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\SMSSpq.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\SMSSpq.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSpq.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html | C:\Windows\SMSSpq.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSpq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSpq.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0 | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\SMSSpq.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common | C:\Windows\SMSSpq.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSpq.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0ad8ec2ef35db01 | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSpq.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 | C:\Windows\SMSSpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SMSSpq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSpq.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSpq.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSpq.exe |
| PID 2644 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSpq.exe |
| PID 2644 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSpq.exe |
| PID 2644 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSpq.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe
"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"
C:\Windows\SMSSpq.exe
"C:\Windows\SMSSpq.exe" -xInstallOurNiceServicesYes
C:\Windows\SMSSpq.exe
C:\Windows\SMSSpq.exe -xStartOurNiceServicesYes
Network
Files
C:\Windows\SMSSpq.exe
| MD5 | 60b23c04a141b8fa35fafa75a42f6ab0 |
| SHA1 | 7158429d377700b55b87ab9c3e808257e12118ad |
| SHA256 | 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03 |
| SHA512 | 94f1908a6c106e9e6b3f7f3ea2c4128b936fac612da693fe75ceba74c9649ede0dd3b18e6d50739cb0c84e2e7048aba6b3b4858ec1cdac35b4b79cd2e7b1e6e7 |
memory/2692-10-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-39-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-40-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Windows\Temp\QKEUsdKk.lHS\message.htm
| MD5 | 343ee4427155a9303a7917c7622eb617 |
| SHA1 | 2428bb72f948247c5a80435b0d85c9444daca183 |
| SHA256 | 358ffb3e12f96443e7e4d1a6e7ba6cd4da48daa76ec24512425a5b1bf380d351 |
| SHA512 | bea11b93af0f6746a4151767340b42871a4881b7f6c9b6e232d39d5ccc05e048e5a98c87a99c9a8fd306d3a26ad5fa993fa6e8c64ded13ed617f19015a4b8a6c |
C:\Windows\message.dat
| MD5 | 34174457f45fcc04eac948c67001ace8 |
| SHA1 | e9e2c6095b5639d88d8d6a91de04b93af14dcd13 |
| SHA256 | ec85280195a483a085f1278088d4a8483f4895bc159bfac6ac8d273d31966a84 |
| SHA512 | 93eb54cc16d1288bc28d7422d104a844f6eee81c4ab997563864bec29fa41d4cb95a642179185fd20a80a2b2c72b490d78ad413aaf3dbf5f2004692750c8cace |
memory/2644-88-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-97-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-187-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-188-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-285-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-286-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-391-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-392-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-410-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-411-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-412-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-414-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-416-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-418-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2644-420-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2820-421-0x0000000000400000-0x000000000051F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:16
Reported
2024-11-13 17:18
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
106s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" | C:\Windows\SMSSls.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" | C:\Windows\SMSSls.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSls.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSls.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSls.exe | N/A |
| N/A | N/A | C:\Windows\SMSSls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSls.exe" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\SMSSls.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\SMSSls.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\SMSSls.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Keygen.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\SMSSls.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe | C:\Windows\SMSSls.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Keygen.exe | C:\Windows\SMSSls.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSls.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\SMSSls.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\SMSSls.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b6dd3dc3ef35db01 | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SMSSls.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSls.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SMSSls.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSls.exe | N/A |
| N/A | N/A | C:\Windows\SMSSls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4916 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSls.exe |
| PID 4916 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSls.exe |
| PID 4916 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe | C:\Windows\SMSSls.exe |
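Both detonations record the same host artefacts under a different random loader name (SMSSpq.exe on win7, SMSSls.exe on win10): the shell\open\command handlers for exefile, batfile, cmdfile, comfile, piffile and scrfile are pointed at a dropped C:\Windows\svchost.exe (the genuine binary lives in System32), a "Service Host" Run value and a Winlogon Shell value are written, DisableRegistryTools is set to 1 for the current user and for .DEFAULT, and crack/keygen-named bait executables are dropped into a directory named after the Control Panel CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, which Explorer renders as Control Panel rather than as a browsable folder. Two caveats a responder should keep in mind: the Winlogon Shell and Run writes land under Wow6432Node because the registry redirector sends a 32-bit process there; Explorer processes both Run keys, but the native 64-bit Winlogon reads only the native key, so on these x64 guests the Shell change is logged intent rather than working persistence. ShowSuperHidden = 0 is also the Windows default and is not a usable indicator on its own. The triage script below is added here and is not part of the sandbox report or of the sample; the stock handler strings and the CLSID are standard Windows values, the value names and paths come from the report, and the SMSS??.exe wildcard is an assumption generalising the two loader names seen.

```powershell
# Added triage script; not part of the sandbox report or the sample.
# Run in an elevated PowerShell on the host under investigation.
# -Repair restores the stock handlers, removes the Run value and re-enables regedit.
[CmdletBinding()]
param([switch]$Repair)

$findings = @()

# 1. File-association hijack. Stock Windows handlers for the six ProgIDs the sample
#    overwrites; the sample points every one of them at its own C:\Windows\svchost.exe.
$expected = @{
    exefile = '"%1" %*'
    batfile = '"%1" %*'
    cmdfile = '"%1" %*'
    comfile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
}
foreach ($progId in $expected.Keys) {
    $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne $expected[$progId]) {
        $findings += "Hijacked handler: $progId = $cmd"
        if ($Repair) { Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$progId] }
    }
}

# 2. Winlogon Shell and the Run value. The report shows the 32-bit sample's writes
#    redirected to Wow6432Node, so inspect both the native and the WOW64 view.
foreach ($v in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $wl = "$v\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell under ${v}: $shell" }

    $runKey = "$v\Microsoft\Windows\CurrentVersion\Run"
    $run = (Get-ItemProperty -Path $runKey -Name 'Service Host' -ErrorAction SilentlyContinue).'Service Host'
    if ($run) {
        $findings += "Run value 'Service Host' under ${v}: $run"
        if ($Repair) { Remove-ItemProperty -Path $runKey -Name 'Service Host' }
    }
}

# 3. DisableRegistryTools = 1 under every loaded user hive (the report shows the
#    logged-on user's SID and .DEFAULT; both are enumerated here).
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $pol = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($drt -eq 1) {
        $findings += "DisableRegistryTools=1 for $($hive.PSChildName)"
        if ($Repair) { Set-ItemProperty -Path $pol -Name DisableRegistryTools -Value 0 }
    }
}

# 4. Dropped files: svchost.exe directly under %SystemRoot%, the message.* files,
#    the loader (SMSS??.exe is an assumed pattern from the two names seen) and the
#    bait directory named after the Control Panel CLSID. -Force includes hidden files.
$bait  = "$env:SystemRoot\.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
$paths = @("$env:SystemRoot\svchost.exe", "$env:SystemRoot\message.dat", "$env:SystemRoot\message.htm", $bait)
$paths += @(Get-ChildItem -Path "$env:SystemRoot\SMSS??.exe" -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artefact present: $p" }
}
if (Test-Path -LiteralPath $bait) {
    Get-ChildItem -LiteralPath $bait -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Bait file: $($_.Name)" }
}

if ($findings.Count -eq 0) { 'No artefacts of this sample found.' } else { $findings }
```

Run it once without -Repair to record findings for the case file, then with -Repair after the loader process has been stopped; otherwise the running SMSS??.exe, which the report shows re-writing the Winlogon, Run and policy values, will restore them. The CLSID-named directory still has to be deleted from an elevated shell after its contents have been preserved.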
Processes
C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe
"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"
C:\Windows\SMSSls.exe
"C:\Windows\SMSSls.exe" -xInstallOurNiceServicesYes
C:\Windows\SMSSls.exe
C:\Windows\SMSSls.exe -xStartOurNiceServicesYes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Windows\SMSSls.exe
| MD5 | 60b23c04a141b8fa35fafa75a42f6ab0 |
| SHA1 | 7158429d377700b55b87ab9c3e808257e12118ad |
| SHA256 | 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03 |
| SHA512 | 94f1908a6c106e9e6b3f7f3ea2c4128b936fac612da693fe75ceba74c9649ede0dd3b18e6d50739cb0c84e2e7048aba6b3b4858ec1cdac35b4b79cd2e7b1e6e7 |
memory/2432-7-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-33-0x0000000000400000-0x000000000051F000-memory.dmp
memory/3892-34-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-35-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-37-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-39-0x0000000000400000-0x000000000051F000-memory.dmp
memory/3892-40-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-41-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-43-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-46-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-70-0x0000000000400000-0x000000000051F000-memory.dmp
memory/3892-71-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-72-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-74-0x0000000000400000-0x000000000051F000-memory.dmp
memory/4916-76-0x0000000000400000-0x000000000051F000-memory.dmp
memory/3892-77-0x0000000000400000-0x000000000051F000-memory.dmp