Malware Analysis Report

2024-12-07 12:58

Sample ID 241113-vs9hbawerm
Target 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe
SHA256 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03
Tags aspackv2 discovery evasion persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03

Threat Level: Known bad

The file 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

ASPack v2.12-2.42

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:16

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:16

Reported

2024-11-13 17:18

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSpq.exe" C:\Windows\SMSSpq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSpq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSpq.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SMSSpq.exe N/A
N/A N/A C:\Windows\SMSSpq.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSpq.exe" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Formal.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm C:\Windows\SMSSpq.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\message.dat C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File created C:\Windows\SMSSpq.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\SMSSpq.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\message.htm C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\SMSSpq.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\SMSSpq.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html C:\Windows\SMSSpq.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html C:\Windows\SMSSpq.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html C:\Windows\SMSSpq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SMSSpq.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0 C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\SMSSpq.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common C:\Windows\SMSSpq.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles C:\Windows\SMSSpq.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0ad8ec2ef35db01 C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources C:\Windows\SMSSpq.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 C:\Windows\SMSSpq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SMSSpq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" C:\Windows\SMSSpq.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SMSSpq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe

"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"

C:\Windows\SMSSpq.exe

"C:\Windows\SMSSpq.exe" -xInstallOurNiceServicesYes

C:\Windows\SMSSpq.exe

C:\Windows\SMSSpq.exe -xStartOurNiceServicesYes

Network

N/A

Files

C:\Windows\SMSSpq.exe

MD5 60b23c04a141b8fa35fafa75a42f6ab0
SHA1 7158429d377700b55b87ab9c3e808257e12118ad
SHA256 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03
SHA512 94f1908a6c106e9e6b3f7f3ea2c4128b936fac612da693fe75ceba74c9649ede0dd3b18e6d50739cb0c84e2e7048aba6b3b4858ec1cdac35b4b79cd2e7b1e6e7

C:\Windows\Temp\QKEUsdKk.lHS\message.htm

MD5 343ee4427155a9303a7917c7622eb617
SHA1 2428bb72f948247c5a80435b0d85c9444daca183
SHA256 358ffb3e12f96443e7e4d1a6e7ba6cd4da48daa76ec24512425a5b1bf380d351
SHA512 bea11b93af0f6746a4151767340b42871a4881b7f6c9b6e232d39d5ccc05e048e5a98c87a99c9a8fd306d3a26ad5fa993fa6e8c64ded13ed617f19015a4b8a6c

C:\Windows\message.dat

MD5 34174457f45fcc04eac948c67001ace8
SHA1 e9e2c6095b5639d88d8d6a91de04b93af14dcd13
SHA256 ec85280195a483a085f1278088d4a8483f4895bc159bfac6ac8d273d31966a84
SHA512 93eb54cc16d1288bc28d7422d104a844f6eee81c4ab997563864bec29fa41d4cb95a642179185fd20a80a2b2c72b490d78ad413aaf3dbf5f2004692750c8cace


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:16

Reported

2024-11-13 17:18

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" C:\Windows\SMSSls.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSls.exe" C:\Windows\SMSSls.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSls.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSls.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SMSSls.exe N/A
N/A N/A C:\Windows\SMSSls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSls.exe" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\SMSSls.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\SMSSls.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\SMSSls.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\message.dat C:\Windows\SMSSls.exe N/A
File created C:\Windows\message.htm C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Keygen.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\SMSSls.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe C:\Windows\SMSSls.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe C:\Windows\SMSSls.exe N/A
File created C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Keygen.exe C:\Windows\SMSSls.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SMSSls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SMSSls.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\SMSSls.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\SMSSls.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b6dd3dc3ef35db01 C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\SMSSls.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SMSSls.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SMSSls.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SMSSls.exe N/A
N/A N/A C:\Windows\SMSSls.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe

"C:\Users\Admin\AppData\Local\Temp\765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03.exe"

C:\Windows\SMSSls.exe

"C:\Windows\SMSSls.exe" -xInstallOurNiceServicesYes

C:\Windows\SMSSls.exe

C:\Windows\SMSSls.exe -xStartOurNiceServicesYes

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\SMSSls.exe

MD5 60b23c04a141b8fa35fafa75a42f6ab0
SHA1 7158429d377700b55b87ab9c3e808257e12118ad
SHA256 765b88014a27c1b599270503d07692277cf865a8bf24ddd6d7b8f6d9b9b7ea03
SHA512 94f1908a6c106e9e6b3f7f3ea2c4128b936fac612da693fe75ceba74c9649ede0dd3b18e6d50739cb0c84e2e7048aba6b3b4858ec1cdac35b4b79cd2e7b1e6e7
