Analysis Overview
SHA256
ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017
Threat Level: Known bad
The file ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Executes dropped EXE
ASPack v2.12-2.42
Modifies system executable filetype association
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 15:04
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 15:04
Reported
2024-11-17 15:07
Platform
win7-20240729-en
Max time kernel
119s
Max time network
21s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSox.exe" | C:\Windows\SMSSox.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSox.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSox.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSox.exe | N/A |
| N/A | N/A | C:\Windows\SMSSox.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSox.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\SMSSox.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\SMSSox.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\SMSSox.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee VirusScan Home Edition 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\SMSSox.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Keygen.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html | C:\Windows\SMSSox.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html | C:\Windows\SMSSox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SMSSox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0 | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SMSSox.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000 | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSox.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000 | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSox.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f08b7d160239db01 | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office | C:\Windows\SMSSox.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000 | C:\Windows\SMSSox.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No" | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SMSSox.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1" | C:\Windows\SMSSox.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033" | C:\Windows\SMSSox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SMSSox.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSox.exe |
| PID 2136 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSox.exe |
| PID 2136 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSox.exe |
| PID 2136 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\SMSSox.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"
C:\Windows\SMSSox.exe
"C:\Windows\SMSSox.exe" -xInstallOurNiceServicesYes
C:\Windows\SMSSox.exe
C:\Windows\SMSSox.exe -xStartOurNiceServicesYes
Network
Files
C:\Windows\SMSSox.exe
| MD5 | 4a76a4e930bec401bea9deb37512c9e0 |
| SHA1 | ddd938da715326a366b97d800698edac2fae4749 |
| SHA256 | ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017 |
| SHA512 | db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200 |
memory/2568-10-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-45-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-46-0x0000000000400000-0x000000000051F000-memory.dmp
C:\Windows\Temp\nlFGnxAT.iHy\message.htm
| MD5 | 84b61b37074a65e5aa03f387be522d59 |
| SHA1 | 02f623ef7a8be858b7921a173c2ec53635b879cb |
| SHA256 | 6f585632c22adfaf37952a7adcef260014f72bfdcb69e729ca568e6fb6691f3b |
| SHA512 | 264b390be497ff44deec22f081cc772d57c5f85c8d6ecbf08f04a2ae3ecf3b86a83c30085cd32ff99d445a9bf76c106a7f308c3b631afed8427c1d70d70948a1 |
C:\Windows\message.dat
| MD5 | 3500da4b2317ad36ceeae88ebba98f47 |
| SHA1 | 16303f881930b076717c6ca78ddcc9fcb8891901 |
| SHA256 | 4e2398f6744cb560a9c848604fc2c51695702e6f746435245fcd0f5a3313a0ba |
| SHA512 | bdb2b4e5ceff9bedeb68c403095fa7f6830eff2e314577e7fc75649d86b6eb596c23bd070b3177749963904b6268e429cd6a667fc3b9b8d3bec42cd64ea3f29f |
memory/2136-86-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-95-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-184-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-185-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-284-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-283-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-397-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-398-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-416-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-417-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-418-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-420-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-422-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1612-423-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-424-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2136-426-0x0000000000400000-0x000000000051F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 15:04
Reported
2024-11-17 15:07
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
113s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" | C:\Windows\spoolun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" | C:\Windows\spoolun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolun.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\spoolun.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\spoolun.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\spoolun.exe | N/A |
| N/A | N/A | C:\Windows\spoolun.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolun.exe" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee Personal Firewall Plus 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\message.dat | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\spoolun.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\McAfee SpamKiller 2004 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton SystemWorks 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\message.htm | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\spoolun.exe | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| File created | C:\Windows\spoolun.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro 4.3.0 Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\spoolun.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Halo Crack.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Borland C++ BuilderX 1.0 Enterprise Edition Keygen.exe | C:\Windows\spoolun.exe | N/A |
| File created | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\TVTool v8.31 Crack.exe | C:\Windows\spoolun.exe | N/A |
| File opened for modification | C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe | C:\Windows\spoolun.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolun.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\spoolun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\spoolun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | C:\Windows\spoolun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" | C:\Windows\spoolun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e69af5170239db01 | C:\Windows\spoolun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S" | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\spoolun.exe | N/A |
| N/A | N/A | C:\Windows\spoolun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolun.exe |
| PID 316 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolun.exe |
| PID 316 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe | C:\Windows\spoolun.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe
"C:\Users\Admin\AppData\Local\Temp\ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017N.exe"
C:\Windows\spoolun.exe
"C:\Windows\spoolun.exe" -xInstallOurNiceServicesYes
C:\Windows\spoolun.exe
C:\Windows\spoolun.exe -xStartOurNiceServicesYes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Windows\spoolun.exe
| MD5 | 4a76a4e930bec401bea9deb37512c9e0 |
| SHA1 | ddd938da715326a366b97d800698edac2fae4749 |
| SHA256 | ad42757c8047eb19d63802fe648dab5ed361d0541d397febf33b8b47a1309017 |
| SHA512 | db6d5d9408eedc99f796173a6e4fc938810746b15e6176af780041fd74b39f119c127a21b4631230e59a695ccdfddca3aa57392bb1af9383b22716b8ac0c6200 |
memory/3996-7-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-45-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2924-46-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-47-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-49-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-51-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-53-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2924-54-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-55-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-58-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-78-0x0000000000400000-0x000000000051F000-memory.dmp
memory/2924-79-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-80-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-82-0x0000000000400000-0x000000000051F000-memory.dmp
memory/316-84-0x0000000000400000-0x000000000051F000-memory.dmp