Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1hwrcscd98
Target 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb
SHA256 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb

Threat Level: Known bad

The file 61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

UPX dump on OEP (original entry point)

UPX dump on OEP (original entry point)

Drops file in Drivers directory

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Maps connected drives based on registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:39

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:42

Platform

win7-20240221-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Command_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Commands.Utility.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_If.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOGDS3L.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Session_Configurations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpb8300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYW7QUR7.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Commands.Utility.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC5201F.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Command_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_join.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3200T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc8100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa610t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WMI_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_aliases.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Special_Characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpbp6.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Line_Editing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2600T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4660t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_script_internationalization.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_trap.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8100T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN001.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBREF.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.VN.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL087.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\Rules\en-US\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Memory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-11.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_environment_variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fdbed0629f061767\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Break.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\Microsoft.Wsman.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_remote_output.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-12.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-9.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\Microsoft.PowerShell.ConsoleHost.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskmenubase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_scripts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2867d8179890f1a8\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_For.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipskor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd9932e5aaee1f78\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Assignment_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_83af6cfe9dc7084e\Microsoft.IIS.Powershell.Provider.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_execution_policies.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-other_31bf3856ad364e35_6.1.7600.16385_none_8cd41e2771e37717\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-7.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-19.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Path_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc5100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd7400t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Return.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPC3052F.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_providers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Ref.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_hash_tables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_execution_policies.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Special_Characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\de-DE\Report.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_locations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\RSSFeeds.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7c1292c822004f6\RSSFeeds.html C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe

"C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 spqmnasprn.biz udp
US 76.223.67.189:80 spqmnasprn.biz tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.42.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 millert.dev udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 bigelowandholmes.com udp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.42.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.11.9:25 alumni-caltech-edu.mail.protection.outlook.com tcp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.11.9:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.3:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.42.10:25 alumni-caltech-edu.mail.protection.outlook.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.10.2:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 64.233.167.26:25 aspmx.l.google.com tcp
BE 64.233.167.26:25 aspmx.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
BE 64.233.167.26:25 aspmx.l.google.com tcp
BE 64.233.167.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
BE 64.233.167.26:25 aspmx.l.google.com tcp
BE 64.233.167.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 rqseserhhs.org udp
US 76.223.67.189:80 rqseserhhs.org tcp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
FI 142.250.150.27:25 aspmx4.googlemail.com tcp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp

Files

memory/1976-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 43902d0d06342afd39a12ec766bd0907
SHA1 9c09ebea35192433b51f79914df539811d857b09
SHA256 239733f11652f3db3638d19f588477fd9e0fb2598b0c4bb0da9e4145c6186153
SHA512 36757d33ce3d7c4b29139fe01e32ba08578d931e5892aec4c4532cb2fcd94443d6beb3740f72418b8bdc0d42212d86469b2e0f4ca41db99e96b81461625694f4

memory/1976-12-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 a53b271b9ce609b8d4de6f318e2cf4b4
SHA1 f742446b8d793e2a7768e70a370c1df3b562e0ed
SHA256 a90f7dc54788a3e08e02a3f8b3a87c0f0bf7b043f77fdbf3768a481800f3e0d7
SHA512 7772801b25c3f6418c2535dc735402943c3f916aee98f943857705475a5490828736ee7fd9a07889c387b3caab4ff96138990994c32e7ca20fd982ea63d3c7d5

memory/1976-18-0x00000000002B0000-0x00000000002B9000-memory.dmp

C:\Windows\SysWOW64\smnss.exe

MD5 9a615726dfe36cb23522e63e9de6eaf5
SHA1 82b2e4fbfe7cfdc11aa8a97f2849a28a3fb165f4
SHA256 cb0b27b3f95d1ec1162879ba309fccf8dc68db73cffb86075aa34c68acc874fb
SHA512 ce718b74c6cfc6d907cce517a1d5bd549743eb7e9e30d975dd93d22d4368b7b78fc6202ce3c720ea3eff642dad0c046620767afe9a619eb09022f9c6f595d7dc

memory/2860-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1976-31-0x0000000010000000-0x000000001000D000-memory.dmp

memory/1976-30-0x00000000002B0000-0x00000000002B9000-memory.dmp

memory/1976-25-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2520-29-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 dbcbd299bcd93cd1640a50753e807aea
SHA1 b140418ff4b1ebd7909e0e3df6747a87cb04b606
SHA256 14ec0acb50e47344c9b0861a2a3c0b6a0717573296b38175f34332e848a2c818
SHA512 ca79edf943cdf3be693ffada8ff09359ddc7d70abe7dd052b1e5332cc9c5500bc6c1e801b5001cc3b3c3e16581de21b6e4f626b187105f2c06f359ea620d76c3

memory/2860-40-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2860-42-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2860-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2860-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2860-45-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2860-47-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2860-49-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2860-55-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:42

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinLearningTools.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..settings-searchdata_31bf3856ad364e35_10.0.19041.1266_none_02712bcc4c459e88\r\AllSystemSettings_{253E530E-387D-4BC2-959D-E6F86122E5F2}.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_prnms007.inf_31bf3856ad364e35_10.0.19041.1_none_70cec824c55a4876\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiMachinePolicies_ContainerRealtime.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-7.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-9.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-16.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..lcontrols.appxsetup_31bf3856ad364e35_10.0.19041.1_none_81c96d975e2daf7a\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_278c03d4cb0b9781\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-srh_31bf3856ad364e35_10.0.19041.1266_none_1e3229580ff745d0\NarratorControlTemplates.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.1288_none_23aa03725ec9354a\f\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_10.0.19041.964_none_98ae4c10cec4be4f\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeprovisioningentry-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-header-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_en-us_7f49f6de1f3c8a9f\Rules.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Editions\IoTEnterpriseEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\http_gen.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\f\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1266_none_12ea08a0c4f345b0\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_es-es_7f1553c21f637c44\Report.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\EditionMappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401-2.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..iondialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_5f1081b1c1cd1c92\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3b6977e3578692c\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\PhishSiteEdge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeeula-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_6d4be35dd691e117\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..uickstart.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c81408a27d1805ca\f\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\f\DefaultLayouts.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\test.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\f\HvsiMachinePolicies_ContainerCreate.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_a682193ea7614721\f\appxmanifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipscat.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeenterpriseprovisioning-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-listview-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelocalaccount-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\appxblockmap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\pdferrorunknownerror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\WpcBlockFrame.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoAdvancedInclusive.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..uickstart.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c81408a27d1805ca\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Rules.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\pdferror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurity.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0410\tokens_itIT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\ThemeSettings2013.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.1081_none_7844725cf8ddff9b\f\timezones.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrorrepurchasecontent.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f727312db940011\oobe_learn_more_activity_history.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..lcontrols.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_40b016a173f49507\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\AllowAll_EnableHVCI.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe

"C:\Users\Admin\AppData\Local\Temp\61f51ef133f57f47246d29b175828af1b4b0ec801bee4afed10ec140c1a449fb.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 spqmnasprn.biz udp
US 76.223.67.189:80 spqmnasprn.biz tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.42.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 189.67.223.76.in-addr.arpa udp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
US 8.8.8.8:53 m-ou.se udp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 142.251.173.27:25 aspmx.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.219:25 in1-smtp.messagingengine.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.10.4:25 outlook-com.olc.protection.outlook.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.12:25 alumni-caltech-edu.mail.protection.outlook.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
US 8.8.8.8:53 pobox.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 pb-mx11.pobox.com udp
US 64.147.108.52:25 pb-mx11.pobox.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 64.147.123.52:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 8.8.8.8:53 northcoast.com udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 8.8.8.8:53 src.dec.com udp
US 8.8.8.8:53 mx.cam.ac.uk udp
US 8.8.8.8:53 mxb-00377f03.gslb.pphosted.com udp
GB 131.111.8.147:25 mx.cam.ac.uk tcp
US 205.220.164.130:25 mxb-00377f03.gslb.pphosted.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 openoffice.org udp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 192.254.190.168:25 onlineconnections.com.au tcp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 nongnu.org udp
US 52.101.8.42:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 kinoho.net udp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 riseup.net udp
FI 142.250.150.26:25 alt3.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx1.riseup.net udp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 8.8.8.8:53 pb-mx20.pobox.com udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
US 173.228.157.39:25 pb-mx20.pobox.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxb-00377f01.gslb.pphosted.com udp
NL 185.183.28.235:25 mxb-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 74.125.71.26:25 gmail-smtp-in.l.google.com tcp
BE 142.251.173.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.153.26:25 aspmx2.googlemail.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 17.32.222.242:25 mx-in-mdn.apple.com tcp
US 8.8.8.8:53 pb-mx10.pobox.com udp
US 64.147.108.51:25 pb-mx10.pobox.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 8.8.8.8:53 rqseserhhs.org udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 76.223.67.189:80 rqseserhhs.org tcp
US 8.8.8.8:53 mxa-00377f01.gslb.pphosted.com udp
DE 185.132.181.97:25 mxa-00377f01.gslb.pphosted.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 8.8.8.8:53 pb-mx14.pobox.com udp
US 64.147.108.55:25 pb-mx14.pobox.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f03.gslb.pphosted.com udp
US 205.220.164.130:25 mxa-00377f03.gslb.pphosted.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
FI 142.250.150.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 pb-mx23.pobox.com udp
US 173.228.157.42:25 pb-mx23.pobox.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.251.9.26:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 pb-mx9.pobox.com udp
US 64.147.108.50:25 pb-mx9.pobox.com tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/4760-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 bb493278408dfd74589f4032804adf5a
SHA1 b522d5f7109fcdc212ffa393d6cc5c2d9c09b8d6
SHA256 99c8b1401a44c4fc60b0d424811afbe10718f26d512e00dfe1a1ba85fbc39a9a
SHA512 7d2460228c2b6c872c644e923c6c26e3304322fd096d9126e3e7f56bd92564397c9b1573dfdc6479c348df5fb68656bf44fa1c1d769fc032a3ece98bf5d38d6d

C:\Windows\SysWOW64\grcopy.dll

MD5 3659e54ee91ddc86b44bc1bf52bebe51
SHA1 e7a94a06c931c7c6f5e20d99758002ad81404f2b
SHA256 c5219c4d6bec2b10e9b8f586838b706dc85f29877bfaaae4f74bd94b89faf57e
SHA512 6de18df7ae89b62f1e24b6260e10f4515434d63b1362a9bcef7f33842aa52a4499fc71f6ad1500881d005a8256362f69e3b38d9d24d16559c2458c9de3ff6bf6

memory/4760-18-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 3507f16f17047d57a8bb8b83330b86d8
SHA1 5610bf405dbec5b98b20d202fcfae7b55b65a207
SHA256 6305bb90f5055a66f30bab1e9ce94e0be9944089e8e339ffa6d21b6e7263fcfc
SHA512 bad0effa2b7409bb85ad107c422406bfa1ce816d27bc2f663e88941ce63c2d3ecc8b61e3eb80ac605949d67fbadbe1cbb08bc795022bdc39efd6961561c6f25f

memory/4944-28-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2696-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4760-24-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4760-21-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-35-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 ae2be29a7b2060242edd864d1e60d8da
SHA1 a6fe7bb7d97bc81f5a86cd093406abfd87c839d0
SHA256 96eef8cbee44882d7abe85a318e7d1c5cafc3f5db417727732ba9051b08dbd7b
SHA512 44c00c5596dc3455b993d82a4d491fc566a834a9f197eb26730b71c527125c94cb644ddf186de9a1d02f1932d13c278029b808501d19bba3fe4585439cb88904

memory/4944-37-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-38-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4944-39-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-45-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-47-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4944-51-0x0000000000400000-0x000000000041F000-memory.dmp