Malware Analysis Report

2025-04-13 22:08

Sample ID 240825-lv2e2sxglg
Target 58233f2f22c36c5f9a3857021508e210N.exe
SHA256 a523b34da30cf4b7825db652e71c1ce04c57020c69e56177fbdc35df89ab8e6d
Tags
discovery persistence spyware stealer
Score
8/10


Analysis Overview

Score
8/10

SHA256

a523b34da30cf4b7825db652e71c1ce04c57020c69e56177fbdc35df89ab8e6d

Threat Level: Likely malicious

The file 58233f2f22c36c5f9a3857021508e210N.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Maps connected drives based on registry

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 09:52

Reported

2024-08-25 09:54

Platform

win7-20240708-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"

Signatures

Drops file in Drivers directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\smnss.exe | N/A |

ACProtect 1.3x - 1.4x DLL software

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ctfmen.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\smnss.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Windows\SysWOW64\smnss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\smnss.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\smnss.exe | N/A |

Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\smnss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\smnss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | C:\Windows\SysWOW64\smnss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe | N/A |

Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory

File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\base_ca.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_it-it_da156c29d2de7a95\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\Rules.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpd7500t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Automatic_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_parameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe

"C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 qewhshmsen.info udp
US 34.218.204.173:80 qewhshmsen.info tcp
US 8.8.8.8:53 wpwhpqraws.in udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 52.101.10.5:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 rsppprawrn.org udp
US 18.208.156.248:80 rsppprawrn.org tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 bigelowandholmes.com udp
US 8.8.8.8:53 millert.dev udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 mrsqwnmhwa.in udp
US 8.8.8.8:53 apaqwweesn.com udp
US 85.187.148.2:25 gzip.org tcp
US 52.101.10.5:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 wnhhwpqman.in udp
US 8.8.8.8:53 amamqheaen.com udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 snwwwwnqra.biz udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 prsrsreswh.in udp
US 8.8.8.8:53 emsnpqmnaa.ws udp
US 64.70.19.203:80 emsnpqmnaa.ws tcp
US 8.8.8.8:53 aswahwaqwn.com udp
US 85.187.148.2:25 gzip.org tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
US 85.187.148.2:25 gzip.org tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 epnnmpmnea.ws udp
US 64.70.19.203:80 epnnmpmnea.ws tcp
US 8.8.8.8:53 nmmmswamss.us udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 wpanwhahpn.in udp
US 8.8.8.8:53 qqrsmeawrh.info udp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 wsneamsrqs.in udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 52.101.41.58:25 alumni-caltech-edu.mail.protection.outlook.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 coin.mpg udp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.9.20:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 rrnsweenen.org udp
US 162.249.65.106:80 rrnsweenen.org tcp
US 8.8.8.8:53 wpsranresn.in udp
US 8.8.8.8:53 qqwaqwqwns.info udp
US 8.8.8.8:53 wshmnneqsr.in udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 rnrmsaeesr.org udp
US 162.249.65.106:80 rnrmsaeesr.org tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 eweqmrhnra.ws udp
US 64.70.19.203:80 eweqmrhnra.ws tcp
US 8.8.8.8:53 qaeesahees.info udp
US 8.8.8.8:53 hwpprwwawa.net udp
US 8.8.8.8:53 pawrsswnsa.in udp
US 8.8.8.8:53 ewaehhmrqh.ws udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 64.70.19.203:80 ewaehhmrqh.ws tcp
US 8.8.8.8:53 ahrwrshwph.com udp
US 8.8.8.8:53 sqaqqaeqmh.biz udp
US 8.8.8.8:53 nhqpwhmama.us udp
US 8.8.8.8:53 sesawnwqea.biz udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 qpwhwpqpqa.info udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 mqmwshhaqh.in udp
US 8.8.8.8:53 rrqmheqmqh.org udp
US 162.249.65.106:80 rrqmheqmqh.org tcp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.250.153.26:25 aspmx3.googlemail.com tcp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 ehpspqshqa.ws udp
US 64.70.19.203:80 ehpspqshqa.ws tcp
US 8.8.8.8:53 phphweqwna.in udp
NL 142.250.153.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
NL 142.250.153.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 snprrannra.biz udp
US 8.8.8.8:53 rahqwwphsh.org udp
US 162.249.65.106:80 rahqwwphsh.org tcp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 hpehwwhnqn.net udp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 pmqmannrna.in udp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mrrmehqnpa.in udp

Files

memory/1328-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 a2ff14d03b4b9807982d8598cb477b0a
SHA1 91eced4392c13f058848e86b497300ab90e8a06c
SHA256 985e70f0aa5c289ba95439e95ac35fccb7e650be7efc13d469d338616a8ad6df
SHA512 2c46e022fafdbed07ed498a530632e952a9d653f83cff29fa67c5d26b5f60d80d00bb15fa32ec0ce0492d0dd359e5ceadecd296bfbaf29d16056163c3f2810ab

memory/1328-12-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 38687b6f3b2291e9d28e846a41113312
SHA1 24e6d62cf27a351a3d572d353b74c03a2b5b480b
SHA256 f846291ff19ac96f854115798e6e0c5ff450cb0af999f1aca9cb0be98b622f51
SHA512 72f722159f6fed8e047e023d2c1f00d3839ec7da70f4b215a4b8746ba3158e59e4cd2e7fa18fb9605d5a666eb321bc62f389636d9a78ee61a983e7aea5954ff6

memory/1328-19-0x00000000003D0000-0x00000000003D9000-memory.dmp

memory/1328-27-0x0000000010000000-0x000000001000D000-memory.dmp

memory/1328-26-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 bae3a695826cf807175140b2b137411b
SHA1 32f716ee73a4a02d7c439ae6eb9e012c0e858768
SHA256 090764e2c74563ddb785e569266883e0f6c258ec4d256a186fced0ac8a964363
SHA512 19c2117c89da3abcdc7f724d6591e3ca98cc17a20387feb029bc66052e8eb1e5b6af39b40da750e191e301e4409aa60167e69e6bca373788acd9f75f69af8a92

memory/2028-29-0x00000000003A0000-0x00000000003BF000-memory.dmp

memory/2920-35-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2028-34-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 d879063b30321810e8b1797f9d4835b0
SHA1 f4ae9dab926e18f53d18b22572deb2e30bed8f4b
SHA256 05d3a998249e2e55a6ec8660ca2ba0dd84c50f03f8540a9a25496448e8d40f74
SHA512 136a231ab768a7cbf7fdd69f52295ef4a18665bf466b3ed6572b2a51615daa825c875ca2aa4c5a2adbfea260530867ff0b89f81dc09b3967556efac7f4bfdfeb

memory/2920-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2920-43-0x0000000010000000-0x000000001000D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:52

Reported

2024-08-25 09:54

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\README.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_91c1d6c40350b1b6\appcmd.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-listview-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\default-contentview-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\forbidframingedge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\tokens_enUS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\pdferrorrenewrentallicense.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\en-US\Report.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\Report.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_b4c98345579ad387\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\about_Pester.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_10.0.19041.1_none_adddf97aceb0fb8a\ThirdPartyNotices.MSHWLatin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\common-toggle-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\EducationEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-6.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\tlserror.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeenterpriseprovisioning-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..riventextservice-yi_31bf3856ad364e35_10.0.19041.1_none_f76e81415e04d416\TableTextServiceYi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\repost.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_en-IN.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiMachinePolicies_ContainerRealtime.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\413-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\osknav.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\500-15.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_406.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..riventextservice-yi_31bf3856ad364e35_10.0.19041.1_none_01c32b9392659611\TableTextServiceYi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\localAccount.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-hololens.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-17.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_prnms007.inf_31bf3856ad364e35_10.0.19041.1_none_70cec824c55a4876\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\test.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\tokens_esMX.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Finale.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\startfresh.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollment.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0c09\tokens_enAU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\7.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ko-kr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeactivitysyncconsent-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7\ThirdPartyNotices.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_9204c42a031e28cf\appcmd.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-light-contentview-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\AuditPol_ContainerRealtime.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\defaultbrowser.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4-netfx40_iis_schema_update_xml_b03f5f7f11d50a3a_4.0.15805.0_none_75d6696d58523dee\NetFx40_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\IdentityCRL\production\wlidsvcconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.CPU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\27.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeautopilotreboot-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\1.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\b4c1984536e5d701139b00001815341f.WebDAV_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Editions\ProfessionalEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nents-mdac-msdadiag_31bf3856ad364e35_10.0.19041.1_none_148d7181d1977196\WDAC_Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\BlockSite.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\main.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-9.htm C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe

"C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 qewhshmsen.info udp
US 34.218.204.173:80 qewhshmsen.info tcp
US 8.8.8.8:53 wpwhpqraws.in udp
US 8.8.8.8:53 rsppprawrn.org udp
US 18.208.156.248:80 rsppprawrn.org tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.9.11:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 mrsqwnmhwa.in udp
US 8.8.8.8:53 apaqwweesn.com udp
US 8.8.8.8:53 wnhhwpqman.in udp
US 8.8.8.8:53 amamqheaen.com udp
US 8.8.8.8:53 snwwwwnqra.biz udp
US 8.8.8.8:53 prsrsreswh.in udp
US 8.8.8.8:53 emsnpqmnaa.ws udp
US 64.70.19.203:80 emsnpqmnaa.ws tcp
US 8.8.8.8:53 aswahwaqwn.com udp
US 8.8.8.8:53 epnnmpmnea.ws udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 64.70.19.203:80 epnnmpmnea.ws tcp
US 8.8.8.8:53 nmmmswamss.us udp
US 8.8.8.8:53 wpanwhahpn.in udp
US 8.8.8.8:53 qqrsmeawrh.info udp
US 8.8.8.8:53 wsneamsrqs.in udp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
US 8.8.8.8:53 rrnsweenen.org udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 142.250.27.26:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 162.249.65.106:80 rrnsweenen.org tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 wpsranresn.in udp
US 8.8.8.8:53 qqwaqwqwns.info udp
US 8.8.8.8:53 rnrmsaeesr.org udp
US 162.249.65.106:80 rnrmsaeesr.org tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 202.12.124.216:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 eweqmrhnra.ws udp
US 64.70.19.203:80 eweqmrhnra.ws tcp
US 8.8.8.8:53 qaeesahees.info udp
US 8.8.8.8:53 hwpprwwawa.net udp
US 8.8.8.8:53 pawrsswnsa.in udp
US 8.8.8.8:53 ewaehhmrqh.ws udp
US 64.70.19.203:80 ewaehhmrqh.ws tcp
US 8.8.8.8:53 ahrwrshwph.com udp
US 8.8.8.8:53 sqaqqaeqmh.biz udp
US 8.8.8.8:53 nhqpwhmama.us udp
US 8.8.8.8:53 sesawnwqea.biz udp
US 8.8.8.8:53 qpwhwpqpqa.info udp
US 8.8.8.8:53 mqmwshhaqh.in udp
US 8.8.8.8:53 rrqmheqmqh.org udp
US 162.249.65.106:80 rrqmheqmqh.org tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.42.15:25 outlook-com.olc.protection.outlook.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 ehpspqshqa.ws udp
US 64.70.19.203:80 ehpspqshqa.ws tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 phphweqwna.in udp
US 8.8.8.8:53 snprrannra.biz udp
US 8.8.8.8:53 rahqwwphsh.org udp
US 162.249.65.106:80 rahqwwphsh.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hpehwwhnqn.net udp
US 8.8.8.8:53 pmqmannrna.in udp
US 8.8.8.8:53 mrrmehqnpa.in udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 qwpehrrhqh.info udp
IE 209.85.202.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 meammaenmn.in udp
US 8.8.8.8:53 rsampnrran.org udp
US 162.249.65.106:80 rsampnrran.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 8.8.8.8:53 pobox.com udp
US 8.8.8.8:53 pb-mx14.pobox.com udp
US 64.147.108.55:25 pb-mx14.pobox.com tcp
US 8.8.8.8:53 mrmwmnarws.in udp
US 8.8.8.8:53 nwrnwprmmh.us udp
US 8.8.8.8:53 sshnsrpenh.biz udp
US 8.8.8.8:53 psnqrqmpeh.in udp
US 8.8.8.8:53 wwearmsqrs.in udp
US 8.8.8.8:53 aqanannwqh.com udp
US 8.8.8.8:53 wasasnqrna.in udp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
US 162.249.65.106:80 remrpqpseh.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.220:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 8.8.8.8:53 northcoast.com udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 8.8.8.8:53 mx.cam.ac.uk udp
US 8.8.8.8:53 src.dec.com udp
GB 131.111.8.146:25 mx.cam.ac.uk tcp
US 8.8.8.8:53 mxa-00377f03.gslb.pphosted.com udp
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 mwhnpqrmrn.in udp
US 8.8.8.8:53 pwramqmsms.in udp
US 8.8.8.8:53 hmamsmwhar.net udp
US 205.220.164.130:25 mxa-00377f03.gslb.pphosted.com tcp
US 8.8.8.8:53 pqshhpemrn.in udp
US 8.8.8.8:53 wpqqhhspps.in udp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 8.8.8.8:53 spawwehsrs.biz udp
US 8.8.8.8:53 ppeseaqmms.in udp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 msarphnewh.in udp
US 8.8.8.8:53 pwqpewwahh.in udp
US 8.8.8.8:53 hmparqsaqa.net udp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 qsqpspspqn.info udp
US 8.8.8.8:53 haearrsqhn.net udp
US 8.8.8.8:53 qnrnwnwaas.info udp
US 8.8.8.8:53 weaeprawra.in udp
US 8.8.8.8:53 qmhqeesawh.info udp
US 8.8.8.8:53 ssnsphrnws.biz udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.154:80 aewrhprres.com tcp
US 8.8.8.8:53 mpehqsqwmn.in udp
US 8.8.8.8:53 154.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 rnrmmnpnpn.org udp
US 162.249.65.106:80 rnrmmnpnpn.org tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 openoffice.org udp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
US 192.254.190.168:25 onlineconnections.com.au tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mwaaemmnhn.in udp
US 8.8.8.8:53 asnrrsamsa.com udp
US 23.82.12.29:80 asnrrsamsa.com tcp
US 8.8.8.8:53 whmrraawha.in udp
US 8.8.8.8:53 qmsaspnsna.info udp
US 8.8.8.8:53 hnehqqwwrs.net udp
US 8.8.8.8:53 qppamspwhs.info udp
US 8.8.8.8:53 weeqshswms.in udp
US 8.8.8.8:53 aanparshnh.com udp
NL 77.247.183.152:80 aanparshnh.com tcp
US 8.8.8.8:53 hpeqherars.net udp
US 8.8.8.8:53 nnhhneqnrh.us udp
US 8.8.8.8:53 saanqmaqpn.biz udp
US 8.8.8.8:53 armahmrsaa.com udp
US 8.8.8.8:53 wqahhaqenh.in udp
US 8.8.8.8:53 aharwhphnh.com udp
US 23.82.12.29:80 aharwhphnh.com tcp
US 8.8.8.8:53 29.12.82.23.in-addr.arpa udp
US 8.8.8.8:53 152.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 mnrepmepar.in udp
SG 13.251.16.150:80 mnrepmepar.in tcp
NL 52.178.17.2:443 tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 nongnu.org udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 apqhwmnqrh.com udp
US 8.8.8.8:53 mehsnsamha.in udp
US 8.8.8.8:53 qqpqwehwah.info udp
US 8.8.8.8:53 sqmswpnqws.biz udp
US 8.8.8.8:53 pqarnhhhhn.in udp
US 8.8.8.8:53 hqepnmqewn.net udp
US 8.8.8.8:53 rsrsemnren.org udp
NL 77.247.183.153:80 rsrsemnren.org tcp
US 8.8.8.8:53 spewqmspma.biz udp
US 8.8.8.8:53 rahhhqwqqa.org udp
US 162.249.65.106:80 rahhhqwqqa.org tcp
US 8.8.8.8:53 153.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 kinoho.net udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
NL 142.250.153.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 riseup.net udp
US 8.8.8.8:53 mx1.riseup.net udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 empewsqsqa.ws udp
US 64.70.19.203:80 empewsqsqa.ws tcp
US 8.8.8.8:53 pmnrrneaah.in udp
US 8.8.8.8:53 mnwsnarssr.in udp
US 8.8.8.8:53 rrpnmeawrs.org udp
US 162.249.65.106:80 rrpnmeawrs.org tcp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-sg.apple.com udp
SG 17.23.14.18:25 mx-in-sg.apple.com tcp
US 8.8.8.8:53 pb-mx20.pobox.com udp
US 173.228.157.39:25 pb-mx20.pobox.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 sermsqqqna.biz udp
US 8.8.8.8:53 rsqsepmwas.org udp
US 162.249.65.106:80 rsqsepmwas.org tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mqpppnhaes.in udp
US 8.8.8.8:53 aqmrnawpan.com udp
US 8.8.8.8:53 wrnwernreh.in udp
US 8.8.8.8:53 aeaqmpsaqa.com udp
US 8.8.8.8:53 whwsqnemsn.in udp
US 8.8.8.8:53 rqeaqeewas.org udp
US 162.249.65.106:80 rqeaqeewas.org tcp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f01.gslb.pphosted.com udp
NL 185.183.28.235:25 mxa-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 wqpaamhwrs.in udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 reaaheeara.org udp
US 162.249.65.106:80 reaaheeara.org tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mnaahmqpqs.in udp
US 8.8.8.8:53 rrhaerswna.org udp
US 162.249.65.106:80 rrhaerswna.org tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wnhrrnhran.in udp
US 8.8.8.8:53 resrnrrmnn.org udp
US 162.249.65.106:80 resrnrrmnn.org tcp
US 171.64.64.64:25 cs.stanford.edu tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mannheraph.in udp
US 8.8.8.8:53 pqnqqqrpmh.in udp
US 8.8.8.8:53 smprehnwhs.biz udp
US 8.8.8.8:53 rhwnqwwnah.org udp
US 162.249.65.106:80 rhwnqwwnah.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 srsersmhsa.biz udp
SG 47.129.31.212:80 srsersmhsa.biz tcp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.26:25 alt1.aspmx.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 neshnhhwss.us udp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 mswapwrnan.in udp
US 8.8.8.8:53 ahsppnhrmh.com udp
US 8.8.8.8:53 wmamewnnea.in udp
US 8.8.8.8:53 nhwwheearh.us udp
US 8.8.8.8:53 msqepwamwn.in udp
US 8.8.8.8:53 pmmpmshmsr.in udp
US 8.8.8.8:53 aaawpshran.com udp
US 216.245.214.85:80 aaawpshran.com tcp
US 8.8.8.8:53 smmmwrsqhs.biz udp
US 8.8.8.8:53 pweenawwra.in udp
US 8.8.8.8:53 sqepwsanpn.biz udp
US 8.8.8.8:53 qseerensns.info udp
US 8.8.8.8:53 hnhsehnhpa.net udp
US 8.8.8.8:53 psswwrmraa.in udp
US 8.8.8.8:53 hwhnrpesma.net udp
US 8.8.8.8:53 qmqspqnhwa.info udp
US 8.8.8.8:53 shprahaqrh.biz udp
US 8.8.8.8:53 85.214.245.216.in-addr.arpa udp
US 8.8.8.8:53 rmmamheshh.org udp
US 162.249.65.106:80 rmmamheshh.org tcp
US 8.8.8.8:53 mx-in.g.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 pb-mx23.pobox.com udp
US 173.228.157.42:25 pb-mx23.pobox.com tcp
US 8.8.8.8:53 ennmqsmqna.ws udp
US 64.70.19.203:80 ennmqsmqna.ws tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 qseahwrsps.info udp
US 8.8.8.8:53 ehrawpsrms.ws udp
US 64.70.19.203:80 ehrawpsrms.ws tcp
US 8.8.8.8:53 naspqmsmeh.us udp
US 8.8.8.8:53 wwnmhhenpa.in udp
US 8.8.8.8:53 qmrmswrran.info udp
US 8.8.8.8:53 wqeasppnas.in udp
US 8.8.8.8:53 awhhsqness.com udp
US 8.8.8.8:53 eqprsrnprs.ws udp
US 64.70.19.203:80 eqprsrnprs.ws tcp
US 8.8.8.8:53 aaesrmawah.com udp
NL 212.32.237.92:80 aaesrmawah.com tcp
US 8.8.8.8:53 wnaampsmna.in udp
US 8.8.8.8:53 qpnphqawmh.info udp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 8.8.8.8:53 92.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 mxb-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 hmqrapnpsh.net udp
US 8.8.8.8:53 aqsnaasemh.com udp
US 8.8.8.8:53 haswmnsqah.net udp
US 8.8.8.8:53 aeaqnwmhes.com udp
DE 185.132.181.97:25 mxb-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 mqsnrenerh.in udp
US 8.8.8.8:53 nspseanhrs.us udp
US 8.8.8.8:53 haaahpspqs.net udp
US 8.8.8.8:53 qppqsasahn.info udp
US 8.8.8.8:53 mnnhnhahmh.in udp
US 8.8.8.8:53 nwrrpeshhn.us udp
US 8.8.8.8:53 wqsrephqms.in udp
US 8.8.8.8:53 nprhssnrmn.us udp
US 8.8.8.8:53 eqnhphnqms.ws udp
US 64.70.19.203:80 eqnhphnqms.ws tcp
US 8.8.8.8:53 neqanhanwn.us udp
SG 13.251.16.150:80 neqanhanwn.us tcp
US 8.8.8.8:53 smrnnmaqra.biz udp
US 8.8.8.8:53 nnnrpsanwh.us udp
US 8.8.8.8:53 wharrewhpn.in udp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 qhhnpesehs.info udp
US 8.8.8.8:53 mesrphwwas.in udp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 awmmprseha.com udp
US 8.8.8.8:53 weaamsqssa.in udp
US 8.8.8.8:53 rqeaqsqpsr.org udp
US 162.249.65.106:80 rqeaqsqpsr.org tcp
US 8.8.8.8:53 wrmqnnrqmh.in udp
US 8.8.8.8:53 npmpsewraa.us udp
US 8.8.8.8:53 whqrmqmnrs.in udp
US 8.8.8.8:53 nwqsnneawh.us udp
US 8.8.8.8:53 smwrehrsph.biz udp
US 8.8.8.8:53 qrmhwrwwmn.info udp
US 8.8.8.8:53 sprpmpqasn.biz udp
US 8.8.8.8:53 apmeppqwqh.com udp
US 8.8.8.8:53 wqpeaenphs.in udp
US 8.8.8.8:53 awqqrwmwsh.com udp
US 8.8.8.8:53 erphseshhh.ws udp
US 64.70.19.203:80 erphseshhh.ws tcp
US 8.8.8.8:53 nmerqanann.us udp
US 8.8.8.8:53 hpswpmhqah.net udp
US 8.8.8.8:53 psqesnmpph.in udp
US 8.8.8.8:53 hwnwwhmapa.net udp
US 8.8.8.8:53 nerrawwees.us udp
US 8.8.8.8:53 smqnsaanqs.biz udp
US 8.8.8.8:53 pehawnswha.in udp
US 8.8.8.8:53 wsmsannrsr.in udp
US 8.8.8.8:53 pnmhpsaqwn.in udp
US 8.8.8.8:53 wpraeqahma.in udp
US 8.8.8.8:53 napenhsmha.us udp
US 8.8.8.8:53 manrhhmrsn.in udp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 rqsepprwmh.org udp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 162.249.65.106:80 rqsepprwmh.org tcp
US 8.8.8.8:53 wnrphnsawn.in udp
US 8.8.8.8:53 npeewrpmsh.us udp
US 8.8.8.8:53 spmpesqama.biz udp
US 8.8.8.8:53 rpwrwpqmrs.org udp
US 162.249.65.106:80 rpwrwpqmrs.org tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 smspppawmn.biz udp
US 8.8.8.8:53 pmrqmemawa.in udp
US 8.8.8.8:53 wmphheprha.in udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.27.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 prmaahsmqs.in udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 emhmmwaasa.ws udp
US 64.70.19.203:80 emhmmwaasa.ws tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 aspmx4.googlemail.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-ma.apple.com udp
US 17.171.208.6:25 mx-in-ma.apple.com tcp
US 8.8.8.8:53 pb-mx11.pobox.com udp
US 64.147.108.52:25 pb-mx11.pobox.com tcp
US 8.8.8.8:53 pehprrmnns.in udp
US 8.8.8.8:53 hwenrqmmmh.net udp
US 8.8.8.8:53 nhamrnqsps.us udp
US 8.8.8.8:53 wpnermpasr.in udp
US 8.8.8.8:53 nnhssqsasr.us udp
US 8.8.8.8:53 mnmrweahpn.in udp
US 8.8.8.8:53 nhseewhaps.us udp
US 8.8.8.8:53 aewnhwwpwa.com udp
US 8.8.8.8:53 qsaqhnrwwn.info udp
US 8.8.8.8:53 swqrheamea.biz udp
US 8.8.8.8:53 aeaqppqhqs.com udp
US 8.8.8.8:53 mpnssapaws.in udp
US 8.8.8.8:53 rnehrmnwqa.org udp
US 162.249.65.106:80 rnehrmnwqa.org tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 wnnqnrwqea.in udp
US 8.8.8.8:53 qnmmhnspwn.info udp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxb-00377f03.gslb.pphosted.com udp
US 205.220.176.130:25 mxb-00377f03.gslb.pphosted.com tcp
US 8.8.8.8:53 wwaqpenhnn.in udp
US 8.8.8.8:53 rnrnqqawqs.org udp
US 162.249.65.106:80 rnrnqqawqs.org tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mmmphaeann.in udp
US 8.8.8.8:53 aweqaesrms.com udp
US 8.8.8.8:53 hswwqmmseh.net udp
US 8.8.8.8:53 qhqqqnerss.info udp
US 8.8.8.8:53 wnnempshra.in udp
US 8.8.8.8:53 qnhwpqaans.info udp
US 8.8.8.8:53 mpmhhhprnn.in udp
US 8.8.8.8:53 qhwqwrpwnn.info udp
US 8.8.8.8:53 mhaewrqnps.in udp
US 8.8.8.8:53 psqeppnaha.in udp
US 8.8.8.8:53 maanhsqens.in udp
US 8.8.8.8:53 qsspraneas.info udp
US 8.8.8.8:53 msprmhpesa.in udp
US 8.8.8.8:53 nrmwqewpnn.us udp
US 8.8.8.8:53 sphpehqmsh.biz udp
US 8.8.8.8:53 nwrrsharmn.us udp
US 8.8.8.8:53 wnhpqrweas.in udp
US 8.8.8.8:53 rmmwpwhapn.org udp
US 162.249.65.106:80 rmmwpwhapn.org tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hharwnqhha.net udp
US 8.8.8.8:53 rrqmmwahna.org udp
US 162.249.65.106:80 rrqmmwahna.org tcp
US 8.8.8.8:53 ssapaqsepa.biz udp
US 8.8.8.8:53 qqewasnrnr.info udp
US 8.8.8.8:53 mnpsepswhs.in udp
US 8.8.8.8:53 rammaswpsh.org udp
US 162.249.65.106:80 rammaswpsh.org tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.27:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
IE 209.85.202.27:25 aspmx.l.google.com tcp
FI 142.250.150.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 ssmrnmspws.biz udp
US 8.8.8.8:53 resmarqarn.org udp
US 162.249.65.106:80 resmarqarn.org tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 pb-mx21.pobox.com udp
US 173.228.157.40:25 pb-mx21.pobox.com tcp
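
The table above is a flat list of (country, ip:port, resolved name, protocol) rows. The script below is an added example, not part of the sandbox report: it parses such rows and pulls out the three things an analyst wants from this particular capture. First, which queried names look algorithmically generated. The generation heuristic is an assumption derived only from the rows on this page (ten lowercase letters drawn from the alphabet a e h m n p q r s w, with the first letter predicting the TLD); it is not a published family signature. Second, which of those names actually resolved (a TCP row follows the DNS query) and which IPs host several of them; the table alone cannot tell a live C2 from a sinkhole. Third, the port-25 connections to public MX hosts, which mean the sample is handing off mail itself, and the in-addr.arpa queries for addresses it has just contacted. SAMPLE_ROWS is a constructed subset copied verbatim from the table.

```python
"""Triage of a flattened sandbox network table (country, ip:port, name, proto)."""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied verbatim from the network table above. In
# practice paste the whole table here or read it from a file.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 rrhaerswna.org udp",
    "US 162.249.65.106:80 rrhaerswna.org tcp",
    "NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp",
    "NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp",
    "US 8.8.8.8:53 wnhrrnhran.in udp",
    "US 8.8.8.8:53 resrnrrmnn.org udp",
    "US 162.249.65.106:80 resrnrrmnn.org tcp",
    "US 171.64.64.64:25 cs.stanford.edu tcp",
    "US 8.8.8.8:53 srsersmhsa.biz udp",
    "SG 47.129.31.212:80 srsersmhsa.biz tcp",
    "US 8.8.8.8:53 aaawpshran.com udp",
    "US 216.245.214.85:80 aaawpshran.com tcp",
    "US 8.8.8.8:53 85.214.245.216.in-addr.arpa udp",
    "US 8.8.8.8:53 mx-in.g.apple.com udp",
    "NL 17.57.165.2:25 mx-in.g.apple.com tcp",
    "US 8.8.8.8:53 ennmqsmqna.ws udp",
    "US 64.70.19.203:80 ennmqsmqna.ws tcp",
    "US 8.8.8.8:53 qseerensns.info udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
]

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)

# Heuristic derived from the rows on this page, not a published family signature:
# the algorithmic-looking names are ten lowercase letters drawn from a ten-letter
# alphabet, and the first letter predicts the TLD. Treat it as an assumption.
DGA_ALPHABET = frozenset("aehmnpqrsw")
DGA_TLD_BY_FIRST = {
    "a": "com", "e": "ws", "h": "net", "m": "in", "n": "us",
    "p": "in", "q": "info", "r": "org", "s": "biz", "w": "in",
}


def parse_row(line):
    """Return a dict for one table row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def looks_dga(name):
    """True when a name matches the generation pattern observed in this report."""
    parts = name.lower().split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return (len(label) == 10 and set(label) <= DGA_ALPHABET
            and DGA_TLD_BY_FIRST.get(label[0]) == tld)


def ptr_target(name):
    """Decode a.b.c.d.in-addr.arpa into the IPv4 address d.c.b.a being reverse-resolved."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(rows):
    """Pull the indicators an analyst wants out of the raw table."""
    parsed = [r for r in map(parse_row, rows) if r]
    tcp = [r for r in parsed if r["proto"] == "tcp"]
    # A generated name that appears in a TCP row resolved, i.e. somebody registered
    # it (live C2 or a sinkhole; the table alone cannot tell which).
    resolved = {r["name"]: r["ip"] for r in tcp if looks_dga(r["name"])}
    shared = defaultdict(list)
    for name, ip in resolved.items():
        shared[ip].append(name)
    # PTR lookups for addresses the sample just contacted.
    ptr = {ptr_target(r["name"]) for r in parsed} - {None}
    return {
        "dga_queried": sorted({r["name"] for r in parsed if looks_dga(r["name"])}),
        "dga_resolved": resolved,
        "ips_hosting_several": {ip: sorted(n) for ip, n in shared.items() if len(n) > 1},
        # Port-25 connections to public MX hosts during detonation: the sample is
        # trying to hand off mail itself, which is spambot behaviour.
        "smtp_targets": Counter(r["name"] for r in tcp if r["port"] == 25),
        "ptr_of_contacted": sorted(ptr & set(resolved.values())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run it on the full table to get the registered subset of the generated names (the ones worth blocking or sinkhole-checking) and the MX hosts the sample tried to deliver to; the TCP rows record attempts only, so a row to port 80 or 25 does not prove the connection completed.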

Files

memory/3332-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 68c47e5f6cc0662081be5dfe12cddb42
SHA1 31acf71c702e9d9bf4ae70da555ca81e1d532fcb
SHA256 1d8e8132ee4d00011bfd8c36847bc082b47c89cce6ca792437fcaa143baffc36
SHA512 53c6684e526774421bc252e7446a3345f53b27c7108455f234c83ad241a3ed5b582a3e41ae5ddea15350bedaf50baf8a18fa74b3328880dcf131bfedac8b0359

memory/3332-12-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 2c7f6d9e230d95368ce6ae4ea03d8382
SHA1 2c6ba30de1a1a40b653f47bf1788f285fdc3f985
SHA256 5a402eaf7bc2108b86809c28f5f097bb9972e8d92148ce64c0c8153cc1cc1f0b
SHA512 320646bb6f18004dc1dfa9f7b0152211fe1d7ac253a9a7b4356bfb8404d0a3a547d91c25a911b4d0f5e9b0beef9bdc649e8e71aebe4940fc1ddbd891085f40f2

C:\Windows\SysWOW64\ctfmen.exe

MD5 a121fa663fdedcf5a592e0c7b766ed80
SHA1 b34345af5c39d72f7fec8345aa8ab7dc98989e7e
SHA256 fa7dfe06de722f219c5cadb4975a171ec49cc90fe99187aa195e101061b96bae
SHA512 119809d3b44c9bca82803c9933b678b6ef85050d2c14a987fef1975962b0244b4c7e941698165520e61d9953b7dda57ae5a25b30e6136ca4aaa4672d8cf615a3

memory/4888-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3332-24-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3332-23-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4480-30-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4888-29-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 5e59b5e88103db48edc65ccd92ec0bff
SHA1 aeca08ab9d5b328ea789d44ba5c23be848be36a5
SHA256 6b795ebaee7f7d889c4af478673c37986d3a4df1db2457a09742a655acaf5fba
SHA512 897d5373b5c726fd837e88f71863b3fffb3ae5712662907fe0f13975f32951be91de8effe272c9c542df765a6f2079d02a14f593f761938665fd2af0a8005b68

memory/4480-37-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4480-39-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4480-40-0x0000000010000000-0x000000001000D000-memory.dmp
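
The memory dump names in the Files section encode a process ID, a capture sequence number and a region range. The helper below is an added example, not part of the report: it parses those names (assuming the scheme memory/<pid>-<seq>-<start>-<end>-memory.dmp read off the entries above) and groups dumps by region base and size, so that the same image mapped into several processes stands out as one key with several PIDs. That 0x400000 and 0x10000000 are the classic default image bases for MSVC-linked executables and DLLs is a general hint for reading the groups, not something the report states; which dropped file sits in each region still has to be confirmed against the files' SizeOfImage. The ordering function assumes the sandbox numbers dumps in capture order. SAMPLE_DUMPS is constructed from the names listed above.

```python
"""Correlate the memory dumps listed in the Files section by region shape."""
import re
from collections import defaultdict

# Constructed sample: the dump names from the Files section above.
SAMPLE_DUMPS = [
    "memory/3332-0-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/3332-12-0x0000000010000000-0x000000001000D000-memory.dmp",
    "memory/4888-21-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/3332-24-0x0000000010000000-0x000000001000D000-memory.dmp",
    "memory/3332-23-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/4480-30-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/4888-29-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/4480-37-0x0000000010000000-0x000000001000D000-memory.dmp",
    "memory/4480-39-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/4480-40-0x0000000010000000-0x000000001000D000-memory.dmp",
]

# Assumed naming scheme, read off the entries above:
# memory/<pid>-<sequence>-<region start>-<region end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-"
    r"(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return pid, sequence number, region bounds and size, or None if not a dump name."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_shape(names):
    """Group dumps by (base, size): the same image mapped in several processes
    shows up as one key with several PIDs."""
    groups = defaultdict(set)
    for d in filter(None, map(parse_dump_name, names)):
        groups[(d["start"], d["size"])].add(d["pid"])
    return {shape: sorted(pids) for shape, pids in groups.items()}


def first_seen_order(names):
    """PIDs ordered by the sequence number of their earliest dump (assumes the
    sandbox numbers dumps in capture order)."""
    first = {}
    for d in filter(None, map(parse_dump_name, names)):
        first[d["pid"]] = min(first.get(d["pid"], d["seq"]), d["seq"])
    return sorted(first, key=first.get)


if __name__ == "__main__":
    for (base, size), pids in regions_by_shape(SAMPLE_DUMPS).items():
        print(f"base {base:#x} size {size:#x}: pids {pids}")
    print("first seen:", first_seen_order(SAMPLE_DUMPS))
```

On the names above this yields a 0x1F000-byte image at 0x400000 and a 0xD000-byte region at 0x10000000 in both PID 3332 and PID 4480, and a smaller 0x9000-byte image at 0x400000 in PID 4888, with the PIDs first captured in the order 3332, 4888, 4480.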