Malware Analysis Report

2025-01-22 08:51

Sample ID 241027-s4rqjaygjh
Target 84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN
SHA256 84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbd
Tags
discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbd

Threat Level: Likely malicious

The file 84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 15:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 15:41

Reported

2024-10-27 15:43

Platform

win10v2004-20241007-en

Max time kernel

99s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\dotnet\ThirdPartyNotices.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\es.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml C:\Windows\SysWOW64\smnss.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\smnss.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe

"C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1504

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 qepswmenen.info udp
US 8.8.8.8:53 waqnqmnqnh.in udp
US 8.8.8.8:53 rwrepwprhs.org udp
US 162.249.65.106:80 rwrepwprhs.org tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.11.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 hwrnsnewhs.net udp
US 8.8.8.8:53 qshwwqanwa.info udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 hnhqrewean.net udp
US 8.8.8.8:53 qnhrmeanhs.info udp
US 8.8.8.8:53 mqphqnwshh.in udp
US 8.8.8.8:53 aaamhseqph.com udp
US 8.8.8.8:53 mmwmhqqsas.in udp
US 8.8.8.8:53 narhrweqms.us udp
US 8.8.8.8:53 epssrmrawh.ws udp
US 64.70.19.203:80 epssrmrawh.ws tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/2552-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 516b64c7b922e3e6aa75c3a719739b3f
SHA1 2013d82e531670f429a4e051410a530e97c33477
SHA256 246c6785b29f5f2aa77dabfbd4abb2a5cabfbd7c4c2abebc2a9ece5ba0d6b89e
SHA512 fa5304d2313df84a16e5336fe378f43fb09a7cd86cfaddf84a6248c682a43039ae5bf42153fe495e2e1ff26e407f07e8d391cb784956f3b017d45da727606450

memory/2552-13-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 641b7380e9c64de2deb98b28b17481ff
SHA1 c2bf10661bb4926184d9830f2d17cad576e674c7
SHA256 d4fe3553cf2387ab560fac88c8c570a98f0f5fd4112ed0f845285df570ae5c80
SHA512 dca9fd7de18de24b1e0ff10959406db2425a2411f86930e6c1b5ab36612fb54d915a5997cc129ba9fe847a34d9f5e91d54f8252df5cc2ef474c1e51a459f1036

C:\Windows\SysWOW64\ctfmen.exe

MD5 e146b773bcc137a3d7bd0b9fda308f58
SHA1 0619ae8c6625abfc93944979d656f9cace2f5478
SHA256 47799294fa7caf80d35ec8f21d94bd55d22c0dcdfa2a27371c2336a47665a360
SHA512 bd9ce229d29b41c50848f085427b0c833dcd3f2a997bd95880e8bf242d47356ccb5e69f4be9401c0131f32fba9d808e71edd5ece2ca0e4eb05e877da3043d654

memory/4404-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2552-24-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2552-23-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2512-29-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4404-31-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2512-37-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 77d913f398b748bad46a2d1356a112a6
SHA1 a2119ea0e50c0e49a7dfa4b8ca7bf4593ce204ed
SHA256 cc029f6a937b02c4cddddcb8423e10bbf2c2e918f61e839626115a76aa1807cc
SHA512 a5613d8415f5ec4c1f721a19980ffa3072db1ed934bf0a9e279a19c0e2f98262021a21c20c59e47f2da2df372d3580f6fb58387f92548606b6ee4be19f7643e3

memory/2512-39-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2512-40-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 15:41

Reported

2024-10-27 15:43

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.ConsoleHost.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_While.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5600T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1200T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Security.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_eventlogs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Redirection.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_PSSnapins.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_objects.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpah470t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WS-Management_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_job_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc650X.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\kyw7qur8.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Signing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa520t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc770u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Command_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pipelines.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Security.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Path_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBX4PIPELINECONFIG.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk7100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_command_precedence.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop4650X.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_For.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Commands.Utility.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_requirements.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2600T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\TIME.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceAmharic.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN054.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-14.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Report.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_History.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipscsy.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\WindowsUpdateDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_6.1.7600.16385_none_f72251fe8a04e1e5\NetTrace.PLA.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Arithmetic_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\base_rtl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpah470t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31129025_491039600.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0028f64744b4fccd\currency.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Return.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_type_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Rules.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Ref.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_018b4fa043769680\erofflps.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d0d72f2fd04aa217\Rules.System.NetTrace.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpj4660t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_wildcards.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_pssession_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_pssessions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\Microsoft.PowerShell.Commands.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\Rules.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8018a00683b41fc3\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_types.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eb3c5b6953d3caeb\about_BITS_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_If.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_script_internationalization.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Comment_Based_Help.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-3.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsnld.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hphp915t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hptf735t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_command_precedence.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31129025_425207600.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\Microsoft.PowerShell.ConsoleHost.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_hash_tables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ceb9e50fe1e709ac\Report.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe

"C:\Users\Admin\AppData\Local\Temp\84a7bb7391d98455afe704d802984efbd9733bf40636ed76d3239d0076e41fbdN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 qepswmenen.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 megginson.com udp
US 52.101.41.58:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 172.217.218.26:25 aspmx.l.google.com tcp
NL 142.251.31.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 waqnqmnqnh.in udp
US 8.8.8.8:53 rwrepwprhs.org udp
US 162.249.65.106:80 rwrepwprhs.org tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 millert.dev udp
US 8.8.8.8:53 bigelowandholmes.com udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 hwrnsnewhs.net udp
US 8.8.8.8:53 qshwwqanwa.info udp
US 85.187.148.2:25 gzip.org tcp
US 52.101.41.58:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 hnhqrewean.net udp
US 8.8.8.8:53 qnhrmeanhs.info udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.9.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
NL 142.251.31.26:25 aspmx.l.google.com tcp
NL 142.251.31.26:25 aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 mqphqnwshh.in udp
US 8.8.8.8:53 aaamhseqph.com udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 mmwmhqqsas.in udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
US 52.101.41.22:25 alumni-caltech-edu.mail.protection.outlook.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.41.22:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 narhrweqms.us udp
US 8.8.8.8:53 epssrmrawh.ws udp
US 64.70.19.203:80 epssrmrawh.ws tcp
US 8.8.8.8:53 rpammshmwa.org udp
US 162.249.65.106:80 rpammshmwa.org tcp
NL 142.251.31.26:25 aspmx.l.google.com tcp
NL 142.251.31.26:25 aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 wrseaqnaan.in udp
US 8.8.8.8:53 reqqrnpmah.org udp
US 162.249.65.106:80 reqqrnpmah.org tcp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 eaqenrmeas.ws udp
US 85.187.148.2:25 gzip.org tcp
US 64.70.19.203:80 eaqenrmeas.ws tcp
US 8.8.8.8:53 apnhwwsqpa.com udp
US 8.8.8.8:53 seehrhesrn.biz udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.19:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 coin.mpg udp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.40.24:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 qpsshrsssn.info udp
US 8.8.8.8:53 hhawhsannn.net udp
US 8.8.8.8:53 rnesamnrsh.org udp
US 162.249.65.106:80 rnesamnrsh.org tcp
US 8.8.8.8:53 mwwwppnaes.in udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 amehnqnpsa.com udp
US 8.8.8.8:53 wwnwawmhms.in udp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 aannmmhrsn.com udp
US 8.8.8.8:53 mesweqmrqn.in udp
US 8.8.8.8:53 nnmraqrpns.us udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 wwhesrpenr.in udp
US 8.8.8.8:53 rpperqwhms.org udp
US 162.249.65.106:80 rpperqwhms.org tcp
US 8.8.8.8:53 mwhpwqnpen.in udp
US 8.8.8.8:53 ammrmpsmsn.com udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 mqqshhhwms.in udp
US 8.8.8.8:53 rnpsenqqah.org udp
US 162.249.65.106:80 rnpsenqqah.org tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 eenamrmern.ws udp
US 64.70.19.203:80 eenamrmern.ws tcp
US 8.8.8.8:53 nnemhrpapn.us udp
US 8.8.8.8:53 srpaepmphh.biz udp
US 8.8.8.8:53 pnnqhwrwqa.in udp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 qqsqaenmwn.info udp
US 8.8.8.8:53 srwwaehrhh.biz udp
US 8.8.8.8:53 rpsnsphhhh.org udp
US 162.249.65.106:80 rpsnsphhhh.org tcp
US 8.8.8.8:53 shpwnmpnas.biz udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 aeqrrmwqah.com udp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
FI 142.251.1.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mnwsrsnswn.in udp
US 8.8.8.8:53 qhnrrreprs.info udp
US 8.8.8.8:53 swwmmahrnh.biz udp
US 8.8.8.8:53 npswhmmsps.us udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 wewamehnhs.in udp
US 8.8.8.8:53 nmsqwemmsa.us udp
US 8.8.8.8:53 waqqsrrhan.in udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.251.1.26:25 aspmx2.googlemail.com tcp
FI 142.251.1.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
US 162.249.65.106:80 remrpqpseh.org tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 hwnppemeea.net udp

Files

memory/2364-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 55772e37c10fc02fa04d0f98fccf1a29
SHA1 699f73851d1be371312fa8bc81c75112a2b89f35
SHA256 075db6793f42b82b6223654e9e829cb06361fc5b4f3fa45e79681f993eaedf2c
SHA512 6c914a96ba41c00da5ec09cccbaceda06610472b364d661171fe9c6ba49b8238d112a32bd3e9bc37ab9792eeb79dba1c6860b7967f9b8756f4f9d71f6239e93e

memory/2364-12-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2184-27-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 bc953dee8d4cee19b496d15019d85375
SHA1 2ed046cfde25de3a7e3786115b31ddb97f9643cc
SHA256 2e70705cc013958e36f8ebb93509fba196adae0dfe5a316021a8d43be4497559
SHA512 b0043a357d821b8fa77445b28ea3bcdc9bc9204c7fa04ec57bdfad5501a520c7d146709554274ef8ad16a46d4810de38dc6bede0fbe22269402bb13c3199e720

memory/2364-25-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2364-24-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 4b75e0554ff13627a7c272ffe8c7d421
SHA1 25b58785b5bc214b39f37ac87c62e31eb392ec2b
SHA256 1fc542e1f6d755aa86d9ae4d6d478997168c8a2369bc15a384fff15fe17219ee
SHA512 e761e56f700b1e27eba2357ffa4be69f3af723bc155678db308b1f629fdc67b1dff07110ef6cd5413077072d57cdf88fcb70f3d60f4c39fd75b25325c33aa1b4

memory/2476-34-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2184-32-0x0000000000320000-0x0000000000340000-memory.dmp

memory/2476-40-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 52d1713c10b9f0def3d4896247e5a7e0
SHA1 639ad36028d378fe96cbd4ea166292b91199e02f
SHA256 a32bd6c5eabe470c61ca88be79d4bd4b52f98240846411d3a577ea30a48b326c
SHA512 a76febd3d491271767b1ce2bddc071931423ed1910812a430d3c268a690cabd9270da10f43f29e15097d2f0d170100179c83dd9f339086f7f35c79ad4ddfdd9e

memory/2476-42-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2476-43-0x0000000010000000-0x000000001000D000-memory.dmp