Malware Analysis Report

2025-08-11 07:45

Sample ID 241108-qn5aksslfz
Target f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N
SHA256 f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8
Tags
discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8

Threat Level: Likely malicious

The file f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Maps connected drives based on registry

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 13:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 13:25

Reported

2024-11-08 13:27

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_types.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_command_precedence.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPMCPDP5.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpcp6.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_data_sections.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comment_Based_Help.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\es-ES\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7600t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYW7QURY.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.Commands.Utility.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3050F.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC9500S.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYW7QUR5.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc610u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_regular_expressions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC5200F.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_aliases.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WS-Management_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\it-IT\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_preference_variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000nt.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.Wsman.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN096.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL026.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\SETUP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_WMI_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_eventlogs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_join.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Assignment_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8dbf2e4c46ccd2f2\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_job_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_de-de_37f6db1e3094fd2b\about_BITS_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_836a83fa126c10f7\about_BITS_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpoa320t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_91dde3f80ea85a5a\Report.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0098688ad232f281\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_logical_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Command_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Hand Prints.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_do.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_History.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_format.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a0ca3a01119ca4b\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1040\LocalizedData.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\auxbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_aliases.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\Microsoft.PowerShell.Security.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc5500t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\NetworkDiagnostics_1_Web.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-12.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Signing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_32d323ec6e85d609\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8dcb8bb83ef0bc47\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_transactions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea71b0ed2aff4b15\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-netfx3-core_31bf3856ad364e35_6.1.7601.17514_none_c5c6d478f0c06fa1\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\HardwareVendors.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0c66155a4e01171c\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d48bdce24e57241\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\es-ES\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\501.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO3100T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Comment_Based_Help.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-17.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Parsing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsplk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..ional-chinese-array_31bf3856ad364e35_6.1.7600.16385_none_64b02463c341f83d\TableTextServiceArray.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6884b0de065e8852\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-18.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-9.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-2.htm C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe

"C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 qarasaqmrn.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 52.101.10.8:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 hsnewqerea.net udp
US 8.8.8.8:53 qepqqmprnr.info udp
US 13.248.169.48:80 qepqqmprnr.info tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 bigelowandholmes.com udp
US 8.8.8.8:53 millert.dev udp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.10.8:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 85.187.148.2:25 gzip.org tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
US 85.187.148.2:25 gzip.org tcp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.10.8:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.145.26:25 aspmx.l.google.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
NL 142.250.145.26:25 aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
NL 142.250.145.26:25 aspmx.l.google.com tcp
NL 142.250.145.26:25 aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 sshqqrpapn.biz udp
US 8.8.8.8:53 aspawsqhwa.com udp
US 8.8.8.8:53 hmsrhawpaa.net udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 pqrhsswehn.in udp
US 8.8.8.8:53 hrrrmrmans.net udp
NL 142.250.145.26:25 aspmx.l.google.com tcp
NL 142.250.145.26:25 aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 qqswwhsmsh.info udp
IE 34.246.200.160:80 qqswwhsmsh.info tcp
US 8.8.8.8:53 wwpwmnawpa.in udp
US 8.8.8.8:53 nmmpsnprns.us udp
US 8.8.8.8:53 hnahnsnahn.net udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 awshranpen.com udp
US 8.8.8.8:53 spampenhrs.biz udp
US 8.8.8.8:53 aqqrshqnqn.com udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 173.194.202.27:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 mephpeapqh.in udp
US 44.221.84.105:80 mephpeapqh.in tcp
US 8.8.8.8:53 rwshsrqams.org udp
NL 85.17.31.82:80 rwshsrqams.org tcp
US 8.8.8.8:53 hsrqsnarns.net udp
US 8.8.8.8:53 rrmwmpnaea.org udp
NL 85.17.31.82:80 rrmwmpnaea.org tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mswwsshphn.in udp

Files

memory/2036-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 1351ff5c0b105a1b7a13c06304e3f550
SHA1 a81755c89a0557faee56d6d8cce68eb1923f2e78
SHA256 ec4fafb645d5712415d16df67ed04ce59d87a6a131f8a41e081a67de3215b5f9
SHA512 7b98d0906b50988b113173c776208ed52311b74a5ed56e2d1110be1a1c39a0ff808e5bf19a8ac24e8b890e86d84efe7839a95d2e52c2b2bc9abce00aae4915b2

memory/2036-12-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2036-24-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2036-25-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 9bb8301dbf50b22a0551638e51839adf
SHA1 59dbe8e7319ec7187612d79b49f067306ac16b64
SHA256 bb5007004f267d11f916d053b68bcf8eb559125a1f20f54125a68ce08bf877d9
SHA512 ce6b05ea7d5d79974ca6cad43457b377fe290c9ed294dd064ab4682b308baa5f47adde4ad1a4e7bea6d774e673f1bebe9c75ee03a9525abfe3f4f85751f58c52

memory/1680-27-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\smnss.exe

MD5 c57d1ab57b86a646079ca448d5b05b06
SHA1 77ce2e8d5cb734a9e74f60289fe26c6e9c6f3007
SHA256 a4bb272eab4d4f8ceda81f4a746cffe298bdf18dba3740e263a75054c68ab45d
SHA512 5fec67d300d86fdefe987ef8a95a45f1f22a9f242a528abc60f02adb30eefb024209f5b03ec3bb3fed38777acd75958a0d2980b687c8c0d2a559a01615c52b7e

memory/1680-29-0x0000000000320000-0x000000000033F000-memory.dmp

memory/2232-36-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1680-34-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2232-41-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 866d5a0283c3c92bb61ad38158f562f5
SHA1 e1207e602ef2a71fe13b659928afe66c17725b24
SHA256 998c6c3479ed9f302385f30251954f455eaca05571d415fab0b4189c5b11aaee
SHA512 66b7a5304826a562ac548b5916396cca1c4f636ca88bc5d92492fb8b1a46f0099eafa9b4f0705f312b07aefe8f9133db3ac5181e2f9b6afbcfe27eef2cf57187

memory/2232-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2232-44-0x0000000010000000-0x000000001000D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 13:25

Reported

2024-11-08 13:27

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.ja-jp.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_Resources\index.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tk.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\outlook_whatsnew.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\servicing\Sessions\31135899_1855489586.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorunknownerror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\oskmenubase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\AntiTheft\views\OobeAntiTheft-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokenManagerErrorHandler.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\unifiedEnrollmentProgress.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\r\appxblockmap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-19.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\en-US\Report.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135899_3993375388.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\acr_error.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..iondialog.appxsetup_31bf3856ad364e35_10.0.19041.1_none_a029d8a7ac063705\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\categories.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135899_3960059729.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeoemregistration-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WaaS\tasks\5ffea6126f02e78b9099eb4614d2d339f03ca5a8.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500-17.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\servbusy.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\NetFx40_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-9.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\PhishSiteEdge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_zhCN.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\sqsaLocalAccount.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\f\IIS_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\413-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Rules.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_it-IT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\WpcBlockFrame.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\CountryTable.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.1_none_b977d9566df127e9\MediaReceiverRegistrar.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\es-ES\Rules.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Editions\ProfessionalEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-button-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-10.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\413-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Logs\MoSetup\DeviceInventory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1266_none_69f1a169b4d96a7c\PCWDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\14.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\8.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\de-DE\Report.System.Memory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftNotepad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.19041.1_none_276764d7804d3bad\Appraiser_TelemetryRunList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\cortana.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobenetworklossaversion-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ervice-winrt-client_31bf3856ad364e35_10.0.19041.1266_none_cf053b35227a090b\EnrollmentStatusTrackingDDF.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\de-DE\Report.System.CPU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135899_1915331388.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorneedcontentlocally.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobelanguage-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-textinput-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_37a8fc596f462cbc\2.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ja-jp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ApplicationGuard\LearnMore.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_6d4be35dd691e117\f\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-12.htm C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe

"C:\Users\Admin\AppData\Local\Temp\f799f0e3e91fcacf2227083e2611601956f171328a3e51a21c2e5f21e4671cc8N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 qarasaqmrn.info udp
US 8.8.8.8:53 hsnewqerea.net udp
US 8.8.8.8:53 qepqqmprnr.info udp
US 13.248.169.48:80 qepqqmprnr.info tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.9.21:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.217:25 in1-smtp.messagingengine.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.41.59:25 outlook-com.olc.protection.outlook.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.56:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-sg.apple.com udp
SG 17.23.14.18:25 mx-in-sg.apple.com tcp
US 8.8.8.8:53 pobox.com udp
US 8.8.8.8:53 mx-1.rightbox.com udp
US 64.147.108.50:25 mx-1.rightbox.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 202.12.124.216:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 8.8.8.8:53 northcoast.com udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 8.8.8.8:53 mx.cam.ac.uk udp
GB 131.111.8.147:25 mx.cam.ac.uk tcp
US 8.8.8.8:53 src.dec.com udp
US 8.8.8.8:53 mxb-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 mxb-00377f03.gslb.pphosted.com udp
US 8.8.8.8:53 de-smtp-inbound-2.mimecast.com udp
DE 194.104.108.22:25 de-smtp-inbound-2.mimecast.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 192.254.190.168:25 onlineconnections.com.au tcp
US 8.8.8.8:53 openoffice.org udp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.22:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 nongnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 kinoho.net udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 riseup.net udp
US 8.8.8.8:53 mx1.riseup.net udp
FI 142.250.150.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.250.150.27:25 alt1.aspmx.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
DK 17.57.170.2:25 mx-in-vib.apple.com tcp
US 8.8.8.8:53 mx-2.rightbox.com udp
US 64.147.108.51:25 mx-2.rightbox.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 de-smtp-inbound-1.mimecast.com udp
DE 194.104.108.22:25 de-smtp-inbound-1.mimecast.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 173.194.202.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
DK 17.57.170.2:25 mx-in.g.apple.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 mxa-00377f03.gslb.pphosted.com udp
US 8.8.8.8:53 sshqqrpapn.biz udp
US 8.8.8.8:53 aspawsqhwa.com udp
US 8.8.8.8:53 hmsrhawpaa.net udp
US 8.8.8.8:53 hrrrmrmans.net udp
US 8.8.8.8:53 qqswwhsmsh.info udp
IE 34.246.200.160:80 qqswwhsmsh.info tcp
US 8.8.8.8:53 wwpwmnawpa.in udp
US 8.8.8.8:53 nmmpsnprns.us udp
US 8.8.8.8:53 hnahnsnahn.net udp
US 8.8.8.8:53 awshranpen.com udp
US 8.8.8.8:53 spampenhrs.biz udp
US 8.8.8.8:53 aqqrshqnqn.com udp
US 8.8.8.8:53 mephpeapqh.in udp
US 44.221.84.105:80 mephpeapqh.in tcp
US 8.8.8.8:53 rwshsrqams.org udp
DE 178.162.203.202:80 rwshsrqams.org tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 173.194.79.26:25 aspmx.l.google.com tcp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 173.194.202.27:25 aspmx5.googlemail.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-ma.apple.com udp
US 17.171.208.6:25 mx-in-ma.apple.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 8.8.8.8:53 hsrqsnarns.net udp
US 8.8.8.8:53 rrmwmpnaea.org udp
DE 178.162.203.202:80 rrmwmpnaea.org tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 202.203.162.178.in-addr.arpa udp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.aspmx.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp

Files

memory/852-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 78a0d3858d84bb3cceb562a604bfbd64
SHA1 50344041ea1a7c6d5e40dfd3b8c351f3d8bc1634
SHA256 9fcca37cefc39a5214fae5ea40704355bf9e598d0667991eb8b4096e0ff41692
SHA512 2f71b07d45432bd58342a6a8aae883c6f41851c64674b890559eeb908d5f6a6dc4795fea575bf693302bac0093b2f7664e75f2691431cb532f2f6431244c9aff

memory/852-12-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 4f92b2dba0d3b910c2f9495b6f93c4bb
SHA1 33ffd1b0fda257abdda41ffdcac698c3d604b374
SHA256 70aebc441cf4522ebb37412bef7d9340ea9c86d4946dbc9b9e6e2614b52636e1
SHA512 662626f742bbcb90fd1ed67904adf04b722182d40be464d06ea24d320fce4dea975266bf9a8ecda736297b8ba4551b4c7e4a664049e3eea05d93b591b8682dea

memory/2288-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/852-25-0x0000000010000000-0x000000001000D000-memory.dmp

memory/852-24-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 a187653d0386e4b7486de4b940d5df60
SHA1 98da51a6000a7dc46ed79be515c9af7585c071a6
SHA256 804176d7caf938bedcf147d8776bc670a3aa32c7faddd4279b9a92fbc6b9fe81
SHA512 14ef90e18c00ed5b36729b1b150ec7a295ffd2bcd2dea715bcc9d9febf6d9e46e0db51d8cd11bdd0a9472f0084499d7fa16038e9a1fe7724b0cf583bd1a1886e

memory/2288-28-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3936-30-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 e9a699ce016a2d6710fd8e98ef33a859
SHA1 cbcbdf6c657a114b90e8321496a4a676cf32c909
SHA256 57352f6a6d7c5cc7b467c6705d495cfc024b584eece24c1c8c04b75c188a4359
SHA512 c7b539e8a754c549ee9f13ed74d2ca38c4afb887a40265e5f4eaee1bc98ca8eb6f1fc030d8268c295af63dfed901d3371d5c70b33087e6c44e6939dec24c9b56

memory/3936-37-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3936-39-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3936-40-0x0000000010000000-0x000000001000D000-memory.dmp