Malware Analysis Report

2025-08-10 14:20

Sample ID: 241108-shgy7svamg
Target: e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N
SHA256: e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89
Tags: discovery, persistence, spyware, stealer
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89
Threat Level: Likely malicious

The file e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence, spyware, stealer

Drops file in Drivers directory
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Maps connected drives based on registry
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-08 15:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-08 15:07
Reported: 2024-11-08 15:09
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\smnss.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ctfmen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\smnss.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Windows\SysWOW64\smnss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\smnss.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Windows\SysWOW64\smnss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wbem\xsl-mappings.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\zipfiaq.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\cmnicfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\F12\Timeline.cpu.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\ipcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NdfEventView.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\zipfi.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\osinfo.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsCodecsRaw.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tcpbidi.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\pppcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wsmanconfig_schema.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\BIEvents.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\skins\winamp2.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office16\SLERROR.XML | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\servbusy.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\DisableAboutFlag.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Configuration.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a673a811fe1122c1\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-srh_31bf3856ad364e35_10.0.19041.153_none_8757c470b9a0156e\NarratorControlTemplates.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\diagnostics\index\BITSDiagnostic.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\PLA\Rules\es-ES\Rules.System.CPU.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.1081_none_7844725cf8ddff9b\r\timezoneMapping.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ja-jp-sym.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobecortana-main.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\502.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\http_403.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\PLA\Rules\ja-JP\Rules.System.Common.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\PLA\Rules\ja-JP\Rules.System.Wired.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\DisableAboutFlag.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\base_altgr.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\unknownprotocol.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\unifiedEnrollmentProgress.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.207_none_504b6becabbef9fe\oobeprovisioningprogress-main.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\enterpriseNgcEnrollment.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\405.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Report.System.Summary.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Rules.System.Diagnostics.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d34f4fd846c530a1\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrorunknownerror.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\enterpriseNgcEnrollment\views\enterpriseNgcEnrollment.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\8.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsrus.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscoveryError.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_dual_prnms012.inf_31bf3856ad364e35_10.0.19041.1_none_a3feabb281faa7e4\Amd64\MSIPP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\501.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401-2.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-9.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.CPU.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\dom.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_gen.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_es-es_776ebcbf40f21506\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\zh-phonetic.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\http_400.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\http_403.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_zhCN.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipshe.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\Fonts\fms_metadata.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\defaultbrowser.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\rscaext.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\UpgradeMatrix.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-17.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\500-18.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\startfresh.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrorquitapplicationguard.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\26.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.1_none_f830216e59eee182\tokens_deDE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_it-IT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..peech-en-us-onecore_31bf3856ad364e35_10.0.19041.1_none_bc42a9bf5c9b2605\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\GlobalInstallOrder.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\test.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\VdiState.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\pdferrorneedcontentlocally.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.19041.1_it-it_2e95c31087ddb067\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ApplicationGuard\LearnMore.html C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe

"C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto

Files

C:\Windows\SysWOW64\shervans.dll

C:\Windows\SysWOW64\grcopy.dll

C:\Windows\SysWOW64\ctfmen.exe

C:\Windows\SysWOW64\satornas.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 15:07

Reported

2024-11-08 15:09

Platform

win7-20241023-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\Amd64\KYW7QUR5.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_If.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WMI_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW0460T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_format.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_join.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Arithmetic_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1600T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpdp6.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_regular_expressions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_script_internationalization.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3100T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_2.0.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2400t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc353X.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.Wsman.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssession_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\RICFG7.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_properties.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf583u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_blocks.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CA.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL103.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbc7c5d1d33a67b5\clock.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpsd730t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..d-chinese-shuangpin_31bf3856ad364e35_6.1.7600.16385_none_1e8c88df3830bbcc\TableTextServiceSimplifiedShuangPin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_6.1.7601.17514_none_c99214378a23d63b\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_types.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_For.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\en-US\Report.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\Microsoft.PowerShell.Commands.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hp8500gt.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31139182_3447032128.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_795ac2ac69664653\Microsoft.IIS.Powershell.Provider.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-18.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_environment_variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_trap.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_format.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Vss\Writers\System\0bada1de-01a9-4625-8278-69e735f39dd2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c99bfc6ddd1bf1d2\slideShow.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_scripts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd7300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\Microsoft.PowerShell.Commands.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Panther\diagwrn.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-7.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31ba297055661ca3\erofflps.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9c4da920e2047ffc\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\en-US\Rules.System.CPU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_History.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Line_Editing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\Microsoft.PowerShell.Commands.Utility.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_CommonParameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_requires.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_script_internationalization.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_types.ps1xml.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_efb864eb1b8d487f\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_6.1.7600.16385_de-de_22518098b4e6d3e2\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_modules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpb8300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnts002.inf_31bf3856ad364e35_6.1.7600.16385_none_19d5b3fbc067e0bb\Amd64\tsmpu002.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_environment_variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_functions_advanced_methods.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\en-US\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Command_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_functions_advanced_parameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_de-de_37f6db1e3094fd2b\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe

"C:\Users\Admin\AppData\Local\Temp\e992b01d3268493cf5aaf1127ef550b1bb52e5437415310e5a36861eae578f89N.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 qarasaqmrn.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 megginson.com udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 megginson.com udp
US 52.101.42.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 hsnewqerea.net udp
US 8.8.8.8:53 qepqqmprnr.info udp
US 13.248.169.48:80 qepqqmprnr.info tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 bigelowandholmes.com udp
US 8.8.8.8:53 millert.dev udp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.42.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 52.101.41.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 52.101.41.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.41.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.18:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.9.26:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
NL 108.177.96.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 173.194.202.26:25 aspmx5.googlemail.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 sshqqrpapn.biz udp
US 8.8.8.8:53 aspawsqhwa.com udp
US 8.8.8.8:53 hmsrhawpaa.net udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 pqrhsswehn.in udp
US 8.8.8.8:53 hrrrmrmans.net udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 qqswwhsmsh.info udp
IE 34.246.200.160:80 qqswwhsmsh.info tcp
US 8.8.8.8:53 wwpwmnawpa.in udp
US 8.8.8.8:53 nmmpsnprns.us udp
US 8.8.8.8:53 hnahnsnahn.net udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 awshranpen.com udp
US 8.8.8.8:53 spampenhrs.biz udp
US 8.8.8.8:53 aqqrshqnqn.com udp
US 8.8.8.8:53 mephpeapqh.in udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
US 44.221.84.105:80 mephpeapqh.in tcp
US 8.8.8.8:53 rwshsrqams.org udp
DE 178.162.203.211:80 rwshsrqams.org tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp

Files

memory/2144-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 021a53df4eebbbc709b8d4c5042354ae
SHA1 35a4f333b43f63abb8fbcd0caafd54aa09e44f72
SHA256 8e40288ca688161fd43e615a4776fb22bc961f0d4ba32d751050f2f41eadc8ae
SHA512 f7cc51d8b61fec201efc9207189c4d24d622a745ba5a89fad334a98cafcf7560b8dc0fa6008fb03884a069376a068a5616514efea46096db6a8acd7fb7bd0874

memory/2144-12-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 21757df3fba722d67f95c4c6cd8b08f3
SHA1 3d1046bfeb340c50f40fde738e160f01f881a019
SHA256 071ce1a6a96cc9af3acb789b7a42155b6fe14d3a30498a4f4e09ecdbb3c6f39a
SHA512 ea7d3ab95e1aa6b34bff579f660b0aeafdd5137b3315889c2bf2ebd72685bbee3a2f372173ccea268c28571fb71adb1edad3fb385f021660744912f79dfbe043

memory/2144-24-0x0000000000350000-0x0000000000359000-memory.dmp

memory/2144-27-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2144-26-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2144-23-0x0000000000350000-0x0000000000359000-memory.dmp

memory/1312-29-0x0000000000400000-0x0000000000409000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 06f9a60fe792f7f6b1361e3cb84de8a3
SHA1 133197ae776f80fb25980ae3881228ea1de16024
SHA256 94dae8599b3708c45f4c5be59c5e9e724f880362b4481fbf68a42794203a6898
SHA512 69b303724f6432a560f8a33e59b3a24d17ca8e32b32e4490288dccc70a6f101b02aba15418843451996de16c5bc49adb7759bbd444de2c4d193f3e24c85d7fd6

memory/1312-31-0x0000000000340000-0x0000000000360000-memory.dmp

memory/2184-37-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1312-36-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2184-43-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 35e697deee1e114ba4b6ae21a38b2e6f
SHA1 6b46ebeb564f4e9f70249e3d088e9a2a126a5dbb
SHA256 f060ef37c08cdb353c30c553549d26b3092da43560ad8ee528b91e35abd8c443
SHA512 8bb7b79644fe0a29377820f6d93219694442970e159a72ccb9368ebc8fc70c4a7aae5cf571acd02178319c7eb9412b0fb9d50ee3654d0f2e9072f5d2a1e5e2c1

memory/2184-45-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2184-46-0x0000000010000000-0x000000001000D000-memory.dmp