Malware Analysis Report

2025-08-05 23:33

Sample ID 250119-xseztasjfm
Target 0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe
SHA256 0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351c
Tags
discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351c

Threat Level: Likely malicious

The file 0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Maps connected drives based on registry

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 19:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 19:06

Reported

2025-01-19 19:08

Platform

win7-20240729-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_prompts.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\xpsrchvw.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC9500S.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7700t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpf4400t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_locations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\System.Management.Automation.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1RC3L.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hphp915t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_aliases.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_blocks.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_History.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf6x5u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\erofflps.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\data\HardwareVendors.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_History.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Redirection.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO6200T.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scopes.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_blocks.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_eventlogs.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5300t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_aliases.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Commands.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3052F.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOGDS3L.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_ISE.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4660t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\KYW7QUR7.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_command_precedence.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\es-ES\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WS-Management_Cmdlets.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL077.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN111.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\gadget.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-10.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Break.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-3.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-2.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-5.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\GlobalInstallOrder.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5b995155abeb058c\Report.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_providers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_pssessions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_59e6a839753b16d1\flyout.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_48ab2da59753f08b\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\405.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\settings.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Editions\EnterpriseEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\Microsoft.PowerShell.Security.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Core_Commands.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\LocalizedData.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\ParameterInfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..t-services-unattend_31bf3856ad364e35_6.1.7600.16385_none_25104b6dbe690465\WdsUnattendTemplate.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Rules.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Report.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_CommonParameters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Quoting_Rules.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Reserved_Words.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\502.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hp8500gt.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_transactions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\Microsoft.PowerShell.Security.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\connectionmanager_dmr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_split.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-12.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-18.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsfra.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnkm003.inf_31bf3856ad364e35_6.1.7600.16385_none_50766fcc42797a9b\Amd64\koc650X.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_arrays.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Memory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31121889_917283856.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-15.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_logical_operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\base_jpn.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnky004.inf_31bf3856ad364e35_6.1.7600.16385_none_3dd58b93065f62f8\Amd64\KYW7QUR4.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_FAQ.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17f825275a083904\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31121888_2532009152.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_functions.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Foreach.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7c3aeb36c5f98c70\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e\erofflps.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\Microsoft.PowerShell.Commands.Management.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Language_Keywords.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Comparison_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Rules.System.Disk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Switch.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPC1RWSL.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_escape_characters.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8018a00683b41fc3\calendar.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_efed75e2fbac9517\cpu.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-9.htm C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe

"C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 qermhhmmrn.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 megginson.com udp
US 52.101.40.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 hnqrsprnhs.net udp
US 8.8.8.8:53 pheshqares.in udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 bigelowandholmes.com udp
US 8.8.8.8:53 millert.dev udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 hwrrhrqnsh.net udp
US 8.8.8.8:53 qwaeasqqsn.info udp
US 85.187.148.2:25 gzip.org tcp
US 52.101.40.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 mhhreprsnn.in udp
US 8.8.8.8:53 qpaqnwrqws.info udp
US 34.227.7.138:80 qpaqnwrqws.info tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 mqphenmpra.in udp
US 52.101.9.20:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 nmemhnqqnh.us udp
US 65.102.237.118:25 millert.dev tcp
US 8.8.8.8:53 mwqqwwhqhs.in udp
US 8.8.8.8:53 phhenwaepa.in udp
US 18.246.231.120:80 phhenwaepa.in tcp
US 8.8.8.8:53 hwrwrqmpph.net udp
SG 13.251.16.150:80 hwrwrqmpph.net tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 qswnpnhphn.info udp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 52.101.9.20:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 52.101.9.20:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 ssqeawpsas.biz udp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 qaqpeqnmna.info udp
US 8.8.8.8:53 hearrhmphh.net udp
US 65.102.237.118:25 millert.dev tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 arpwmmsnnh.com udp
US 8.8.8.8:53 emaqpwawhs.ws udp
US 64.70.19.203:80 emaqpwawhs.ws tcp
US 8.8.8.8:53 napqswwqah.us udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.44:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 coin.mpg udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 domain.com udp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.8.44:25 domain-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 wwesweasrs.in udp
US 8.8.8.8:53 pnpearqmpn.in udp
US 8.8.8.8:53 menamnaprs.in udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.26:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail2.edvz.uni-linz.ac.at udp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 pemhnnmqhs.in udp
SG 74.125.200.26:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.26:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 rnpqsrqqqn.org udp
NL 5.79.71.225:80 rnpqsrqqqn.org tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail4.edvz.uni-linz.ac.at udp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
AT 140.78.3.69:25 mail2.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 wnesarhehn.in udp
US 8.8.8.8:53 nqharpprah.us udp
US 8.8.8.8:53 hsspsaepah.net udp
US 8.8.8.8:53 nwsrremssn.us udp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 meaapmassh.in udp
US 8.8.8.8:53 awrwwwqqra.com udp
US 8.8.8.8:53 hwemahpmsr.net udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 papehrnmns.in udp
US 8.8.8.8:53 wqssmsphwh.in udp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
AT 140.78.3.82:25 mail4.edvz.uni-linz.ac.at tcp
FI 142.250.150.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 pwhssmawns.in udp
US 8.8.8.8:53 hehsqepasa.net udp
US 8.8.8.8:53 armsqmarms.com udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 msrqspwanh.in udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 qpprenspss.info udp
US 8.8.8.8:53 eqsmrprqps.ws udp
US 64.70.19.203:80 eqsmrprqps.ws tcp
US 8.8.8.8:53 qeqmhhsrna.info udp
US 8.8.8.8:53 sespwqhnaa.biz udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 108.177.96.27:25 aspmx.l.google.com tcp
NL 142.250.145.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 narmpnpqnh.us udp
US 8.8.8.8:53 eamhhwmssh.ws udp
US 64.70.19.203:80 eamhhwmssh.ws tcp
US 8.8.8.8:53 ppennnhhmn.in udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 shmmrhrahh.biz udp

Files

\Windows\SysWOW64\shervans.dll

MD5 4c304daf094f35d0bb5505eb5282508f
SHA1 1166fadb66d0b2d1c87ead24b239b4f49dd3894d
SHA256 991525039abc4e1ea19f969c01bada7489a4b124fd9d58ba095d39da1a42a053
SHA512 8839e72cf5b71ad9b0f1e9da3dfb622f8fc7b299fe7a692f060f5fa98cf35a0601dc3cfbf2d05d1ddb2cd7a1cd50c930486560bd086ff60f8346d73e8f0b1aa6

memory/1740-11-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 8653ab2c76d1bfd57049b9118cf50245
SHA1 e16ae0a850f7c596c1b3b5280921bf8faab378ef
SHA256 9ba884f945a8112e99e1479d5c0609413a4476adcd73ba8f6dbb4cc60e104b7f
SHA512 ceb37123453f10b5362f028a166eb5603ec997986c2c7865fa9e7032516884b33328c9dfc18bdd0f3b4e0cb8a7fa3104ec5fffec78e182cff34e6d863aabc52a

memory/2780-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1740-22-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1740-25-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 b1f67031ae79fccf01c8563c9550a4c2
SHA1 1dc591876655a9473ec01fd52a0733292eaf8b6c
SHA256 ac98cae277b999458837df40b0b08d71f0e29afc8f32025ef6e27a5e641434bd
SHA512 d669d6a05b39218b2f0c732cd17603e000d072458c68a30ac0b979e41e81168f145d8fbb027eeafbd63df1df5520b8ce5af63dcb65e5fc345ef60b289a2e4bf7

memory/2780-32-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2840-38-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 dd7f21d4ddf24528c66aee3430a962cd
SHA1 2fc0efd9c619507efb36f5e9ad8b006331515937
SHA256 e44be9997747c5230378b1f8a563114735bf65e2c8e8fecf4acf461025d89f8f
SHA512 2ba29ef8295ff1079c50085faaf73e82fc03571f85e64e1e1009df85bc4449160019ade4b1258f8949fbf241f83cdf9da034bf20b0185ab894f227c5fd7b12b5

memory/2840-40-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-41-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2840-42-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-44-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-46-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-48-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-50-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-54-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-56-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-58-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2840-60-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 19:06

Reported

2025-01-19 19:08

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\winamp2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\Rules\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\inspect.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\backstack-chrome-breadcrumb-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401-2.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrorrepurchasecontent.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\6.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..ectdialog.appxsetup_31bf3856ad364e35_10.0.19041.1_none_3f4396b90a71dc44\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\about_should.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..nrollment.appxsetup_31bf3856ad364e35_10.0.19041.1_none_7d08a9dfdeeefe23\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ae1a3f14dc8289ff\Report.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\acr_error.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-assemblylist_extended_xml_b03f5f7f11d50a3a_4.0.15805.0_none_190f33680a2debb9\AssemblyList_4_extended.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_ja-JP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftLync2010.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\cortana.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_es-es_2509cf5229985120\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\14.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_en-IN.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\common-header-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..rymanager.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_f52dbf51d6536fa6\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\needhvsi.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..nosticsframeworkapi_31bf3856ad364e35_10.0.19041.1_none_e0e2be0e4a7b510d\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Rules.System.Finale.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrorrepurchasecontent.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0c09\tokens_enAU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-frame-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\EducationEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipscht.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\unknownprotocol.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\f\appxmanifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_39a4d63e07cea862\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\412.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-csp_31bf3856ad364e35_10.0.19041.1202_none_e04a7941c90aaf6f\f\NGCProDDF_v1.2_final.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\db809d4736e5d7010da200001815341f.IIS_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-header-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\default.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\avtransport.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsptg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncutil_31bf3856ad364e35_10.0.19041.1_none_86cce7f676e99d52\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\SpeechDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-textinput-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500-15.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.appxsetup_31bf3856ad364e35_10.0.19041.1266_none_1810750b8eb9f2ea\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\acr_error.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\acr_error.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\avtransport.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..igurationdiagnostic_31bf3856ad364e35_10.0.19041.1_none_9a29135572e069ec\WindowsMediaPlayerConfiguration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_en-AU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_a682193ea7614721\f\appxblockmap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_411a61445fd08261\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_1277eb7f6aa856b4\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobenetworklossaversion-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_39a4d63e07cea862\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe

"C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 qermhhmmrn.info udp
US 8.8.8.8:53 hnqrsprnhs.net udp
US 8.8.8.8:53 pheshqares.in udp
US 8.8.8.8:53 hwrrhrqnsh.net udp
US 8.8.8.8:53 qwaeasqqsn.info udp
US 8.8.8.8:53 mhhreprsnn.in udp
US 8.8.8.8:53 qpaqnwrqws.info udp
US 34.227.7.138:80 qpaqnwrqws.info tcp
US 8.8.8.8:53 mqphenmpra.in udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 nmemhnqqnh.us udp
US 52.101.41.21:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 8.8.8.8:53 mwqqwwhqhs.in udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 phhenwaepa.in udp
US 8.8.8.8:53 acm.org udp
US 18.246.231.120:80 phhenwaepa.in tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 138.7.227.34.in-addr.arpa udp
US 8.8.8.8:53 hwrwrqmpph.net udp
SG 13.251.16.150:80 hwrwrqmpph.net tcp
US 8.8.8.8:53 qswnpnhphn.info udp
US 8.8.8.8:53 ssqeawpsas.biz udp
US 8.8.8.8:53 qaqpeqnmna.info udp
US 8.8.8.8:53 hearrhmphh.net udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 120.231.246.18.in-addr.arpa udp
US 8.8.8.8:53 arpwmmsnnh.com udp
US 8.8.8.8:53 emaqpwawhs.ws udp
US 64.70.19.203:80 emaqpwawhs.ws tcp
US 8.8.8.8:53 napqswwqah.us udp
US 8.8.8.8:53 wwesweasrs.in udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 pnpearqmpn.in udp
US 8.8.8.8:53 menamnaprs.in udp
US 8.8.8.8:53 pemhnnmqhs.in udp
US 8.8.8.8:53 wemarpqahs.in udp
US 8.8.8.8:53 rnpqsrqqqn.org udp
DE 178.162.203.226:80 rnpqsrqqqn.org tcp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 108.177.98.27:25 aspmx5.googlemail.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wnesarhehn.in udp
US 8.8.8.8:53 nqharpprah.us udp
US 8.8.8.8:53 hsspsaepah.net udp
US 8.8.8.8:53 nwsrremssn.us udp
US 8.8.8.8:53 meaapmassh.in udp
US 8.8.8.8:53 awrwwwqqra.com udp
US 8.8.8.8:53 hwemahpmsr.net udp
US 8.8.8.8:53 papehrnmns.in udp
US 8.8.8.8:53 wqssmsphwh.in udp
US 8.8.8.8:53 pwhssmawns.in udp
US 8.8.8.8:53 hehsqepasa.net udp
US 8.8.8.8:53 armsqmarms.com udp
US 8.8.8.8:53 msrqspwanh.in udp
US 8.8.8.8:53 qpprenspss.info udp
US 8.8.8.8:53 eqsmrprqps.ws udp
US 64.70.19.203:80 eqsmrprqps.ws tcp
US 8.8.8.8:53 qeqmhhsrna.info udp
US 8.8.8.8:53 sespwqhnaa.biz udp
US 8.8.8.8:53 narmpnpqnh.us udp
US 8.8.8.8:53 eamhhwmssh.ws udp
US 64.70.19.203:80 eamhhwmssh.ws tcp
US 8.8.8.8:53 ppennnhhmn.in udp
US 8.8.8.8:53 shmmrhrahh.biz udp
US 8.8.8.8:53 rhwphppaha.org udp
DE 178.162.203.226:80 rhwphppaha.org tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.216:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 whaammqwps.in udp
US 8.8.8.8:53 qwwwwseans.info udp
US 8.8.8.8:53 mmseneswrh.in udp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
NL 85.17.31.122:80 remrpqpseh.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.10.7:25 outlook-com.olc.protection.outlook.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 mwhnpqrmrn.in udp
US 8.8.8.8:53 pwramqmsms.in udp
US 8.8.8.8:53 hmamsmwhar.net udp
US 8.8.8.8:53 pqshhpemrn.in udp
US 8.8.8.8:53 wpqqhhspps.in udp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 8.8.8.8:53 spawwehsrs.biz udp
US 8.8.8.8:53 ppeseaqmms.in udp
US 8.8.8.8:53 msarphnewh.in udp
US 8.8.8.8:53 pwqpewwahh.in udp
US 8.8.8.8:53 hmparqsaqa.net udp
US 8.8.8.8:53 qsqpspspqn.info udp
US 8.8.8.8:53 haearrsqhn.net udp
US 8.8.8.8:53 qnrnwnwaas.info udp
US 8.8.8.8:53 weaeprawra.in udp
US 8.8.8.8:53 qmhqeesawh.info udp
US 8.8.8.8:53 ssnsphrnws.biz udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.153:80 aewrhprres.com tcp
US 8.8.8.8:53 mpehqsqwmn.in udp
US 8.8.8.8:53 rnrmmnpnpn.org udp
DE 178.162.203.211:80 rnrmmnpnpn.org tcp
US 8.8.8.8:53 153.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.24:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-sg.apple.com udp
SG 17.23.14.18:25 mx-in-sg.apple.com tcp
US 8.8.8.8:53 pobox.com udp
US 103.168.172.216:25 in1-smtp.messagingengine.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 202.12.124.217:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 8.8.8.8:53 northcoast.com udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 de-smtp-inbound-1.mimecast.com udp
US 8.8.8.8:53 cl.cam.ac.uk udp
DE 194.104.110.22:25 de-smtp-inbound-1.mimecast.com tcp
US 8.8.8.8:53 mx1.forwardemail.net udp
US 8.8.8.8:53 src.dec.com udp
US 138.197.213.185:25 mx1.forwardemail.net tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 8.8.8.8:53 211.203.162.178.in-addr.arpa udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 8.8.8.8:53 openoffice.org udp
US 192.254.190.168:25 onlineconnections.com.au tcp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.58:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 nongnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 kinoho.net udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
SG 74.125.200.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 riseup.net udp
US 8.8.8.8:53 mx1.riseup.net udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 172.217.218.27:25 aspmx.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 8.8.8.8:53 mx-in-vib.apple.com udp
DK 17.57.170.2:25 mx-in-vib.apple.com tcp
US 202.12.124.217:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 de-smtp-inbound-2.mimecast.com udp
DE 194.104.110.22:25 de-smtp-inbound-2.mimecast.com tcp
US 8.8.8.8:53 mx2.forwardemail.net udp
US 104.248.224.170:25 mx2.forwardemail.net tcp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.27:25 aspmx4.googlemail.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mwaaemmnhn.in udp
US 8.8.8.8:53 asnrrsamsa.com udp
US 23.82.12.31:80 asnrrsamsa.com tcp
US 8.8.8.8:53 whmrraawha.in udp
US 8.8.8.8:53 qmsaspnsna.info udp
US 8.8.8.8:53 hnehqqwwrs.net udp
US 8.8.8.8:53 qppamspwhs.info udp
US 8.8.8.8:53 weeqshswms.in udp
US 8.8.8.8:53 aanparshnh.com udp
NL 77.247.183.151:80 aanparshnh.com tcp
US 8.8.8.8:53 hpeqherars.net udp
US 8.8.8.8:53 nnhhneqnrh.us udp
US 8.8.8.8:53 saanqmaqpn.biz udp
US 8.8.8.8:53 armahmrsaa.com udp
US 8.8.8.8:53 wqahhaqenh.in udp
US 8.8.8.8:53 aharwhphnh.com udp
NL 212.32.237.101:80 aharwhphnh.com tcp
US 8.8.8.8:53 mnrepmepar.in udp
SG 13.251.16.150:80 mnrepmepar.in tcp
US 8.8.8.8:53 31.12.82.23.in-addr.arpa udp
US 8.8.8.8:53 101.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 151.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 apqhwmnqrh.com udp
US 8.8.8.8:53 mehsnsamha.in udp
US 8.8.8.8:53 qqpqwehwah.info udp
US 8.8.8.8:53 sqmswpnqws.biz udp
US 8.8.8.8:53 pqarnhhhhn.in udp
US 8.8.8.8:53 hqepnmqewn.net udp
US 8.8.8.8:53 rsrsemnren.org udp
US 216.245.214.85:80 rsrsemnren.org tcp
US 8.8.8.8:53 spewqmspma.biz udp
US 8.8.8.8:53 rahhhqwqqa.org udp
DE 178.162.217.107:80 rahhhqwqqa.org tcp
US 8.8.8.8:53 85.214.245.216.in-addr.arpa udp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 empewsqsqa.ws udp
US 64.70.19.203:80 empewsqsqa.ws tcp
US 8.8.8.8:53 pmnrrneaah.in udp
US 8.8.8.8:53 mnwsnarssr.in udp
US 8.8.8.8:53 rrpnmeawrs.org udp
DE 178.162.203.211:80 rrpnmeawrs.org tcp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 204.27.101.95.in-addr.arpa udp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 142.250.150.27:25 alt1.aspmx.l.google.com tcp
NL 172.217.218.27:25 aspmx.l.google.com tcp
FI 142.250.150.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in.g.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 sermsqqqna.biz udp
US 8.8.8.8:53 rsqsepmwas.org udp
DE 178.162.203.202:80 rsqsepmwas.org tcp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 202.203.162.178.in-addr.arpa udp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.26:25 gmail-smtp-in.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 108.177.98.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mx-in-rn.apple.com udp
US 17.56.176.6:25 mx-in-rn.apple.com tcp

Files

C:\Windows\SysWOW64\shervans.dll

MD5 99a04468c9cff2101d9cbefbec2463b4
SHA1 2f18c0ea86c2a6cc18424d53ffdd0951c54b9721
SHA256 94dfcfba828001ae13983c89e8f7d32ec08026bf8e6a67e231e16ee06955cf7a
SHA512 d24bc4abcbaef2fffde6afaa7ec76ef8b1ba77a24122007c4424fefe61d588bf1ce3c381e65bcc04309adbe4ac1ba5b95ff0546cd85eae9a3d16c46a3777ee6d

memory/3236-12-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 8a7ca882c696df58b3ec1ea5d7aaa888
SHA1 68bd54068060ee1c282a100ac1af18836f106fa2
SHA256 8eaae038ad04752344c0722c15f76ab4405591e2736fa4adf9cd288ef403d91c
SHA512 113afe5744f20209009c709bed80cb4098596389d14bf3b40033a9fcd833b2d893777a1ac09cd11ba50df02c4c215dbfc8d31427ff7ad5bcb32e2a15af8ee358

memory/3856-20-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 8a63e3dc9151675336f2e588f0d16ec7
SHA1 3034019cdc969f2af6cd671c9edba25a857feefd
SHA256 1501b3ba44e80b39acdda05859af691579ce6484074655b1a2af785983815663
SHA512 208d980b6e7ced91b01cb69bc076a418f14ffc57528b73c33e891a08b79d5d77f784c9de7497edd7f9088ffa861aa02059496b16ff8210f3d433b91277cc03c2

memory/3236-23-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3236-21-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3856-29-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 a4aaa79fc51c1d7091c639932358f311
SHA1 6255910ec19ea54f3d63331d90fa9cb1a567e7ab
SHA256 f7e02554e60bcb675108cd81e2b122f3026027bc2e9431d021db6678d949ac5f
SHA512 6a678f5fc5c375e4176d9dbfbe2538a70fd583e6b4a6a22c7f770e4f1de487d1959e50a9292725bb551a09ec48440b9d7a6cbb4cded836da54d48280fb4b08f9

memory/3920-35-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3920-37-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-38-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3920-39-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-41-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-43-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-45-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-47-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-51-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3920-55-0x0000000000400000-0x000000000041C000-memory.dmp