Malware Analysis Report

2025-03-15 04:28

Sample ID 241025-zy4w8ssnay
Target 3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN
SHA256 3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436ad
Tags
discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436ad

Threat Level: Likely malicious

The file 3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Maps connected drives based on registry

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 21:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 21:08

Reported

2024-10-25 21:10

Platform

win7-20240729-en

Max time kernel

16s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A
Note: the key path sits under Wow6432Node, so the writer is a 32-bit process running under WOW64. Its "C:\Windows\system32\ctfmen.exe" is redirected by the WOW64 file-system redirector to C:\Windows\SysWOW64\ctfmen.exe, which is where the "Drops file in System32 directory" table shows the file being created; the same redirection is why the Processes section lists smnss.exe launched as C:\Windows\system32\smnss.exe while its image runs from SysWOW64. Hunting only for the literal system32 path in the Run value will miss the file.

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lt.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ja.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ru.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\es.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Filters.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Windows\SysWOW64\smnss.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\smnss.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
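The Run key above and the COM InprocServer32 registration in this table both reference a file path written by a 32-bit process, so the path recorded in the registry and the path on disk differ (system32 versus SysWOW64 for the file, Wow6432Node in the key). The Python below is an added example, not part of the report or of the sandbox: it parses rows constructed from those two tables (sample file name shortened to sample.exe), resolves each write to the physical key, the key as the 32-bit writer sees it, and the on-disk path, and confirms that path against the "File created" entries from the "Drops file in System32 directory" table. The ATT&CK label and the classification rules are this example's own.

```python
"""Resolve WOW64-redirected registry and file artifacts from a sandbox report.

Added example, not part of the original report. REPORT_ROWS is constructed
from the "Adds Run key to start application" and "Modifies registry class"
tables (sample file name abbreviated to sample.exe); FILES_CREATED is the
set of "File created" paths from "Drops file in System32 directory".
"""
import re
from dataclasses import dataclass

REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
'''

FILES_CREATED = {
    r"C:\Windows\SysWOW64\ctfmen.exe",
    r"C:\Windows\SysWOW64\smnss.exe",
    r"C:\Windows\SysWOW64\shervans.dll",
    r"C:\Windows\SysWOW64\satornas.dll",
    r"C:\Windows\SysWOW64\grcopy.dll",
}

# Row layout: Description Indicator Process Target, with the indicator as <key> = "<data>".
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<writer>\S+) \S+$')
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


@dataclass
class RegistryArtifact:
    physical_key: str   # 64-bit view, HKLM\... form: where the value really lives
    value_name: str     # "" is the (Default) value
    data: str           # value data exactly as written
    on_disk: str        # where the referenced file actually landed
    wow64: bool         # written through the WOW64 registry redirector
    writer: str


def hive_path(raw):
    """Translate the kernel \\REGISTRY\\... prefix into the HKLM/HKU form tools use."""
    for prefix, hive in HIVES.items():
        if raw.upper().startswith(prefix.upper()):
            return hive + raw[len(prefix):]
    return raw


def logical_key(key):
    """The key as the 32-bit writer itself sees it (Wow6432Node elided)."""
    return re.sub(r"\\Wow6432Node(?=\\|$)", "", key, flags=re.IGNORECASE)


def wow64_file_path(path, wow64):
    """A 32-bit process that writes C:\\Windows\\system32\\x actually lands in SysWOW64\\x."""
    if not wow64:
        return path
    return re.sub(r"^([A-Za-z]:\\Windows\\)system32(?=\\)", r"\g<1>SysWOW64", path, flags=re.IGNORECASE)


def parse_rows(text):
    artifacts = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        raw_key, data, writer = m.group("key", "data", "writer")
        data = data.replace("\\\\", "\\")  # the report doubles backslashes inside value data
        key, _, value_name = raw_key.rpartition("\\")  # trailing "\" means the (Default) value
        wow64 = "wow6432node" in raw_key.lower()
        artifacts.append(RegistryArtifact(
            physical_key=hive_path(key), value_name=value_name, data=data,
            on_disk=wow64_file_path(data, wow64), wow64=wow64, writer=writer))
    return artifacts


def classify(a):
    """Example's own rules: which persistence/loading mechanism the key belongs to."""
    k = a.physical_key.lower()
    if k.endswith(r"\currentversion\run"):
        return "Run key persistence (ATT&CK T1547.001)"
    if r"\clsid\{" in k and k.endswith(r"\inprocserver32"):
        return "COM in-process server registration"
    return "other"


def hunt_list(text, files_created):
    """One dict per registry write, with the path a hunter should check on disk."""
    created = {p.lower() for p in files_created}
    rows = []
    for a in parse_rows(text):
        rows.append({
            "kind": classify(a),
            "physical_key": a.physical_key,
            "logical_key_32bit": logical_key(a.physical_key),
            "value_name": a.value_name or "(Default)",
            "data_as_written": a.data,
            "on_disk": a.on_disk,
            "confirmed_by_file_create": a.on_disk.lower() in created,
            "writer": a.writer,
        })
    return rows


if __name__ == "__main__":
    for row in hunt_list(REPORT_ROWS, FILES_CREATED):
        for k, v in row.items():
            print(f"{k:>26}: {v}")
        print()
```

The `physical_key` is what a 64-bit `reg query` or a forensic hive parser must be pointed at; the `logical_key_32bit` is what a 32-bit tool on the same host would report for the same data. The report does not identify what the CLSID normally is, so the registered DLL path, not the CLSID, is the indicator to carry forward.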

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1908 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe C:\Windows\SysWOW64\ctfmen.exe
PID 1908 wrote to memory of 2964 (logged 4 times) N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2964 wrote to memory of 2664 (logged 4 times) N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe

"C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 828

Network

Country Destination Domain Proto
US 8.8.8.8:53 qapnrqnnen.info udp
US 34.218.204.173:80 qapnrqnnen.info tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 wmshnphprn.in udp
FI 142.251.1.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
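The Network table above mixes DNS lookups with the TCP connections that followed them. As an added example (not part of the report or of the sandbox), the Python below parses rows constructed from that table and separates three things a responder wants: domains that were resolved but never contacted, direct tcp/25 connections to mail exchangers, and the ip:port pairs worth putting on an egress deny-list. The "direct-to-MX" rule is this example's own heuristic for mass-mailing behaviour and the threshold is an assumption; the sandbox itself makes no such statement.

```python
"""Triage the Network table of a sandbox report for egress indicators.

Added example, not part of the original report. NETWORK_ROWS is constructed
from the behavioral1 Network table; the direct-to-MX heuristic and the
deny-list builder are this example's own rules.
"""
import re
from collections import Counter
from dataclasses import dataclass

NETWORK_ROWS = """\
US 8.8.8.8:53 qapnrqnnen.info udp
US 34.218.204.173:80 qapnrqnnen.info tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 wmshnphprn.in udp
FI 142.251.1.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 courtesan.com udp
"""

# Row layout: Country Destination(ip:port) Domain Proto
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            flows.append(Flow(cc, ip, int(port), domain, proto))
    return flows


def is_dns(f):
    return f.proto == "udp" and f.port == 53


def summarize(flows):
    queried = Counter(f.domain for f in flows if is_dns(f))
    contacted = {f.domain for f in flows if not is_dns(f)}
    smtp = [f for f in flows if f.proto == "tcp" and f.port == 25]
    return {
        "dns_queries": queried,                                   # domain -> lookup count
        "queried_not_contacted": sorted(set(queried) - contacted),  # resolved, no connection seen
        "smtp_direct": [(f.domain, f.ip, f.country) for f in smtp],
        "http": [(f.domain, f.ip) for f in flows if f.proto == "tcp" and f.port == 80],
        "tcp_ports": sorted({f.port for f in flows if f.proto == "tcp"}),
    }


def direct_to_mx_mailer(summary, min_hosts=2):
    """Heuristic (this example's own): a workstation opening tcp/25 to several
    distinct mail exchangers itself, instead of relaying through the site's
    mail server, is behaving like a mass mailer. min_hosts is a tunable."""
    return len({d for d, _, _ in summary["smtp_direct"]}) >= min_hosts


def block_list(summary):
    """(ip, port) pairs for an egress deny-list: the SMTP and HTTP targets only."""
    pairs = {(ip, 25) for _, ip, _ in summary["smtp_direct"]}
    pairs |= {(ip, 80) for _, ip in summary["http"]}
    return sorted(pairs)


if __name__ == "__main__":
    s = summarize(parse_flows(NETWORK_ROWS))
    print("direct SMTP to MX hosts:", s["smtp_direct"])
    print("resolved but never contacted:", s["queried_not_contacted"])
    print("mass-mailer heuristic:", direct_to_mx_mailer(s))
    print("deny-list:", block_list(s))
```

Two practical notes. Outbound tcp/25 from user workstations is a policy violation on most networks regardless of what the sample is, so the `smtp_direct` entries are the cheapest firewall detection here. The `queried_not_contacted` list is weaker evidence: within a 20 s network window a lookup with no follow-up connection can mean the name did not resolve, the sandbox did not route it, or the sample simply ran out of time, so those domains belong in a watch-list rather than a block-list.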

Files

memory/2296-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 58fbe2526566b1769b8f0c3705d0423a
SHA1 c3be619130af63082100c902314e8c58d04725cd
SHA256 b4c66eba0be4fc7a7f6134d098ec826058f5aaf4ca86531759afb0da26e33965
SHA512 9c43449e7fea27971c5f28cf5ade64a79533c17c2e5211c79fb39daf0ddf995642e768e01d9547bb7c32458039592e236afe9b58c20dcc6bc548c3c4989ea3a7

memory/2296-12-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 7821db314a373a73422d7429b61dd23b
SHA1 9b690b7218236605e45acd8c59dcba2d1945cd18
SHA256 2823942569dd8b045285dd6b5ce19e27667d612370dacfd83839b0304f6c89e4
SHA512 c4447686b3ac86a1b0a14f35fc677b9029da1232b46f2503653206bc3e003921efcb5332011617095da239312e96927633b3658a64cd2a2ac7fcb8ca8400ad11

memory/2296-18-0x00000000002B0000-0x00000000002B9000-memory.dmp

memory/2296-27-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2296-26-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 6fc66f655fa04ac8fe3df70aca71c3ec
SHA1 b1a678f943e52fbce6bf6f08d7d27264516eb077
SHA256 b7611397b66a72c04c834bec49d1665a36d8a73a6d18e73c6dc8c44cac5e6816
SHA512 82f44504a2ad338b37c223a8e1169f5e35f22ec08f3b5778bee914b8b65845cd730f8532686782112e356b9626aa1829250f4bce5ef0808a9f03cbc182f23957

memory/1908-29-0x0000000000320000-0x0000000000340000-memory.dmp

memory/1908-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-34-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2964-40-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 30384658d847da3590d43332ab9c90cc
SHA1 afe4e21ed3baeefff3cef52f32254465110bdd9e
SHA256 cd68b719f738ab817579ef32a3afa869b14799650130980b27123a45be5c0788
SHA512 7fa5c9c240ce74865be6b118acce8b67b3221d140c9031dbc40335230dcea453c246e208513169413fd23ed2568795ef382772f35abe97e1be8e9e49d79ceede

memory/2964-45-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2964-46-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:08

Reported

2024-10-25 21:10

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jvisualvm.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\SLERROR.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fr.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorrenewrentallicense.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\9.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_52fbb1b86a870614\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Provisioning\IccidToRegion.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\EditionMappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\26.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_8b2066136dd02eb6\GlobalInstallOrder.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-netfx40_iis_schema_update_xml_b03f5f7f11d50a3a_4.0.15805.0_none_bd83a0446cce66f4\NetFx40_IIS_schema_update.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-csp_31bf3856ad364e35_10.0.19041.1202_none_e04a7941c90aaf6f\NGCProDDF_v1.2_final.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\unknownprotocol.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-header-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobecortana-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..t-services-unattend_31bf3856ad364e35_10.0.19041.1_none_7f0c674a44158439\WdsUnattendTemplate.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Report.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f727312db940011\OOBE_HELP_Opt_in_Details.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.19041.1081_none_21d54f6a980a590b\DenyAllAudit.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorunknownerror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\http_gen.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-listview-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeupdatesettings-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_de-de_d65920e5305e7eda\Rules.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\repost.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrordisabledforregion.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftOffice2013Win64.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..eexplorer.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_03d7aa1083b7645d\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\dom.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.153_none_212a5b73f083deb3\SystemResetPlugins.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsrus.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\insert.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_96396a6128717133\Rules.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.CPU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135899_1764589825.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\backstack-chrome-breadcrumb-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\RoamingCredentialSettings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\WpcBlockFrame.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.19041.1_none_73a90993e64b6c40\NetworkDiagnostics_2_FileShare.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipscsy.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrorrenewrentallicense.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ctionflow.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_4d3bd653a974d501\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx-aspnet_appdata_b03f5f7f11d50a3a_10.0.19041.1_none_14471de20d4e0380\GroupedProviders.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Diagnostics.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135899_3053131110.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0c0c\tokens_frCA.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bcf0807cccfa0873\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrorrepurchasecontent.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d34f4fd846c530a1\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\about_BeforeEach_AfterEach.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\invalidcert.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_it-it_0bf4c007e9677824\Rules.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_876d2c71ceefefbb\rscaext.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\http_404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3b6977e3578692c\Report.System.Wireless.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\431.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-powershellprovider_31bf3856ad364e35_10.0.19041.1_none_5141693de66f81ed\NavigationTypes.namespace.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Report.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Memory.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\PCWDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe

"C:\Users\Admin\AppData\Local\Temp\3308c4ccc6d47897e9f8ac4b351aabec981af60571d6080a72c84609fcb436adN.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 176.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 qapnrqnnen.info udp
US 34.218.204.173:80 qapnrqnnen.info tcp
US 8.8.8.8:53 wmshnphprn.in udp
US 8.8.8.8:53 nmwanswear.us udp
US 8.8.8.8:53 sshrrnweas.biz udp
US 8.8.8.8:53 qrhaswepeh.info udp
US 8.8.8.8:53 hwrhmqrnnr.net udp
US 8.8.8.8:53 pawspmnsms.in udp
US 8.8.8.8:53 hrrraewhar.net udp
US 8.8.8.8:53 rweqwnamwh.org udp
US 162.249.65.106:80 rweqwnamwh.org tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.9.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
FI 142.251.1.27:25 aspmx2.googlemail.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 wmmaqshnea.in udp
US 8.8.8.8:53 qeawhnhqhn.info udp
US 8.8.8.8:53 ehwqsrwssn.ws udp
US 64.70.19.203:80 ehwqsrwssn.ws tcp
US 8.8.8.8:53 phememsmma.in udp
US 8.8.8.8:53 wsqpprqsrn.in udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 nsrehmqhss.us udp
US 8.8.8.8:53 ssreqqaehs.biz udp
US 8.8.8.8:53 asmeessrph.com udp
US 8.8.8.8:53 mqphwwrpnn.in udp
US 8.8.8.8:53 rnqmwesrph.org udp
US 162.249.65.106:80 rnqmwesrph.org tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.216:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 ewshpqnmsh.ws udp
US 64.70.19.203:80 ewshpqnmsh.ws tcp
US 8.8.8.8:53 qnpqwrsaes.info udp
US 8.8.8.8:53 wwsnmshqma.in udp
US 8.8.8.8:53 qmshahesah.info udp
US 8.8.8.8:53 ewapnwhnhs.ws udp
US 64.70.19.203:80 ewapnwhnhs.ws tcp
US 8.8.8.8:53 rerheeehss.org udp
US 162.249.65.106:80 rerheeehss.org tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.194.18:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 wssqmrmrsh.in udp
US 8.8.8.8:53 pnenmhshra.in udp
US 8.8.8.8:53 swawenrqms.biz udp
US 8.8.8.8:53 qamemmaweh.info udp
US 8.8.8.8:53 eqnrwmrwes.ws udp
US 64.70.19.203:80 eqnrwmrwes.ws tcp
US 8.8.8.8:53 pphrphmhrs.in udp
US 8.8.8.8:53 swssrparqa.biz udp
US 8.8.8.8:53 rhwemhsphh.org udp
US 162.249.65.106:80 rhwemhsphh.org tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 eraqpeeres.ws udp
US 64.70.19.203:80 eraqpeeres.ws tcp
US 8.8.8.8:53 pnhammmpqh.in udp
US 8.8.8.8:53 mwrshrhear.in udp
US 8.8.8.8:53 qqnqewqams.info udp
US 8.8.8.8:53 erhwwwrmas.ws udp
US 64.70.19.203:80 erhwwwrmas.ws tcp
US 8.8.8.8:53 apesrprqqh.com udp
US 8.8.8.8:53 emehhmrpan.ws udp
US 64.70.19.203:80 emehhmrpan.ws tcp
US 8.8.8.8:53 npharqqhhs.us udp
US 8.8.8.8:53 errhsawwms.ws udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 64.70.19.203:80 errhsawwms.ws tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 nhpqssqeen.us udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mhpmsnqnnn.in udp
US 8.8.8.8:53 qawrwqnmea.info udp
US 8.8.8.8:53 sraqewaenh.biz udp
US 8.8.8.8:53 aawsmwrawn.com udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 eshmrnareh.ws udp
US 64.70.19.203:80 eshmrnareh.ws tcp
US 8.8.8.8:53 qnsmppehms.info udp
US 8.8.8.8:53 eaawmwwpnh.ws udp
US 64.70.19.203:80 eaawmwwpnh.ws tcp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
US 162.249.65.106:80 remrpqpseh.org tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.18:25 alumni-caltech-edu.mail.protection.outlook.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 mwhnpqrmrn.in udp
US 8.8.8.8:53 pwramqmsms.in udp
US 8.8.8.8:53 hmamsmwhar.net udp
US 8.8.8.8:53 pqshhpemrn.in udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 wpqqhhspps.in udp
US 8.8.8.8:53 mx-in-rn.apple.com udp
US 17.56.176.6:25 mx-in-rn.apple.com tcp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 pobox.com udp
US 8.8.8.8:53 mx-1.rightbox.com udp
US 64.147.108.51:25 mx-1.rightbox.com tcp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 8.8.8.8:53 spawwehsrs.biz udp
US 8.8.8.8:53 ppeseaqmms.in udp
US 8.8.8.8:53 msarphnewh.in udp
US 8.8.8.8:53 pwqpewwahh.in udp
US 8.8.8.8:53 hmparqsaqa.net udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 qsqpspspqn.info udp
US 8.8.8.8:53 haearrsqhn.net udp
US 8.8.8.8:53 qnrnwnwaas.info udp
US 8.8.8.8:53 weaeprawra.in udp
US 8.8.8.8:53 qmhqeesawh.info udp
US 8.8.8.8:53 ssnsphrnws.biz udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.155:80 aewrhprres.com tcp
US 8.8.8.8:53 mpehqsqwmn.in udp
US 8.8.8.8:53 rnrmmnpnpn.org udp
US 162.249.65.106:80 rnrmmnpnpn.org tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 202.12.124.216:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 155.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 8.8.8.8:53 northcoast.com udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 8.8.8.8:53 mxa-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 mx.cam.ac.uk udp
US 8.8.8.8:53 src.dec.com udp
GB 131.111.8.146:25 mx.cam.ac.uk tcp
NL 185.183.28.235:25 mxa-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 mwaaemmnhn.in udp
US 8.8.8.8:53 asnrrsamsa.com udp
NL 212.32.237.90:80 asnrrsamsa.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 8.8.8.8:53 openoffice.org udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 192.254.190.168:25 onlineconnections.com.au tcp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 whmrraawha.in udp
US 8.8.8.8:53 qmsaspnsna.info udp
US 8.8.8.8:53 hnehqqwwrs.net udp
US 8.8.8.8:53 qppamspwhs.info udp
US 8.8.8.8:53 weeqshswms.in udp
US 8.8.8.8:53 aanparshnh.com udp
NL 77.247.183.151:80 aanparshnh.com tcp
US 8.8.8.8:53 hpeqherars.net udp
US 8.8.8.8:53 nnhhneqnrh.us udp
US 8.8.8.8:53 saanqmaqpn.biz udp
US 8.8.8.8:53 armahmrsaa.com udp
US 8.8.8.8:53 wqahhaqenh.in udp
US 8.8.8.8:53 aharwhphnh.com udp
US 85.187.148.2:25 gzip.org tcp
NL 212.32.237.91:80 aharwhphnh.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 nongnu.org udp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 90.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 151.183.247.77.in-addr.arpa udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 kinoho.net udp
FI 142.251.1.27:25 aspmx2.googlemail.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 riseup.net udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx1.riseup.net udp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 108.177.119.26:25 aspmx.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 mx-2.rightbox.com udp
US 64.147.108.51:25 mx-2.rightbox.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f03.gslb.pphosted.com udp
US 205.220.164.130:25 mxa-00377f03.gslb.pphosted.com tcp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mnrepmepar.in udp
SG 13.251.16.150:80 mnrepmepar.in tcp
US 8.8.8.8:53 apqhwmnqrh.com udp
US 8.8.8.8:53 mehsnsamha.in udp
US 8.8.8.8:53 qqpqwehwah.info udp
US 8.8.8.8:53 sqmswpnqws.biz udp
US 8.8.8.8:53 pqarnhhhhn.in udp
US 8.8.8.8:53 hqepnmqewn.net udp
US 8.8.8.8:53 rsrsemnren.org udp
NL 77.247.183.150:80 rsrsemnren.org tcp
US 8.8.8.8:53 spewqmspma.biz udp
US 8.8.8.8:53 rahhhqwqqa.org udp
US 162.249.65.106:80 rahhhqwqqa.org tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 150.183.247.77.in-addr.arpa udp
US 171.64.64.64:25 cs.stanford.edu tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
NL 108.177.119.26:25 aspmx.l.google.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-sg.apple.com udp
SG 17.23.14.18:25 mx-in-sg.apple.com tcp
US 8.8.8.8:53 empewsqsqa.ws udp
US 64.70.19.203:80 empewsqsqa.ws tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 pmnrrneaah.in udp
US 8.8.8.8:53 mnwsnarssr.in udp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 8.8.8.8:53 de-smtp-inbound-2.mimecast.com udp
DE 194.104.108.22:25 de-smtp-inbound-2.mimecast.com tcp
US 8.8.8.8:53 rrpnmeawrs.org udp
US 162.249.65.106:80 rrpnmeawrs.org tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 sermsqqqna.biz udp
US 8.8.8.8:53 rsqsepmwas.org udp
US 162.249.65.106:80 rsqsepmwas.org tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mqpppnhaes.in udp
US 8.8.8.8:53 aqmrnawpan.com udp
US 8.8.8.8:53 wrnwernreh.in udp
US 8.8.8.8:53 aeaqmpsaqa.com udp
US 8.8.8.8:53 whwsqnemsn.in udp
US 8.8.8.8:53 rqeaqeewas.org udp
US 162.249.65.106:80 rqeaqeewas.org tcp
US 8.8.8.8:53 wqpaamhwrs.in udp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 reaaheeara.org udp
US 162.249.65.106:80 reaaheeara.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mnaahmqpqs.in udp
US 8.8.8.8:53 rrhaerswna.org udp
US 162.249.65.106:80 rrhaerswna.org tcp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
FI 142.251.1.26:25 alt1.aspmx.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wnhrrnhran.in udp
US 8.8.8.8:53 resrnrrmnn.org udp
US 162.249.65.106:80 resrnrrmnn.org tcp
US 8.8.8.8:53 mx-in-ma.apple.com udp
US 17.171.208.6:25 mx-in-ma.apple.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 de-smtp-inbound-1.mimecast.com udp
DE 194.104.108.22:25 de-smtp-inbound-1.mimecast.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mannheraph.in udp
US 8.8.8.8:53 pqnqqqrpmh.in udp
US 8.8.8.8:53 smprehnwhs.biz udp
US 8.8.8.8:53 rhwnqwwnah.org udp
US 162.249.65.106:80 rhwnqwwnah.org tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 srsersmhsa.biz udp
SG 47.129.31.212:80 srsersmhsa.biz tcp
US 8.8.8.8:53 neshnhhwss.us udp
US 8.8.8.8:53 mswapwrnan.in udp
US 8.8.8.8:53 ahsppnhrmh.com udp
US 8.8.8.8:53 wmamewnnea.in udp
US 8.8.8.8:53 nhwwheearh.us udp
US 8.8.8.8:53 msqepwamwn.in udp
US 8.8.8.8:53 pmmpmshmsr.in udp
US 8.8.8.8:53 mahwmwnrmn.in udp
US 8.8.8.8:53 aaawpshran.com udp
US 216.245.214.84:80 aaawpshran.com tcp
US 8.8.8.8:53 smmmwrsqhs.biz udp
US 8.8.8.8:53 pweenawwra.in udp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 84.214.245.216.in-addr.arpa udp
US 8.8.8.8:53 sqepwsanpn.biz udp
US 8.8.8.8:53 qseerensns.info udp
US 8.8.8.8:53 hnhsehnhpa.net udp
US 8.8.8.8:53 psswwrmraa.in udp
US 8.8.8.8:53 hwhnrpesma.net udp
US 8.8.8.8:53 qmqspqnhwa.info udp
US 8.8.8.8:53 shprahaqrh.biz udp
US 8.8.8.8:53 rmmamheshh.org udp
US 162.249.65.106:80 rmmamheshh.org tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 173.194.202.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.251.1.26:25 alt1.aspmx.l.google.com tcp
FI 142.251.1.26:25 alt1.aspmx.l.google.com tcp
FI 142.251.1.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 ennmqsmqna.ws udp
US 64.70.19.203:80 ennmqsmqna.ws tcp
US 8.8.8.8:53 qseahwrsps.info udp
US 8.8.8.8:53 ehrawpsrms.ws udp
US 64.70.19.203:80 ehrawpsrms.ws tcp
US 8.8.8.8:53 naspqmsmeh.us udp
US 8.8.8.8:53 wwnmhhenpa.in udp
US 8.8.8.8:53 qmrmswrran.info udp
US 8.8.8.8:53 wqeasppnas.in udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 awhhsqness.com udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 eqprsrnprs.ws udp
US 64.70.19.203:80 eqprsrnprs.ws tcp
US 8.8.8.8:53 aaesrmawah.com udp
NL 212.32.237.92:80 aaesrmawah.com tcp
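Two patterns in the table above are worth pulling out before reading the Files section. First, every one of the unfamiliar names is a ten-character label built only from the letters a, e, h, m, n, p, q, r, s and w, and the first letter of the label fixes the TLD (h → .net, p/m/w → .in, n → .us, s → .biz, q → .info, a → .com, r → .org, e → .ws); only a handful of them get a tcp/80 connection after the lookup, which is how a domain-generation algorithm looks when most of the candidate names are unregistered. Second, the sample makes tcp/25 connections to dozens of public mail exchangers (googlemail, apple.com, outlook.com, mail.ru, university MXs), which is what direct-to-MX mail sending looks like rather than ordinary client traffic; note also the in-addr.arpa queries for addresses it had just connected to on port 80. The script below is an added example, not part of the sandbox report: it parses lines in the report's `CC ip:port host proto` layout from a constructed excerpt of the table and separates the three behaviours. The alphabet and first-letter-to-TLD rule are read off this table only and are an assumption about this sample, not a general DGA rule.

```python
import re
from collections import Counter

# Constructed excerpt of the sandbox network table above (country, ip:port, host,
# protocol). The lines are copied from the report; the full table is far longer.
SAMPLE_LOG = """\
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 wpqqhhspps.in udp
US 8.8.8.8:53 mx-in-rn.apple.com udp
US 17.56.176.6:25 mx-in-rn.apple.com tcp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.155:80 aewrhprres.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
SG 74.125.200.27:25 aspmx3.googlemail.com tcp
TW 142.250.157.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 rnrmmnpnpn.org udp
US 162.249.65.106:80 rnrmmnpnpn.org tcp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+(?P<proto>tcp|udp)$"
)

# Assumption read off this report's table only: every generated label is exactly
# ten characters from a ten-letter alphabet, and its first letter selects the TLD.
DGA_ALPHABET = frozenset("aehmnpqrsw")
DGA_TLD_BY_FIRST_LETTER = {
    "a": "com", "e": "ws", "h": "net", "m": "in", "n": "us",
    "p": "in", "q": "info", "r": "org", "s": "biz", "w": "in",
}


def parse_log(text):
    """Parse 'CC ip:port host proto' lines into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_dga_domain(host):
    """True when host matches the generation pattern seen in this sample."""
    parts = host.lower().split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return (
        len(label) == 10
        and set(label) <= DGA_ALPHABET
        and DGA_TLD_BY_FIRST_LETTER.get(label[0]) == tld
    )


def ptr_target(host):
    """Return the IPv4 address behind an in-addr.arpa query, or None."""
    suffix = ".in-addr.arpa"
    if not host.endswith(suffix):
        return None
    octets = host[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows):
    """Split the connection log into the behaviours this sample shows."""
    dga_queried = set()      # generated names the sample resolved
    dga_live = {}            # generated names that answered: name -> HTTP peer
    smtp_peers = Counter()   # MX hosts contacted on tcp/25 (direct-to-MX mailing)
    contacted_ips = set()
    ptr_lookups = []

    for r in rows:
        host, ip, port, proto = r["host"], r["ip"], r["port"], r["proto"]
        if proto == "tcp":
            contacted_ips.add(ip)
        target = ptr_target(host)
        if target is not None:
            ptr_lookups.append(target)
        elif is_dga_domain(host):
            dga_queried.add(host)
            if proto == "tcp" and port == 80:
                dga_live[host] = ip
        elif proto == "tcp" and port == 25:
            smtp_peers[host] += 1

    # Reverse lookups of peers the sample itself just connected to are a cheap
    # second signal that the earlier tcp/80 hit was a live check-in, not a miss.
    ptr_of_own_peers = sorted(t for t in ptr_lookups if t in contacted_ips)

    return {
        "dga_queried": sorted(dga_queried),
        "dga_live": dga_live,
        "smtp_peers": dict(smtp_peers),
        "ptr_of_own_peers": ptr_of_own_peers,
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full table, `dga_live` gives the short list of hosts worth blocking or pivoting on (13.251.16.150, 77.247.183.150-155, 162.249.65.106, 212.32.237.90-92, 64.70.19.203, 216.245.214.84, 47.129.31.212 in this report), while the long `dga_queried` list is the raw material for a DNS detection rule; the `smtp_peers` count is what to hand to the mail team, since outbound tcp/25 from a workstation to public MX hosts should not happen at all.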

Files

memory/4676-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 03f4766f6499af4e72936863bba3324c
SHA1 9ef1f4634ee0819906f87d3db9e1fc91ea686ad0
SHA256 28326f68696e4a4c42e38af460d9bd2cb6d176cd37160dbc3f910e0e7ccde524
SHA512 68c569b29d4d5950f9eb6bead34aea8abcf14dacb5958d40e64ed02821fd0ac16d0458e9788aa66f0bfbf134cea98b653536a215ebc04f634339d9f16f9bfef6

memory/4676-12-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 0f2079b97cc7bed9a92064a6247c3ab8
SHA1 4c9a8f13266cef8f9446bc6acdf8ff67d3368f3a
SHA256 6de416af134d950801a82020e36482e0325840fd17c0e118bc471efb5842c5a3
SHA512 468bbbf241467f79654360823637b211c2129e08ca48b19165b0e715c7443f3c958fcd256434a4bba4a420bf11228a1f2a1cbc6085aa80ac7e70162e1914f190

C:\Windows\SysWOW64\ctfmen.exe

MD5 4cab5c9e7837f7741bc67bfa774aa828
SHA1 d26510bd0e88d8f04b8f1c2940732738db60f11f
SHA256 a3071ae49cd31e5d7851e7687d6b2c3b525fa984feab71083a8a443c6a6a3f35
SHA512 65eaeb2772f1fd6f392db4363da8fd0faf6f6fb76ed46a03fcd34cafb4b6dab2f8066c43c4ab20bc85191d745823061f6bdc161f462d659f78468694a01842a8

memory/4792-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4676-24-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4676-23-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2308-28-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4792-31-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2308-37-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 a0af425eb4fbdbb8cbbb98a87704b01e
SHA1 450c82697c155987782590158f0c6d13ce160514
SHA256 efb22cdd9e73800b41874175f07773ec1db90880ae8dbd7a0391228f3913f7b5
SHA512 79e92d5b04b61b5f985ff22327f09bc325dc755c584cf7945b456e464e713ef272a574131ad06e8c7f2403f77cd343f3e43c259b29410971a86ab844434348c2

memory/2308-39-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2308-40-0x0000000010000000-0x000000001000D000-memory.dmp