Malware Analysis Report

2025-08-11 04:38

Sample ID: 250119-n4xjkawrhj
Target: c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe
SHA256: c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7
Tags: discovery persistence spyware stealer
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7

Threat Level: Likely malicious

The file c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Adds Run key to start application

Maps connected drives based on registry

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-19 11:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-19 11:57

Reported: 2025-01-19 11:59

Platform: win10v2004-20241007-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\smnss.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ctfmen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\smnss.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Windows\SysWOW64\smnss.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\smnss.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\xsl-mappings.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsCodecsRaw.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\ipcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\pppcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NdfEventView.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\osinfo.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wsmanconfig_schema.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\F12\Timeline.cpu.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tcpbidi.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\zipfiaq.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\AppxProvisioning.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\potscfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\cmnicfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\Welcome.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\3DViewerProductDescription-universal.xml | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Diagnostics.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Rules.System.Configuration.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_10.0.19041.264_none_0ce2bf73f5e3d0ee\D61D61C8-D73A-4EEE-8CDD-F6F9786B7124.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_netfx4-ngenassemblyexclusionclient_31bf3856ad364e35_4.0.19041.1_none_6e3f71d318a8f11a\clientexclusionlist.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_dual_prnms005.inf_31bf3856ad364e35_10.0.19041.1_none_1eab1be1d38e5678\Amd64\MSxpsXPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\502.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeautopilotreboot-main.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobesettings-main.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-3.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\needhvsi.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Diagnostics.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\pdferrorunknownerror.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\BlockSite.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f727312db940011\oobe_learn_more_activity_history.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\auxpad.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ko-kr.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\ftp_rscaext.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\18.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\f\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..ialibrarydiagnostic_31bf3856ad364e35_10.0.19041.1_none_dedee787078f40e3\WindowsMediaPlayerMediaLibrary.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\r\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2286dfb4f2be688c\Report.System.Wireless.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\UpgradeMatrix.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-5.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-3.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\BlockSite.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\PhishSiteEdge.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.Memory.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.1_none_003f1b632195ba8c\Amd64\V3HostingFilter-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-contentview-template.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelocalngc-main.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\dnserror.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ebd9ffd49454da2e\Rules.System.Wired.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\500-16.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\pdferrorneedcredentials.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\ImmersiveControlPanel\Settings\AllSystemSettings_{253E530E-387D-4BC2-959D-E6F86122E5F2}.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\PLA\Rules\fr-FR\Rules.System.Performance.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrordisabledforregion.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1_none_650e185617d118b6\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-7.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\pdferror.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\7.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-x..ectdialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe2a3fc32038c1d1\f\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification C:\Windows\servicing\Sessions\31135900_4011253136.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135901_1964944298.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0809\tokens_enGB.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..eexplorer.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_03d7aa1083b7645d\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\http_404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\d3a79d4736e5d70110a200001815341f.ASPNET_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelanguage-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\501.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\20.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-textinput-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSetupInclusive.html C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe

"C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network


Files

C:\Windows\SysWOW64\shervans.dll

MD5 4ddcfc2840b95028ff4045917bd2e333
SHA1 749e7ecc4a0fae91656532e68c1240668c9f725c
SHA256 69a173d66b46bdb2471ca6bbc7593b16ec2aa171c4294f1e4a99a6112625aefc
SHA512 6e4f5ff11440d168dc710544bd18b9a46aa0dbf4312d60a5448e4cd87e59cc9c06b70faeeae76244f8352ac9a4f78c07453982ee21d875e252ad7f9c7ed81c6f

memory/3192-11-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 4ae3bdb4a44783fad05e73e3f7e91e77
SHA1 61bd8063ac040da93414017e4839e54a9ee35dc2
SHA256 1e8abc776220f4c42d26644c359fee7287a9cc77a5c6c020d5bc55e3ce478cc0
SHA512 e84927d30d7df7014d64ccffd2455d6365596c38a62d663a1429136c6eb47db4e65502c2590b959a7a54d6de4e460386a2e55975c692c782bfd484dc1a58b74b

C:\Windows\SysWOW64\ctfmen.exe

MD5 293dfbb7f42232418a1ce0dbc91f0da9
SHA1 705675b56025c53dd660d66a2db2f973feda9459
SHA256 ac1dbc74c7b581fc2e15e0fd67bee7e1deef399abb90eb6901e71d0b05f12fa7
SHA512 527352556b1d760abea8e7fb6ad74fea87505b5be5dc3b3663e4931d0e35b3b746a2aad9aa1c5a369109d0c799ee5da012a02036a8aa9bf32baad6eedbc1ff10


C:\Windows\SysWOW64\satornas.dll

MD5 26ba6f8354e11d00f7e51e35d794f73a
SHA1 82cb5e7aa36447dff247e529e951a2dd1bcc1e96
SHA256 7db78f120f059eaceeb29455fd15b1a44b9aa1cd435d6068d1ff30bc6ff4d47b
SHA512 91ea98db4b794b7d3f7bf0c8dbdaa2984719a9fb0642e660e4ba84f352fc92ddcd56d98aa1cb8c444327637271eb86cb70cf51490ece9fd4ffdb6c93747cc069


Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 11:57

Reported

2025-01-19 11:59

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\smnss.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\smnss.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe C:\Windows\SysWOW64\ctfmen.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe C:\Windows\SysWOW64\ctfmen.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe C:\Windows\SysWOW64\ctfmen.exe
PID 1420 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe C:\Windows\SysWOW64\ctfmen.exe
PID 2188 wrote to memory of 2572 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2188 wrote to memory of 2572 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2188 wrote to memory of 2572 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2188 wrote to memory of 2572 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2572 wrote to memory of 2016 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2572 wrote to memory of 2016 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2572 wrote to memory of 2016 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2572 wrote to memory of 2016 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe

"C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 828

Network

Country Destination Domain Proto
US 8.8.8.8:53 qermhhmmrn.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 173.194.79.27:25 aspmx.l.google.com tcp
NL 108.177.119.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail3.edvz.uni-linz.ac.at udp
AT 140.78.3.83:25 mail3.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 hnqrsprnhs.net udp
US 8.8.8.8:53 pheshqares.in udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 millert.dev udp
US 8.8.8.8:53 bigelowandholmes.com udp

Files

memory/1420-11-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 5841e566b5ae865f5578b947b0626826
SHA1 46c39ad6c1cb2fea531bbadb06d7ee2c77b4e253
SHA256 7b08cbfdf9016d86ae943ac575a1d3098d5143c1c181483495eba18cb2e8dc82
SHA512 87af8c58b940bce8671cb688f54e8f7bccc42bbb7c49d1b7b4cd9d6577d7de12093e4c1f7c7b5cbaf2e33eace888bfdd6d5e7127fff14ab24437f282cc5317d9

\Windows\SysWOW64\ctfmen.exe

MD5 b6be925977558e26780660fec41a07fe
SHA1 5fd6fcff8021821cd94ace581630fec3433c7346
SHA256 fe64c2f76501ccb8f125f8e4a084be6d2ff498661a8046e5597733e19bb4b29d
SHA512 9d3d900f1ef3c3b8a2ba30c251ce2a901a1526a33b507568fa181c27dfb4a38b4fac87884db368f69a54ad7a9b98d55c91f18a8bd125108ff49aa67de643f0eb

memory/1420-17-0x0000000000340000-0x0000000000349000-memory.dmp

memory/1420-26-0x0000000010000000-0x000000001000D000-memory.dmp

memory/1420-24-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Windows\SysWOW64\smnss.exe

MD5 5a53a9e24e8bd54b1a503a5acbfd0b79
SHA1 58603c394dff147f2d342b5653bee5dd149df8ba
SHA256 700a43b37ff7d021dce3d026ad7f7da8b9ce6831a323e42e71d1d0f4c11dc2b7
SHA512 0001afc627ee13f024ed82de2e71470bc170cc1e6e62995d4495202eda390feaac7b73bca7f88dd8e8130748831e51e6090229f3bedc323cac844ed0bbbb4a3d

memory/2188-31-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 15facdf578f7e1a6472cfa6e870dd567
SHA1 af6e69c6770b445a3ad857262f5442bad68a4aad
SHA256 195825c154d73bb4483156e0d7f0661e139d178e4f5f43a1ea056c935b844b79
SHA512 8ddffcc24109f9b1029a5e8437a8947440dd285a3ab9ebc806bf25589dca45ed2fc4934e3bc7752cc6fad8fc5ef193baa55faa38db5a7f6390b2809d6d68bb6b

memory/2572-42-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2572-44-0x0000000010000000-0x000000001000D000-memory.dmp