Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-pnqxhsxlcw
Target e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
SHA256 e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d
Tags
discovery persistence spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d

Threat Level: Likely malicious

The file e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Drops file in Drivers directory

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Loads dropped DLL

Maps connected drives based on registry

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:28

Reported

2025-01-19 12:30

Platform

win7-20240903-en

Max time kernel

84s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ta.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Windows\SysWOW64\smnss.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\smnss.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe C:\Windows\SysWOW64\ctfmen.exe
PID 2084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe C:\Windows\SysWOW64\ctfmen.exe
PID 2084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe C:\Windows\SysWOW64\ctfmen.exe
PID 2084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe C:\Windows\SysWOW64\ctfmen.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\SysWOW64\ctfmen.exe C:\Windows\SysWOW64\smnss.exe
PID 2580 wrote to memory of 2168 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2168 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2168 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2168 N/A C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe

"C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 qermhhmmrn.info udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 megginson.com udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 108.177.98.26:25 aspmx5.googlemail.com tcp
US 108.177.98.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 jk.uni-linz.ac.at udp
US 8.8.8.8:53 mail1.edvz.uni-linz.ac.at udp
AT 140.78.3.68:25 mail1.edvz.uni-linz.ac.at tcp
US 8.8.8.8:53 hnqrsprnhs.net udp
US 8.8.8.8:53 pheshqares.in udp
US 8.8.8.8:53 cdata.tvnet.hu udp
US 8.8.8.8:53 attbi.com udp
US 8.8.8.8:53 courtesan.com udp
US 8.8.8.8:53 millert.dev udp
US 8.8.8.8:53 bigelowandholmes.com udp

Files

\Windows\SysWOW64\shervans.dll

MD5 1f658daafefa15a33910ee33bd5e89a5
SHA1 89a05b8b90d301ab7970dfb667be4679c138fce7
SHA256 20d26bc9dc98d91fc501e0fa9b281c3a3e3439fcc8bf444942131047bb12c2a0
SHA512 83aee922532627a8899469db40a885fcb6cadada520a644e99e771b9ceab57bc9f95858864761a0bc1e4eca977a73e8eab0b5c31094590024113bb8df7eb0215

\Windows\SysWOW64\ctfmen.exe

MD5 7ca41d1b59b5d9e3a687b7327ff6f910
SHA1 52dc595f32447867f16966bfb4d41d397a274d38
SHA256 c9420938a49ddbc1d854c45ede73befdbacf28d291831f715a44ff19dc9b0ca2
SHA512 cb9660015e10e105293e80006d51a7501825e458c5779bcd594a255fba5aa7f3736cf98fb3f0478cc7328d2f37066a72994078d666ecc9edd100f7f85ea08a8c

\Windows\SysWOW64\smnss.exe

MD5 661dc7d04f0c5ac68fe4ced2600f79fe
SHA1 08196a8ff04d17741877a409c5c2216f8da02d9c
SHA256 294e8d5a85176aa655024cc512df830b837c03fbd6d83aee1d6e7410bb81aa3f
SHA512 ef73d681b5a210ff9cf86258383fd144336695a5caa596832b757a15fd8a6a9d210369d82174657ce4279a01a89a9b6e409f9d41032f3ace22a6e660005cc179

C:\Windows\SysWOW64\satornas.dll

MD5 ab53fcffaf2f0383921549050d5a1efa
SHA1 9ccdf3c440e5fd7d9007d67cbc477703ab31b273
SHA256 c92222c15720210ac94c60a5e208d205f5d089a03bdc1d4321452ff683c1776a
SHA512 dcd7476422b832cf818fbf4f9a112958c05800189c5b557c33e69821fb9d923ad87dbd1dea35d6c1574c496241209ee2afeab2539d14dfac75b81da2ca99c71a


Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:28

Reported

2025-01-19 12:30

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\Welcome.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Content.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\WebviewOffline.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\DisableAboutFlag.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0407\tokens_deDE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1266_none_12ea08a0c4f345b0\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-11.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\501.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\PhishSiteEdge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.19041.1_en-us_a1eaf9e6bdb2c2e2\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\WpcBlockFrame.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-17.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-3.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\14.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-vssapi-core_31bf3856ad364e35_10.0.19041.746_none_b83305e47a98185b\75DFB225-E2E4-4d39-9AC9-FFAFF65DDF06.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\acr_error.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\unknownprotocol.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\http_403.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrorquitapplicationguard.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135900_3971192226.back.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\hstscerterror.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\8.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-light-footer-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\roamingDisambiguation.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\r\appxmanifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\unknownprotocol.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsfin.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\base.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\insertbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135900_3954035554.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-ie-timeline_is_31bf3856ad364e35_11.0.19041.746_none_3f68c845997377c3\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.19041.1_it-it_0bf4c007e9677824\Rules.AD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\HvsiMachinePolicies_ContainerCreate.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\http_gen.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\base_kor.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorrepurchasecontent.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_500.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.153_none_04304b75e9b1037f\r\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-chrome-breadcrumb-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-3.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\PhishSiteEdge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\OfflineTabs.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\forbidframingedge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsptb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\RenderingControl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Wired.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokens_enCA.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.CPU.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\http_gen.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\enterpriseNgcEnrollment\views\enterpriseNgcEnrollment.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeautopilotupdate-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\UpgradeMatrix.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\http_500.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_247add106824ed63\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\defaultbrowser.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_406.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\NetworkDiagnostics_2_FileShare.xml C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe

"C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 nongnu.org udp
US 52.101.40.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 108.177.98.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 108.177.98.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 kinoho.net udp
SG 74.125.200.26:25 alt2.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 riseup.net udp
SG 74.125.200.26:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx1.riseup.net udp
US 198.252.153.129:25 mx1.riseup.net tcp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
DK 17.57.170.2:25 mx-in-vib.apple.com tcp
US 103.168.172.218:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mx2.forwardemail.net udp
US 8.8.8.8:53 de-smtp-inbound-1.mimecast.com udp
DE 194.104.110.22:25 de-smtp-inbound-1.mimecast.com tcp
US 104.248.224.170:25 mx2.forwardemail.net tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 empewsqsqa.ws udp
US 64.70.19.203:80 empewsqsqa.ws tcp
US 8.8.8.8:53 pmnrrneaah.in udp
US 8.8.8.8:53 mnwsnarssr.in udp
US 8.8.8.8:53 rrpnmeawrs.org udp
NL 5.79.71.225:80 rrpnmeawrs.org tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 108.177.98.26:25 alt4.gmail-smtp-in.l.google.com tcp
SG 74.125.200.26:25 aspmx3.googlemail.com tcp
US 108.177.98.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 108.177.98.26:25 aspmx5.googlemail.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-ma.apple.com udp
US 17.171.208.6:25 mx-in-ma.apple.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 sermsqqqna.biz udp
US 8.8.8.8:53 rsqsepmwas.org udp
DE 178.162.203.202:80 rsqsepmwas.org tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
SG 74.125.200.27:25 alt2.aspmx.l.google.com tcp
FI 142.250.150.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 108.177.96.26:25 aspmx.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in.g.apple.com udp
DK 17.57.170.2:25 mx-in.g.apple.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mqpppnhaes.in udp
US 8.8.8.8:53 aqmrnawpan.com udp
US 8.8.8.8:53 wrnwernreh.in udp
US 8.8.8.8:53 aeaqmpsaqa.com udp
US 8.8.8.8:53 whwsqnemsn.in udp
US 8.8.8.8:53 rqeaqeewas.org udp
DE 178.162.217.107:80 rqeaqeewas.org tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wqpaamhwrs.in udp
US 8.8.8.8:53 reaaheeara.org udp
DE 178.162.203.202:80 reaaheeara.org tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 172.217.218.27:25 gmail-smtp-in.l.google.com tcp
NL 108.177.96.26:25 aspmx.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt3.gmail-smtp-in.l.google.com tcp
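
The rows above have two recognisable shapes: DNS queries for ten-letter pseudo-random second-level domains (whaammqwps.in, remrpqpseh.org, ...) followed by tcp/80 connections to whatever they resolved to, and direct tcp/25 connections to the MX hosts of many unrelated mail providers (Google, Outlook, Apple, Fastmail, mail.ru, ...), which on a workstation is the footprint of an outbound spam engine rather than a mail client. The script below is an added example for this write-up, not code from the sandbox or from the sample: it parses rows in the table's "<CC> <ip>:<port> <name> <proto>" layout and surfaces both behaviours. The sample rows are copied from the table above; the DGA thresholds, the registrable-domain shortcut, the provider-count threshold and all function names are assumptions chosen for this data set.

```python
"""Triage helper for the Network table of the sandbox report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the report's Network table (a small subset).
SAMPLE_ROWS = """
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.24:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 108.177.98.26:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 whaammqwps.in udp
US 8.8.8.8:53 remrpqpseh.org udp
NL 85.17.31.82:80 remrpqpseh.org tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 202.12.124.216:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 wpqqhhspps.in udp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 82.31.17.85.in-addr.arpa udp
US 8.8.8.8:53 northcoast.com udp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mwhnpqrmrn.in udp
US 8.8.8.8:53 aewrhprres.com udp
US 216.245.214.81:80 aewrhprres.com tcp
RU 217.69.139.150:25 mxs.mail.ru tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)
# Second-level labels that are themselves generic (cam.ac.uk, x.com.au ...).
GENERIC_SLD = {"co", "com", "net", "org", "ac", "edu", "gov"}
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Row:
    cc: str
    ip: str
    port: int
    name: str
    proto: str


def parse_rows(text: str) -> list[Row]:
    """Parse report rows; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["cc"], m["ip"], int(m["port"]), m["name"].lower(), m["proto"]))
    return rows


def registrable_domain(name: str) -> str:
    """Assumed shortcut: last two labels, or three when the second-last is
    generic.  A public-suffix list is the production choice; this is enough here."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in GENERIC_SLD:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def dga_features(label: str) -> tuple[float, int]:
    """Return (vowel ratio over letters, longest run of consonant letters)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0, 0
    vowels = sum(c in VOWELS for c in letters)
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0  # a vowel, digit or hyphen ends the consonant run
    return vowels / len(letters), best


def looks_generated(domain: str) -> bool:
    """Assumed heuristic: a label of 8+ characters that is nearly vowel-free or
    contains a five-consonant cluster.  Thresholds were chosen so that real
    names in the report (northcoast.com, earthlink-vadesecure.net) stay below."""
    label = domain.split(".")[0]
    if len(label) < 8:
        return False
    ratio, run = dga_features(label)
    return run >= 5 or ratio <= 0.2


def triage(rows: list[Row]) -> dict:
    """Summarise DGA lookups, the servers they led to, and SMTP fan-out."""
    queried = {
        registrable_domain(r.name)
        for r in rows
        if r.proto == "udp" and r.port == 53 and not r.name.endswith(".arpa")
    }
    dga_domains = sorted(d for d in queried if looks_generated(d))
    dga_contacts = sorted({
        f"{r.ip}:{r.port}"
        for r in rows
        if r.proto == "tcp" and registrable_domain(r.name) in dga_domains
    })
    smtp = [r for r in rows if r.proto == "tcp" and r.port == 25]
    providers = Counter(registrable_domain(r.name) for r in smtp)
    return {
        "dga_domains": dga_domains,
        "dga_contacts": dga_contacts,
        "smtp_hosts": sorted({r.name for r in smtp}),
        "smtp_providers": dict(providers),
        # Assumed threshold: a workstation speaking SMTP to the MX hosts of 3+
        # providers directly, not via its own mail server, is suspect.
        "smtp_fanout": len(providers) >= 3,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The PTR lookups (`*.in-addr.arpa`) are excluded from the DGA pass because they are the sandbox resolving the peer addresses, not sample activity. On the full table the same logic yields several dozen generated domains and well over a dozen distinct MX providers; the tcp/80 peers it lists (85.17.31.82, 13.251.16.150, 216.245.214.81 and the others in the table) are the addresses worth blocking first, since the domain names themselves rotate.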

Files

memory/4616-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/4616-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 5d39b82ea31fa9e0d759cd4ec90de4dd
SHA1 75fce31c1d64b4d82a355de95bf6e19b107206c6
SHA256 72c8eb04be19dcb5c54b83c05407360b25bd1f9830ca7540f3df1a3ad0ac698b
SHA512 6b9b6d8e7b16f5765beb8462196d47b4171a06aeb8635a00758c30622c5c245806e9d324f9870536f1f6275611be96d8332a0b30b964084fd902eefb786c42a8

memory/4616-14-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\grcopy.dll

MD5 277205751a573def63db10232df2dd35
SHA1 7defc3486b8be450a868e8276307caf42720a3de
SHA256 9d6007bb87275e06508597b19e5da472378e1ac8f6c898193cefc0dc0b1c6e36
SHA512 5b655c19a08bba52b27bcfc6601ee6f87c0027c2dc27737bb3dd6bdf8d636ccbfe75302dad4a5300af8b1fa5ef1ec57b9f92493335375aac90da75cff9a57ad2

C:\Windows\SysWOW64\ctfmen.exe

MD5 ea460b2d290b9ca7d3dd1f7d4b206cbc
SHA1 fccf903036fdd25de9c5d527ed84d9f25f14ff59
SHA256 22fac0ba58abb43b22751098554bb896f61ed355b40bceed6db2b34e889c6a0e
SHA512 479d5207adedace67c30645d8a191f3e2b0810b9e6a98598bc08a757119b950b5ca9df2a4c2c07867b556cf27c563023f3617ec73c08ad69879ae8b28c22baa1

memory/1432-22-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4616-25-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4616-27-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1432-30-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4616-29-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/1028-33-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/1028-40-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 6e76a7c5a4db0eaf275a8f4e7edbb22e
SHA1 5f4e257c86c0093803638443288528b498b457f1
SHA256 e19cebe11eccfb478b220fce7cdaf82a07d0ea2967ef52887bbcc2c5440d1abc
SHA512 605cc0a48f43632fe903c9bc0087da0d700e426349f1195527ae7b2cf76c31a8fdd3eb4057bc4ddb6e01f6d9de0fc167362dcd88a31dbdde8f0c90fde45a7692

memory/1028-42-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/1028-45-0x0000000010000000-0x000000001000D000-memory.dmp

memory/1028-44-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-46-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-48-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-50-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-52-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-54-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-56-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-58-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-60-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-62-0x0000000000400000-0x0000000000DCE000-memory.dmp

memory/1028-64-0x0000000000400000-0x0000000000DCE000-memory.dmp