Malware Analysis Report

2024-11-30 07:54

Sample ID 240603-gemjqsde6w
Target f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044
SHA256 f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044
Tags
persistence spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044

Threat Level: Likely malicious

The file f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044 was found to be: Likely malicious.

Malicious Activity Summary

persistence spyware stealer

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Enumerates connected drives

Maps connected drives based on registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:43

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:43

Reported

2024-06-03 05:45

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"

Signatures

UPX dump on OEP (original entry point)


ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ctfmen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\smnss.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Windows\SysWOW64\smnss.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | C:\Windows\SysWOW64\smnss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\zipfi.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\zipfiaq.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Windows\SysWOW64\smnss.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\smnss.exe

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | C:\Windows\SysWOW64\smnss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\smnss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2880 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | C:\Windows\SysWOW64\ctfmen.exe
PID 2880 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | C:\Windows\SysWOW64\ctfmen.exe
PID 2880 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | C:\Windows\SysWOW64\ctfmen.exe
PID 2880 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | C:\Windows\SysWOW64\ctfmen.exe
PID 2756 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\ctfmen.exe | C:\Windows\SysWOW64\smnss.exe
PID 2756 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\ctfmen.exe | C:\Windows\SysWOW64\smnss.exe
PID 2756 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\ctfmen.exe | C:\Windows\SysWOW64\smnss.exe
PID 2756 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\ctfmen.exe | C:\Windows\SysWOW64\smnss.exe
PID 2620 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe

"C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 828

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | qeseqhmwrn.info | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | megginson.com | udp
US | 8.8.8.8:53 | megginson.com | udp
US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp
US | 8.8.8.8:53 | jk.uni-linz.ac.at | udp
FI | 142.250.150.27:25 | alt2.aspmx.l.google.com | tcp
US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp
NL | 142.251.9.27:25 | alt1.aspmx.l.google.com | tcp
US | 8.8.8.8:53 | mail3.edvz.uni-linz.ac.at | udp
AT | 140.78.3.83:25 | mail3.edvz.uni-linz.ac.at | tcp
US | 8.8.8.8:53 | merermrrma.in | udp
US | 8.8.8.8:53 | nqnrwwasqa.us | udp
US | 8.8.8.8:53 | cdata.tvnet.hu | udp
US | 8.8.8.8:53 | attbi.com | udp
US | 8.8.8.8:53 | courtesan.com | udp
US | 8.8.8.8:53 | cdata.tvnet.hu | udp
US | 8.8.8.8:53 | bigelowandholmes.com | udp

Files

\Windows\SysWOW64\shervans.dll

MD5 3d35e1c88abfc7f16049f7d5dcc02212
SHA1 6fa757de4ec00b5937ebb15ffc735cfb451cafc1
SHA256 afd4b44c5e99232da031b0efed2fe9a387e1fa1e815981ade99f7eaabcb45a7d
SHA512 aa0723a87e019156e0482ebb2e8c485d8ebd4a3c79038de4fc1e0a7fcd223066d58051aceba89097da56cffd65f90a7293b0b846862b4573a656fc5caaa7b701

memory/2880-11-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 af4d5e1c277efad7353a242b6d37307a
SHA1 7d98685588dd8bb193b38224630f526e8daea790
SHA256 ec98dce8c1914cf5121fb009dbd266a5b04c0a66bde52ba01f65363345efed4d
SHA512 84b2763229929c9f839d79a92272565e4d83a0e49a8a7a5a594221dc2877791fe19ae61527cb5ebdaf9417efd0349694c35155d64a5e126ee869d2dc566da25f

memory/2880-17-0x0000000000350000-0x0000000000359000-memory.dmp

memory/2880-26-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\smnss.exe

MD5 28f44f2cf74eac776ddef3048c8b7d1a
SHA1 5a64f84076177edf31b91aa74c4ddd220c62e97a
SHA256 cd5192cddb79401c9c461c906c70c335a3210bad90b27f9d7ba4bd1f2bf06b49
SHA512 b130ba99d3e338b3f7a2f8db35f4303978c28db65eeecadf7f0f433d8809549437957e8354089f6c095907d3ed3557355681a386276c55b51be681af6906c73d

memory/2756-31-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2880-24-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 6391a5b6708f4d4996a52f1eaee6abd8
SHA1 af01cef882bbc720bb13a9736480a309c288eb3e
SHA256 42b81f8f2d21f5700bde1a75a65104590dff4bb9c1ec7ffeb65d72317feda85d
SHA512 ef67326edad822ff91c3a2925b88322bb07f98468373bcc074b0d3d08643e6496bfbfd13d46a1f62371d54c024b2b90d4aaa245f16a719e2e36ac1b632fb7320

memory/2620-39-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2620-43-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:43

Reported

2024-06-03 05:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"

Signatures

UPX dump on OEP (original entry point)


Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\smnss.exe | N/A

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ctfmen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\smnss.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | C:\Windows\SysWOW64\smnss.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\smnss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\smnss.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\smnss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\SysWOW64\satornas.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File created | C:\Windows\SysWOW64\zipfi.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\zipfiaq.dll | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\ipcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\F12\Timeline.cpu.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\xsl-mappings.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\grcopy.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsCodecsRaw.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\cmnicfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\osinfo.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NdfEventView.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\shervans.dll | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\potscfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\AppxProvisioning.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tcpbidi.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wsmanconfig_schema.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File created | C:\Windows\SysWOW64\smnss.exe | C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icsxml\pppcfg.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml | C:\Windows\SysWOW64\smnss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt | C:\Windows\SysWOW64\smnss.exe | N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WebviewOffline.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\SLERROR.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\VoiceCommands.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\InitializeAdd.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_404.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0c0c\tokens_frCA.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\HvsiMachinePolicies_ContainerCreate.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-15.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\sslnavcancel.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_23f4c1602d97fe43\r\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\http_406.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-8.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-14.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\http_410.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxsetup_31bf3856ad364e35_10.0.19041.1_none_e79b7034919a6194\appxblockmap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\5.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4-attributionfile_b03f5f7f11d50a3a_4.0.15805.0_none_763fb8d053feb31c\ThirdPartyNotices.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\proxyerror.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_prnms003.inf_31bf3856ad364e35_10.0.19041.264_none_f47802fda1463635\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_6d4be35dd691e117\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\ProfessionalEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\default.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5f8c8a80ca07e2d5\Report.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.264_none_e1482d65a2a08701\r\timezones.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\a3e8984536e5d701149b00001815341f.Ftp_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\about_Mocking.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\ja-JP\Report.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.1_none_fd1639479924c51c\behavior.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-keyboarddiagnostic_31bf3856ad364e35_10.0.19041.1_none_976b7794ffbef99f\KeyboardDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..igurationdiagnostic_31bf3856ad364e35_10.0.19041.1_none_9a29135572e069ec\WindowsMediaPlayerConfiguration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\http_410.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\navcancl.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-progress-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-2.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\startfresh.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_es-es_2509cf5229985120\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\repost.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0409\tokens_enUS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-enterprisecsps_31bf3856ad364e35_10.0.19041.153_none_2a1e6a613d7771a3\DMClient_DDF.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\AuditPol_ContainerRealtime.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_1277eb7f6aa856b4\f\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.processmitigations.commands_31bf3856ad364e35_10.0.19041.662_none_2a8c125210169f86\Microsoft.ProcessMitigations.Commands.dll-Help.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cbf428fdebcdf121\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\BITSDiagnostic.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\26.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_es-es_c82ea5efca98fd7b\OOBE_HELP_Opt_in_Details.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\f\appxmanifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-7.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\BlockSite.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\Report.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Finale.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe

"C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 qeseqhmwrn.info udp
US 8.8.8.8:53 merermrrma.in udp
US 8.8.8.8:53 nqnrwwasqa.us udp
US 8.8.8.8:53 saeenqpsns.biz udp
US 8.8.8.8:53 nwarhrqwsn.us udp
US 8.8.8.8:53 sehehpnhhn.biz udp
US 8.8.8.8:53 npahparnas.us udp
US 8.8.8.8:53 wsaahwesea.in udp
US 34.218.204.173:80 wsaahwesea.in tcp
US 8.8.8.8:53 qhaeqawspn.info udp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 52.101.9.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 hqsswpwmqn.net udp
US 8.8.8.8:53 nqnwpqehnh.us udp
US 8.8.8.8:53 eqhehrremn.ws udp
US 64.70.19.203:80 eqhehrremn.ws tcp
US 8.8.8.8:53 arrerpeweh.com udp
US 8.8.8.8:53 shrqaanaeh.biz udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 nrahmqmars.us udp
US 8.8.8.8:53 hmeespsrpa.net udp
US 8.8.8.8:53 qhrrnrpsmh.info udp
US 8.8.8.8:53 haapqhwpea.net udp
US 8.8.8.8:53 nreeawhqea.us udp
US 8.8.8.8:53 hhssppaemn.net udp
US 8.8.8.8:53 nhnnmwwhqs.us udp
US 8.8.8.8:53 hrmhpawhen.net udp
US 8.8.8.8:53 asrnhrepss.com udp
US 8.8.8.8:53 srahhmeams.biz udp
US 8.8.8.8:53 rrqsewasma.org udp
US 162.249.65.106:80 rrqsewasma.org tcp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.27.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mwmwqrweas.in udp
US 8.8.8.8:53 rmnhhernnn.org udp
US 162.249.65.106:80 rmnhhernnn.org tcp
US 8.8.8.8:53 eqsawmrann.ws udp
US 64.70.19.203:80 eqsawmrann.ws tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.216:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 nswmawmnhh.us udp
US 8.8.8.8:53 swqnnwmehs.biz udp
US 8.8.8.8:53 resspqqrna.org udp
US 162.249.65.106:80 resspqqrna.org tcp
US 8.8.8.8:53 spphhhpmra.biz udp
US 8.8.8.8:53 pqnmmnhpsh.in udp
US 8.8.8.8:53 hanhhwmren.net udp
US 8.8.8.8:53 psmprneqnn.in udp
US 8.8.8.8:53 spseraamar.biz udp
US 8.8.8.8:53 qwewrshrwa.info udp
US 8.8.8.8:53 eenmepsmwh.ws udp
US 64.70.19.203:80 eenmepsmwh.ws tcp
US 8.8.8.8:53 rwaaahansn.org udp
US 162.249.65.106:80 rwaaahansn.org tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
IE 52.101.68.38:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 sppphhhamn.biz udp
US 8.8.8.8:53 nhwasnhrss.us udp
US 8.8.8.8:53 mhernnwsrs.in udp
US 8.8.8.8:53 rmrnnhwmsa.org udp
US 162.249.65.106:80 rmrnnhwmsa.org tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 eqenanrana.ws udp
US 64.70.19.203:80 eqenanrana.ws tcp
US 8.8.8.8:53 rawnweswps.org udp
US 162.249.65.106:80 rawnweswps.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
TW 142.250.157.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 seewpnaehh.biz udp
US 8.8.8.8:53 qrepmmnnhs.info udp
US 8.8.8.8:53 wmrmhanmnn.in udp
US 8.8.8.8:53 ppwanshhah.in udp
US 8.8.8.8:53 emmnwpsarn.ws udp
US 64.70.19.203:80 emmnwpsarn.ws tcp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
US 162.249.65.106:80 remrpqpseh.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
NL 142.250.102.27:25 gmail-smtp-in.l.google.com tcp
NL 142.250.102.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 mwhnpqrmrn.in udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 pwramqmsms.in udp
US 8.8.8.8:53 hmamsmwhar.net udp
US 8.8.8.8:53 pqshhpemrn.in udp
US 8.8.8.8:53 wpqqhhspps.in udp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
NL 142.250.102.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 8.8.8.8:53 spawwehsrs.biz udp
US 8.8.8.8:53 ppeseaqmms.in udp
US 8.8.8.8:53 msarphnewh.in udp
US 8.8.8.8:53 pwqpewwahh.in udp
US 8.8.8.8:53 hmparqsaqa.net udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 qsqpspspqn.info udp
US 8.8.8.8:53 haearrsqhn.net udp
US 8.8.8.8:53 qnrnwnwaas.info udp
US 8.8.8.8:53 weaeprawra.in udp
US 8.8.8.8:53 qmhqeesawh.info udp
US 8.8.8.8:53 ssnsphrnws.biz udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.151:80 aewrhprres.com tcp
US 8.8.8.8:53 mpehqsqwmn.in udp
US 8.8.8.8:53 rnrmmnpnpn.org udp
US 162.249.65.106:80 rnrmmnpnpn.org tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 151.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 mx-in.g.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 pobox.com udp
US 8.8.8.8:53 pb-mx23.pobox.com udp
US 173.228.157.42:25 pb-mx23.pobox.com tcp
NL 142.250.102.27:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mwaaemmnhn.in udp
US 8.8.8.8:53 asnrrsamsa.com udp
NL 212.32.237.90:80 asnrrsamsa.com tcp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 64.147.123.52:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 whmrraawha.in udp

Files

C:\Windows\SysWOW64\shervans.dll

MD5 c85aca62a67a7b8b5d60738c68005f3f
SHA1 19cf9ece4e2f3e96823c6dc7db9f768aba34c35e
SHA256 20d3efc81d8c0ef85f00a431a627e25cf72fb4fd632da75bd9e4ab34e49d085e
SHA512 db96a34b3985c4d1bfd1049f55dc184d4c5960567d2c2520a0fca9ccbaa912118e373551b0ae16c6e6a15598a3c0a714597cf957a48fee0a6b482baa504cae8c

C:\Windows\SysWOW64\grcopy.dll

MD5 abf6c7085bf83b0b106b1039e58ab4cb
SHA1 dfb5c5cb0953cc0a96293f4b218ebd3648dc019e
SHA256 d88e0e49fea301d806932a3cabb086c3cc148450ae17823d23ca5c082072a2c0
SHA512 06ba7dd6065b2b228ebe703e5fd65e23bbba5ace761a69f46ca0d735ac8655204d89493373205727fd81e9a6dab6975f452e4fd0571a354cb8bb4fe79ac6a084

memory/4768-17-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\ctfmen.exe

MD5 9071491ac39060bae5e35c12ac3288c0
SHA1 456a206895fbb1952d23587e61e774881d96659f
SHA256 135c6271317d9465fde4c718da78309d7303711ed02338cacf66999acb06637a
SHA512 2d14f8b160357dc1ddf0ce5f5c5d6ad806ccd021c68fc22cae07a543ae5ecd347f5295e6118015dd69b4ab485fa4a56a3627b697587e649471257ec4181cc67a

memory/4768-23-0x0000000010000000-0x000000001000D000-memory.dmp

memory/4768-20-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2052-24-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 15da9b9cdbbae0cea42a1e1eea88f13b
SHA1 fa32ea4f337df22e67b73ddb21814af767829ee1
SHA256 f5f9a2174ac9db2135c9792dc13810c3f0ac81d284430842da1846b7e9decd73
SHA512 d034d201a99d011d011818355b75c1eaa9b13865ec4e6d497d6eb52c373f5c0c3b5ff845f2230d63a39be92944a66b06f1733cff9cb109aa4f163184c8b8b864