Malware Analysis Report

2025-08-10 20:53

Sample ID: 240825-hp8emaselp
Target: ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690
SHA256: ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690
Tags: discovery, persistence, spyware, stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690

Threat Level: Likely malicious

The file ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence, spyware, stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Enumerates connected drives

Maps connected drives based on registry

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-25 06:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-25 06:55

Reported: 2024-08-25 06:58

Platform: win7-20240704-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A

Drops file in System32 directory

Description Indicator Process Target

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_providers.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31116887_2253444448.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\rscaext.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Arithmetic_Operators.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_locations.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_remote_troubleshooting.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsplk.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsrom.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc3100t.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smf6x4u.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_PSSnapins.help.txt C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe

"C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto

Files

memory/2388-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\shervans.dll

MD5 486b04b562bf3a387257b68e7931e124
SHA1 a03922aa051cb079bc3d9995d31ac1f463faf832
SHA256 1cf7900f0d5079275db6f70b9072897b398fd9edc0bbf4400e5f1241695b72b4
SHA512 dee97e000afee1f485b1a34d7e80b3ad9e7716e96c4e56aa2ada7b03908e02618140f526da1d9e134c37784c8e56efe88985925b64c0cd4c8d223f46ad4fc1a9

memory/2388-12-0x0000000010000000-0x000000001000D000-memory.dmp

\Windows\SysWOW64\ctfmen.exe

MD5 6d4afc7e4773ef169b7c8030f21527cb
SHA1 c6fdc3f7a9de11d844b8376cad70de8e01b3b289
SHA256 dc02256e69f59ec2faf34c1811af3699ed0914d443ca8530c2c3643b8f0e3b3c
SHA512 f96d5178113d6e5443aec90bac9ca9430c5a3cd2f48797f28758a8745762d38fb748ed35d55914eda75e08e3300cb709032e0d7dd5fb7f6319375fdeedf37e1d

memory/2388-19-0x0000000000340000-0x0000000000349000-memory.dmp

memory/2388-26-0x0000000010000000-0x000000001000D000-memory.dmp

memory/2388-25-0x0000000000400000-0x0000000000420000-memory.dmp

\Windows\SysWOW64\smnss.exe

MD5 f46472fb22d86b6efe8dc82355bf9efe
SHA1 3a1e970ff03a1838d4626645baa937c3d124ae6d
SHA256 17a3c7a230c224f1e56003534b8e415e1e97497ac01555251989111e99ce10e5
SHA512 e7253a7e5f3bd1b005240d376620c91ff6c005953461f806e164fcb7b4fac0b169e563e5bbde44a91be4bc3e69ec624df01ec6c9dec7735128a923dfb6c0cdf8

memory/2696-29-0x0000000000320000-0x0000000000340000-memory.dmp

memory/1088-35-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2696-34-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1088-41-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 ed786bcd43661d5d16301cd120a2d8de
SHA1 3e5b00d7fc4baa948d8e8c982177681aa355c28d
SHA256 4a8a061d88a541cf6e8da58894e5601f4abe3ae07a76f807ff07f3507a0afee5
SHA512 c0f55e80d1429157a788d5905a088d5a5f465357ca2436173cda1ba3ef0e9995bdd9070665e9ac33b866aecf63af6c801eff6db3f3b1a7a08fc479a2f741d316

memory/1088-43-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1088-44-0x0000000010000000-0x000000001000D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 06:55

Reported

2024-08-25 06:58

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\smnss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmen.exe N/A
N/A N/A C:\Windows\SysWOW64\smnss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" C:\Windows\SysWOW64\smnss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\smnss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\smnss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\smnss.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Windows\SysWOW64\smnss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\NdfEventView.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File created C:\Windows\SysWOW64\zipfiaq.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File opened for modification C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\grcopy.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File created C:\Windows\SysWOW64\satornas.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File created C:\Windows\SysWOW64\smnss.exe C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File created C:\Windows\SysWOW64\ctfmen.exe C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File created C:\Windows\SysWOW64\zipfi.dll C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SysWOW64\shervans.dll C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpbidi.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinLearningTools.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\3DViewerProductDescription-universal.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401-4.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\500-16.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorofflineaccessdenied.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrorrenewrentallicense.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobenetworklossaversionv2-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\resource.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\401-1.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\412.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\invalidcert.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.19041.1_none_73a90993e64b6c40\NetworkDiagnostics_1_Web.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\forbidframingedge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Vss\Writers\System\D61D61C8-D73A-4EEE-8CDD-F6F9786B7124.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-15.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\Content.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_10.0.19041.1_none_5bf454b921ca2c86\GroupedProviders.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeupdatesettings-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1_none_fe09d772b73322e6\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1_none_5415429eaf1f7602\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\needie.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.1_none_f830216e59eee182\tokens_enIN.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Report.System.Network.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bcf0807cccfa0873\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Performance.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\repost.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0809\tokens_enGB.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-13.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\18.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\cmnicfg.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\fr-FR\Report.System.NetDiagFramework.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\Report.System.Configuration.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveSspr\view\ssprerror-main.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0410\tokens_itIT.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-14.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Common.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\servicing\Editions\EducationEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0c0c\tokens_frCA.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.264_none_e1482d65a2a08701\r\timezones.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\osknumpadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_ja-JP.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-toggle-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\sslnavcancel.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ctionflow.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_4d3bd653a974d501\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\13.txt C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorquitapplicationguard.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_406.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\EnterpriseEdition.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\405.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Summary.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_411a61445fd08261\AppxBlockMap.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..sslockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7014825cdc7916b8\r\AppxManifest.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-2.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\PhishSiteEdge.htm C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\ea.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\keypadbase.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\dnserror.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-header-template.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\hololensDiagnostics.html C:\Windows\SysWOW64\smnss.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\test.html C:\Windows\SysWOW64\smnss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\smnss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A
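
The "Set value" rows above register a COM in-process server: the default value of CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 in the 32-bit (WOW6432Node) view is pointed at C:\Windows\SysWow64\shervans.dll, so any 32-bit process that instantiates that class with CoCreateInstance loads the DLL. The Python script below is an added example, not part of the sandbox output: it parses those event rows in the report's own format, classifies the InprocServer32 value, and on a Windows host reads both registry views of the key through winreg. The optional baseline argument (a value captured from a clean reference image) is an assumption; the report does not identify the legitimate server for this CLSID, so the script does not hardcode one.

```python
import re

CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
# Both registry views of the class: 64-bit processes resolve the first, 32-bit ones the second.
KEY_64BIT_VIEW = "\\".join(["SOFTWARE", "Classes", "CLSID", CLSID, "InprocServer32"])
KEY_32BIT_VIEW = "\\".join(["SOFTWARE", "Classes", "WOW6432Node", "CLSID", CLSID, "InprocServer32"])
# Indicator from the report: the DLL the sample registers as the class's in-process server.
IOC_DLL = "shervans.dll"

# Rows copied from the "Modifies registry class" table above (sample input for the parser).
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" C:\Windows\SysWOW64\smnss.exe N/A',
]

# Shape of a "Set value (str)" row: key, quoted value, acting process, target column.
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?) = "(?P<value>[^"]*)" (?P<process>.+?) (?P<target>\S+)$'
)


def parse_set_value(line):
    """Parse one 'Set value (str)' row of the report; returns None for any other row."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    return {
        "key": m.group("key").rstrip("\\"),
        # the report doubles backslashes inside the quoted value
        "value": m.group("value").replace("\\\\", "\\"),
        "process": m.group("process"),
    }


def assess_inprocserver(value, baseline=None):
    """'ioc' if the value names the DLL from this report, 'deviates' if a clean-image
    baseline was supplied and the value differs (case-insensitive), else 'ok'."""
    name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name == IOC_DLL:
        return "ioc"
    if baseline is not None and value.strip().lower() != baseline.strip().lower():
        return "deviates"
    return "ok"


def read_inprocserver(key_path):
    """Default value of an InprocServer32 key on a live Windows host.
    Returns None off Windows or when the key/value is absent. KEY_WOW64_64KEY makes
    the explicit WOW6432Node path work from 32-bit Python too."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path, 0, access) as k:
            value, _ = winreg.QueryValueEx(k, "")
            return str(value)
    except OSError:
        return None


def findings_from_report(lines):
    """(process, value, verdict) for every InprocServer32 write in the report rows."""
    out = []
    for line in lines:
        ev = parse_set_value(line)
        if ev and ev["key"].lower().endswith("inprocserver32"):
            out.append((ev["process"], ev["value"], assess_inprocserver(ev["value"])))
    return out


def check_live_host(baseline=None):
    """Verdict per registry view on this host (None where the key cannot be read)."""
    results = {}
    for key in (KEY_64BIT_VIEW, KEY_32BIT_VIEW):
        val = read_inprocserver(key)
        results[key] = None if val is None else assess_inprocserver(val, baseline)
    return results


if __name__ == "__main__":
    for proc, value, verdict in findings_from_report(REPORT_LINES):
        print(f"{verdict:8} {value}  (written by {proc})")
    for key, verdict in check_live_host().items():
        print(f"{verdict or 'unreadable':8} HKLM\\{key}")
```

A hit on either view matters: the report only shows the WOW6432Node write, but a 64-bit host also carries the native CLSID key, and a baseline taken from the same Windows build is the only reliable way to judge a value that is not the known indicator.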

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\smnss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe

"C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe"

C:\Windows\SysWOW64\ctfmen.exe

ctfmen.exe

C:\Windows\SysWOW64\smnss.exe

C:\Windows\system32\smnss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 qewhshmsen.info udp
US 34.218.204.173:80 qewhshmsen.info tcp
US 8.8.8.8:53 wpwhpqraws.in udp
US 8.8.8.8:53 rsppprawrn.org udp
US 18.208.156.248:80 rsppprawrn.org tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 mrsqwnmhwa.in udp
US 8.8.8.8:53 apaqwweesn.com udp
US 8.8.8.8:53 wnhhwpqman.in udp
US 8.8.8.8:53 amamqheaen.com udp
US 8.8.8.8:53 snwwwwnqra.biz udp
US 8.8.8.8:53 prsrsreswh.in udp
US 8.8.8.8:53 emsnpqmnaa.ws udp
US 64.70.19.203:80 emsnpqmnaa.ws tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 aswahwaqwn.com udp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 epnnmpmnea.ws udp
US 52.101.10.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 64.70.19.203:80 epnnmpmnea.ws tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 203.19.70.64.in-addr.arpa udp
US 8.8.8.8:53 nmmmswamss.us udp
US 8.8.8.8:53 wpanwhahpn.in udp
US 8.8.8.8:53 qqrsmeawrh.info udp
US 8.8.8.8:53 wsneamsrqs.in udp
US 8.8.8.8:53 rrnsweenen.org udp
US 8.8.8.8:53 gzip.org udp
US 162.249.65.106:80 rrnsweenen.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 gmail.com udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 wpsranresn.in udp
US 8.8.8.8:53 qqwaqwqwns.info udp
US 8.8.8.8:53 wshmnneqsr.in udp
US 8.8.8.8:53 rnrmsaeesr.org udp
US 162.249.65.106:80 rnrmsaeesr.org tcp
US 8.8.8.8:53 alt3.gmail-smtp-in.l.google.com udp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 eweqmrhnra.ws udp
US 64.70.19.203:80 eweqmrhnra.ws tcp
US 8.8.8.8:53 qaeesahees.info udp
US 8.8.8.8:53 hwpprwwawa.net udp
US 8.8.8.8:53 pawrsswnsa.in udp
US 8.8.8.8:53 ewaehhmrqh.ws udp
US 64.70.19.203:80 ewaehhmrqh.ws tcp
US 8.8.8.8:53 ahrwrshwph.com udp
US 8.8.8.8:53 sqaqqaeqmh.biz udp
US 8.8.8.8:53 nhqpwhmama.us udp
US 8.8.8.8:53 sesawnwqea.biz udp
US 8.8.8.8:53 qpwhwpqpqa.info udp
US 8.8.8.8:53 mqmwshhaqh.in udp
US 8.8.8.8:53 rrqmheqmqh.org udp
US 162.249.65.106:80 rrqmheqmqh.org tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 2.1.0 udp
US 8.8.8.8:53 4.0.1 udp
US 8.8.8.8:53 nocorp.me udp
US 8.8.8.8:53 in2-smtp.messagingengine.com udp
US 202.12.124.217:25 in2-smtp.messagingengine.com tcp
US 8.8.8.8:53 ehpspqshqa.ws udp
US 64.70.19.203:80 ehpspqshqa.ws tcp
US 8.8.8.8:53 phphweqwna.in udp
US 8.8.8.8:53 snprrannra.biz udp
US 8.8.8.8:53 rahqwwphsh.org udp
US 162.249.65.106:80 rahqwwphsh.org tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.41.7:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 hpehwwhnqn.net udp
US 8.8.8.8:53 pmqmannrna.in udp
US 8.8.8.8:53 mrrmehqnpa.in udp
US 8.8.8.8:53 qwpehrrhqh.info udp
US 8.8.8.8:53 meammaenmn.in udp
US 8.8.8.8:53 rsampnrran.org udp
US 162.249.65.106:80 rsampnrran.org tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mrmwmnarws.in udp
US 8.8.8.8:53 nwrnwprmmh.us udp
US 8.8.8.8:53 sshnsrpenh.biz udp
US 8.8.8.8:53 psnqrqmpeh.in udp
US 8.8.8.8:53 wwearmsqrs.in udp
US 8.8.8.8:53 aqanannwqh.com udp
US 8.8.8.8:53 wasasnqrna.in udp
US 8.8.8.8:53 wnshehamhh.in udp
US 8.8.8.8:53 remrpqpseh.org udp
US 162.249.65.106:80 remrpqpseh.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 hwnppemeea.net udp
US 8.8.8.8:53 pnaqheqnsa.in udp
US 8.8.8.8:53 mwhnpqrmrn.in udp
US 8.8.8.8:53 pwramqmsms.in udp
US 8.8.8.8:53 hmamsmwhar.net udp
US 8.8.8.8:53 pqshhpemrn.in udp
US 8.8.8.8:53 wpqqhhspps.in udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
SG 13.251.16.150:80 wpqqhhspps.in tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.250.153.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.40.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 alt2.gmail-smtp-in.l.google.com udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 coin.mpg udp
US 8.8.8.8:53 nqenrpwpeh.us udp
US 8.8.8.8:53 spawwehsrs.biz udp
US 8.8.8.8:53 ppeseaqmms.in udp
US 8.8.8.8:53 msarphnewh.in udp
US 8.8.8.8:53 pwqpewwahh.in udp
US 8.8.8.8:53 hmparqsaqa.net udp
US 8.8.8.8:53 qsqpspspqn.info udp
US 8.8.8.8:53 haearrsqhn.net udp
US 8.8.8.8:53 qnrnwnwaas.info udp
US 8.8.8.8:53 weaeprawra.in udp
US 8.8.8.8:53 qmhqeesawh.info udp
US 8.8.8.8:53 ssnsphrnws.biz udp
US 8.8.8.8:53 aewrhprres.com udp
NL 77.247.183.149:80 aewrhprres.com tcp
US 8.8.8.8:53 mpehqsqwmn.in udp
US 8.8.8.8:53 rnrmmnpnpn.org udp
US 162.249.65.106:80 rnrmmnpnpn.org tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-rn.apple.com udp
US 17.56.176.6:25 mx-in-rn.apple.com tcp
US 8.8.8.8:53 pobox.com udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 149.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 pb-mx11.pobox.com udp
US 64.147.108.52:25 pb-mx11.pobox.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 103.168.172.218:25 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 mwaaemmnhn.in udp
US 8.8.8.8:53 asnrrsamsa.com udp
NL 212.32.237.91:80 asnrrsamsa.com tcp
US 8.8.8.8:53 whmrraawha.in udp
US 8.8.8.8:53 qmsaspnsna.info udp
US 8.8.8.8:53 hnehqqwwrs.net udp
US 8.8.8.8:53 qppamspwhs.info udp
US 8.8.8.8:53 weeqshswms.in udp
US 8.8.8.8:53 aanparshnh.com udp
NL 77.247.183.152:80 aanparshnh.com tcp
US 8.8.8.8:53 hpeqherars.net udp
US 8.8.8.8:53 nnhhneqnrh.us udp
US 8.8.8.8:53 saanqmaqpn.biz udp
US 8.8.8.8:53 91.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 152.183.247.77.in-addr.arpa udp
US 8.8.8.8:53 armahmrsaa.com udp
US 8.8.8.8:53 wqahhaqenh.in udp
US 8.8.8.8:53 aharwhphnh.com udp
NL 212.32.237.92:80 aharwhphnh.com tcp
US 8.8.8.8:53 mnrepmepar.in udp
SG 13.251.16.150:80 mnrepmepar.in tcp
US 8.8.8.8:53 netcom.com udp
US 8.8.8.8:53 92.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 northcoast.com udp
US 8.8.8.8:53 mx03.earthlink-vadesecure.net udp
US 8.8.8.8:53 cl.cam.ac.uk udp
US 51.81.232.218:25 mx03.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 mx.cam.ac.uk udp
NL 185.183.28.235:25 mxa-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 src.dec.com udp
GB 131.111.8.149:25 mx.cam.ac.uk tcp
US 8.8.8.8:53 apqhwmnqrh.com udp
US 8.8.8.8:53 mehsnsamha.in udp
US 8.8.8.8:53 qqpqwehwah.info udp
US 8.8.8.8:53 sqmswpnqws.biz udp
US 8.8.8.8:53 pqarnhhhhn.in udp
US 8.8.8.8:53 hqepnmqewn.net udp
US 8.8.8.8:53 rsrsemnren.org udp
US 216.245.214.82:80 rsrsemnren.org tcp
US 8.8.8.8:53 spewqmspma.biz udp
US 8.8.8.8:53 rahhhqwqqa.org udp
US 162.249.65.106:80 rahhhqwqqa.org tcp
US 8.8.8.8:53 82.214.245.216.in-addr.arpa udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 empewsqsqa.ws udp
US 64.70.19.203:80 empewsqsqa.ws tcp
US 8.8.8.8:53 pmnrrneaah.in udp
US 8.8.8.8:53 mnwsnarssr.in udp
US 8.8.8.8:53 rrpnmeawrs.org udp
US 162.249.65.106:80 rrpnmeawrs.org tcp
US 8.8.8.8:53 theriver.com udp
US 8.8.8.8:53 ismtp.sitestar.everyone.net udp
US 8.8.8.8:53 bryson.demon.co.uk udp
US 64.29.151.236:25 ismtp.sitestar.everyone.net tcp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 onlineconnections.com.au udp
US 8.8.8.8:53 openoffice.org udp
US 192.254.190.168:25 onlineconnections.com.au tcp
US 8.8.8.8:53 mx1-lw-eu.apache.org udp
US 8.8.8.8:53 mx2-lw-eu.apache.org udp
US 8.8.8.8:53 mx1-lw-us.apache.org udp
US 8.8.8.8:53 mx2-lw-us.apache.org udp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 sermsqqqna.biz udp
US 8.8.8.8:53 rsqsepmwas.org udp
US 162.249.65.106:80 rsqsepmwas.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 nongnu.org udp
US 52.101.8.51:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 eggs.gnu.org udp
US 209.51.188.92:25 eggs.gnu.org tcp
US 209.51.188.92:25 eggs.gnu.org tcp
US 8.8.8.8:53 mqpppnhaes.in udp
US 8.8.8.8:53 aqmrnawpan.com udp
US 8.8.8.8:53 wrnwernreh.in udp
US 8.8.8.8:53 aeaqmpsaqa.com udp
US 8.8.8.8:53 whwsqnemsn.in udp
US 8.8.8.8:53 rqeaqeewas.org udp
US 162.249.65.106:80 rqeaqeewas.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wqpaamhwrs.in udp
US 8.8.8.8:53 reaaheeara.org udp
US 8.8.8.8:53 kinoho.net udp
US 162.249.65.106:80 reaaheeara.org tcp
US 8.8.8.8:53 aspmx.l.google.com udp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
IE 74.125.193.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 riseup.net udp
US 8.8.8.8:53 mx1.riseup.net udp
DE 142.251.9.26:25 alt3.gmail-smtp-in.l.google.com tcp
US 198.252.153.129:25 mx1.riseup.net tcp
IE 74.125.193.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mnaahmqpqs.in udp
US 8.8.8.8:53 rrhaerswna.org udp
US 162.249.65.106:80 rrhaerswna.org tcp
US 8.8.8.8:53 mx-in-sg.apple.com udp
SG 17.23.14.18:25 mx-in-sg.apple.com tcp
US 8.8.8.8:53 pb-mx9.pobox.com udp
US 64.147.108.50:25 pb-mx9.pobox.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
US 8.8.8.8:53 bog.msu.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 wnhrrnhran.in udp
US 8.8.8.8:53 resrnrrmnn.org udp
US 162.249.65.106:80 resrnrrmnn.org tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx01.earthlink-vadesecure.net udp
US 51.81.61.70:25 mx01.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxb-00377f01.gslb.pphosted.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 185.183.28.235:25 mxb-00377f01.gslb.pphosted.com tcp
US 8.8.8.8:53 mannheraph.in udp
US 8.8.8.8:53 pqnqqqrpmh.in udp
US 8.8.8.8:53 smprehnwhs.biz udp
US 8.8.8.8:53 rhwnqwwnah.org udp
US 162.249.65.106:80 rhwnqwwnah.org tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 srsersmhsa.biz udp
SG 47.129.31.212:80 srsersmhsa.biz tcp
US 8.8.8.8:53 neshnhhwss.us udp
US 8.8.8.8:53 mswapwrnan.in udp
US 8.8.8.8:53 ahsppnhrmh.com udp
US 8.8.8.8:53 wmamewnnea.in udp
US 8.8.8.8:53 nhwwheearh.us udp
US 8.8.8.8:53 msqepwamwn.in udp
US 8.8.8.8:53 pmmpmshmsr.in udp
US 8.8.8.8:53 mahwmwnrmn.in udp
US 8.8.8.8:53 aaawpshran.com udp
US 216.245.214.85:80 aaawpshran.com tcp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 smmmwrsqhs.biz udp
US 8.8.8.8:53 sqepwsanpn.biz udp
US 8.8.8.8:53 qseerensns.info udp
US 8.8.8.8:53 hnhsehnhpa.net udp
US 8.8.8.8:53 psswwrmraa.in udp
US 8.8.8.8:53 hwhnrpesma.net udp
US 8.8.8.8:53 qmqspqnhwa.info udp
US 8.8.8.8:53 shprahaqrh.biz udp
US 8.8.8.8:53 rmmamheshh.org udp
US 162.249.65.106:80 rmmamheshh.org tcp
US 8.8.8.8:53 85.214.245.216.in-addr.arpa udp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 ennmqsmqna.ws udp
US 64.70.19.203:80 ennmqsmqna.ws tcp
US 8.8.8.8:53 qseahwrsps.info udp
US 8.8.8.8:53 ehrawpsrms.ws udp
US 64.70.19.203:80 ehrawpsrms.ws tcp
US 8.8.8.8:53 naspqmsmeh.us udp
US 8.8.8.8:53 wwnmhhenpa.in udp
US 8.8.8.8:53 qmrmswrran.info udp
US 8.8.8.8:53 wqeasppnas.in udp
US 8.8.8.8:53 awhhsqness.com udp
US 8.8.8.8:53 eqprsrnprs.ws udp
US 64.70.19.203:80 eqprsrnprs.ws tcp
NL 212.32.237.92:80 aharwhphnh.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
NL 142.250.153.27:25 alt2.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 alt4.gmail-smtp-in.l.google.com udp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
DK 17.57.170.2:25 mx-in-vib.apple.com tcp
US 8.8.8.8:53 wnaampsmna.in udp
US 8.8.8.8:53 pb-mx22.pobox.com udp
US 8.8.8.8:53 qpnphqawmh.info udp
US 173.228.157.41:25 pb-mx22.pobox.com tcp
US 8.8.8.8:53 hmqrapnpsh.net udp
US 8.8.8.8:53 aqsnaasemh.com udp
US 8.8.8.8:53 haswmnsqah.net udp
US 8.8.8.8:53 aeaqnwmhes.com udp
US 8.8.8.8:53 mqsnrenerh.in udp
US 8.8.8.8:53 nspseanhrs.us udp
US 8.8.8.8:53 haaahpspqs.net udp
US 8.8.8.8:53 qppqsasahn.info udp
US 8.8.8.8:53 mnnhnhahmh.in udp
US 8.8.8.8:53 nwrrpeshhn.us udp
US 8.8.8.8:53 wqsrephqms.in udp
US 8.8.8.8:53 nprhssnrmn.us udp
US 8.8.8.8:53 eqnhphnqms.ws udp
US 64.70.19.203:80 eqnhphnqms.ws tcp
US 8.8.8.8:53 neqanhanwn.us udp
SG 13.251.16.150:80 neqanhanwn.us tcp
US 8.8.8.8:53 smrnnmaqra.biz udp
US 8.8.8.8:53 nnnrpsanwh.us udp
US 8.8.8.8:53 wharrewhpn.in udp
US 8.8.8.8:53 qhhnpesehs.info udp
US 8.8.8.8:53 mesrphwwas.in udp
US 8.8.8.8:53 awmmprseha.com udp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 rqeaqsqpsr.org udp
US 162.249.65.106:80 rqeaqsqpsr.org tcp
US 8.8.8.8:53 mx04.earthlink-vadesecure.net udp
US 147.135.98.120:25 mx04.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxb-00377f03.gslb.pphosted.com udp
US 205.220.164.130:25 mxb-00377f03.gslb.pphosted.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 wrmqnnrqmh.in udp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 npmpsewraa.us udp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 whqrmqmnrs.in udp
US 8.8.8.8:53 nwqsnneawh.us udp
US 8.8.8.8:53 smwrehrsph.biz udp
US 8.8.8.8:53 qrmhwrwwmn.info udp
US 8.8.8.8:53 apmeppqwqh.com udp
US 8.8.8.8:53 wqpeaenphs.in udp
US 8.8.8.8:53 awqqrwmwsh.com udp
US 8.8.8.8:53 erphseshhh.ws udp
US 64.70.19.203:80 erphseshhh.ws tcp
US 8.8.8.8:53 nmerqanann.us udp
US 8.8.8.8:53 hpswpmhqah.net udp
US 8.8.8.8:53 psqesnmpph.in udp
US 8.8.8.8:53 hwnwwhmapa.net udp
US 8.8.8.8:53 nerrawwees.us udp
US 8.8.8.8:53 smqnsaanqs.biz udp
US 8.8.8.8:53 pehawnswha.in udp
US 8.8.8.8:53 wsmsannrsr.in udp
US 8.8.8.8:53 pnmhpsaqwn.in udp
US 8.8.8.8:53 wpraeqahma.in udp
US 8.8.8.8:53 napenhsmha.us udp
US 8.8.8.8:53 manrhhmrsn.in udp
US 8.8.8.8:53 rqsepprwmh.org udp
US 162.249.65.106:80 rqsepprwmh.org tcp
US 8.8.8.8:53 wnrphnsawn.in udp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 npeewrpmsh.us udp
US 8.8.8.8:53 spmpesqama.biz udp
US 8.8.8.8:53 rpwrwpqmrs.org udp
US 162.249.65.106:80 rpwrwpqmrs.org tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 smspppawmn.biz udp
US 8.8.8.8:53 pmrqmemawa.in udp
US 8.8.8.8:53 wmphheprha.in udp
US 8.8.8.8:53 prmaahsmqs.in udp
US 8.8.8.8:53 emhmmwaasa.ws udp
US 64.70.19.203:80 emhmmwaasa.ws tcp
US 8.8.8.8:53 pehprrmnns.in udp
US 8.8.8.8:53 hwenrqmmmh.net udp
US 8.8.8.8:53 nhamrnqsps.us udp
US 8.8.8.8:53 wpnermpasr.in udp
US 8.8.8.8:53 nnhssqsasr.us udp
US 8.8.8.8:53 mnmrweahpn.in udp
US 8.8.8.8:53 nhseewhaps.us udp
US 8.8.8.8:53 msaemqshmh.in udp
US 8.8.8.8:53 aewnhwwpwa.com udp
US 8.8.8.8:53 snarawppsr.biz udp
US 8.8.8.8:53 qsaqhnrwwn.info udp
US 8.8.8.8:53 swqrheamea.biz udp
US 8.8.8.8:53 aeaqppqhqs.com udp
US 8.8.8.8:53 mpnssapaws.in udp
US 8.8.8.8:53 rnehrmnwqa.org udp
US 162.249.65.106:80 rnehrmnwqa.org tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
NL 142.250.27.26:25 alt1.aspmx.l.google.com tcp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 wnnqnrwqea.in udp
US 8.8.8.8:53 qnmmhnspwn.info udp
US 8.8.8.8:53 wwaqpenhnn.in udp
US 8.8.8.8:53 rnrnqqawqs.org udp
US 162.249.65.106:80 rnrnqqawqs.org tcp
NL 142.250.27.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 gmail-smtp-in.l.google.com udp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mmmphaeann.in udp
US 8.8.8.8:53 aweqaesrms.com udp
US 8.8.8.8:53 hswwqmmseh.net udp
US 8.8.8.8:53 qhqqqnerss.info udp
US 8.8.8.8:53 wnnempshra.in udp
US 8.8.8.8:53 qnhwpqaans.info udp
US 8.8.8.8:53 mpmhhhprnn.in udp
US 8.8.8.8:53 qhwqwrpwnn.info udp
US 8.8.8.8:53 mhaewrqnps.in udp
US 8.8.8.8:53 psqeppnaha.in udp
US 8.8.8.8:53 maanhsqens.in udp
US 8.8.8.8:53 qsspraneas.info udp
US 8.8.8.8:53 msprmhpesa.in udp
US 8.8.8.8:53 nrmwqewpnn.us udp
US 8.8.8.8:53 sphpehqmsh.biz udp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 8.8.8.8:53 nwrrsharmn.us udp
US 17.32.222.242:25 mx-in-mdn.apple.com tcp
US 8.8.8.8:53 wnhpqrweas.in udp
US 8.8.8.8:53 rmmwpwhapn.org udp
US 162.249.65.106:80 rmmwpwhapn.org tcp
US 8.8.8.8:53 pb-mx23.pobox.com udp
US 173.228.157.42:25 pb-mx23.pobox.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hharwnqhha.net udp
US 8.8.8.8:53 rrqmmwahna.org udp
US 162.249.65.106:80 rrqmmwahna.org tcp
US 8.8.8.8:53 mx02.earthlink-vadesecure.net udp
US 51.81.61.71:25 mx02.earthlink-vadesecure.net tcp
US 8.8.8.8:53 mxa-00377f03.gslb.pphosted.com udp
US 205.220.164.130:25 mxa-00377f03.gslb.pphosted.com tcp
US 8.8.8.8:53 ssapaqsepa.biz udp
US 8.8.8.8:53 qqewasnrnr.info udp
US 8.8.8.8:53 mnpsepswhs.in udp
US 8.8.8.8:53 rammaswpsh.org udp
US 162.249.65.106:80 rammaswpsh.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 ssmrnmspws.biz udp
US 8.8.8.8:53 resmarqarn.org udp
US 162.249.65.106:80 resmarqarn.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 mapasaqear.in udp
US 8.8.8.8:53 qsepnwpmna.info udp
US 8.8.8.8:53 eshmhnprpa.ws udp
US 64.70.19.203:80 eshmhnprpa.ws tcp
US 8.8.8.8:53 qrrmswemps.info udp
US 8.8.8.8:53 hhsmeanamh.net udp
US 8.8.8.8:53 qeraempash.info udp
US 8.8.8.8:53 wrpeasspnn.in udp
US 8.8.8.8:53 amqwpwewrs.com udp
US 8.8.8.8:53 hewamrprrs.net udp
US 8.8.8.8:53 nsneerhwrs.us udp
US 8.8.8.8:53 wphhpmahqs.in udp
US 8.8.8.8:53 nqrreahqrh.us udp
US 8.8.8.8:53 hhwhmwmaws.net udp
US 8.8.8.8:53 rphpaspqar.org udp
US 162.249.65.106:80 rphpaspqar.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 hrwswapann.net udp
US 8.8.8.8:53 sqmmqqssea.biz udp
US 8.8.8.8:53 rrnpamehwa.org udp
US 162.249.65.106:80 rrnpamehwa.org tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
FI 142.250.150.27:25 alt4.gmail-smtp-in.l.google.com tcp
US 64.70.19.203:80 eshmhnprpa.ws tcp
US 8.8.8.8:53 rwmswamheh.org udp
US 162.249.65.106:80 rwmswamheh.org tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
DE 142.251.9.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mx-in.g.apple.com udp
DK 17.57.170.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 pb-mx20.pobox.com udp
US 173.228.157.39:25 pb-mx20.pobox.com tcp
US 8.8.8.8:53 wwaprrwnwa.in udp
US 8.8.8.8:53 rrseshrqsn.org udp
US 162.249.65.106:80 rrseshrqsn.org tcp
US 8.8.8.8:53 hqremeeheh.net udp
US 8.8.8.8:53 aspamphaqh.com udp
US 23.82.12.31:80 aspamphaqh.com tcp
US 8.8.8.8:53 wereqmsnwh.in udp
US 8.8.8.8:53 swwmpphesa.biz udp
US 8.8.8.8:53 peerrrehen.in udp
US 8.8.8.8:53 sreeshwpmh.biz udp
US 8.8.8.8:53 rnnnpannna.org udp
US 162.249.65.106:80 rnnnpannna.org tcp
US 8.8.8.8:53 31.12.82.23.in-addr.arpa udp
US 8.8.8.8:53 emqewenpsh.ws udp
US 64.70.19.203:80 emqewenpsh.ws tcp
US 8.8.8.8:53 penpnnehwa.in udp
US 8.8.8.8:53 mnwqmqhrsh.in udp
US 8.8.8.8:53 qhnhqesmnn.info udp
US 8.8.8.8:53 wnnnqwpeea.in udp
US 8.8.8.8:53 rmpmspqhph.org udp
US 162.249.65.106:80 rmpmspqhph.org tcp
US 8.8.8.8:53 mrwpmwnnra.in udp
US 8.8.8.8:53 nwaahharmh.us udp
US 8.8.8.8:53 meseewppah.in udp
US 8.8.8.8:53 rswnmhhsrh.org udp
US 162.249.65.106:80 rswnmhhsrh.org tcp
US 64.70.19.203:80 emqewenpsh.ws tcp
US 8.8.8.8:53 qsswqemmws.info udp
US 8.8.8.8:53 wnarpnqaqh.in udp
US 8.8.8.8:53 rmqsrpsqes.org udp
US 162.249.65.106:80 rmqsrpsqes.org tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
NL 142.250.153.26:25 alt2.gmail-smtp-in.l.google.com tcp
IE 209.85.203.26:25 gmail-smtp-in.l.google.com tcp
FI 142.250.150.27:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 henwwsahhh.net udp
US 8.8.8.8:53 ansenhrann.com udp
US 8.8.8.8:53 wpaeaapwhh.in udp
US 8.8.8.8:53 rshesmeshs.org udp
US 162.249.65.106:80 rshesmeshs.org tcp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 pb-mx14.pobox.com udp
US 64.147.108.55:25 pb-mx14.pobox.com tcp
US 8.8.8.8:53 wsnnneaqws.in udp
US 8.8.8.8:53 rnsmmparph.org udp
US 162.249.65.106:80 rnsmmparph.org tcp
US 8.8.8.8:53 hnemspmeaa.net udp
US 8.8.8.8:53 ahqnaqpwps.com udp
US 8.8.8.8:53 sasspmseas.biz udp
US 8.8.8.8:53 arqsarmwna.com udp
US 8.8.8.8:53 eernsaepaa.ws udp
US 64.70.19.203:80 eernsaepaa.ws tcp
US 8.8.8.8:53 qpwsqahpaa.info udp
US 8.8.8.8:53 whhanasrsa.in udp
US 8.8.8.8:53 aqpanwnraa.com udp
US 8.8.8.8:53 wrshrprwrh.in udp
US 8.8.8.8:53 rhmwsseqea.org udp
US 162.249.65.106:80 rhmwsseqea.org tcp
US 8.8.8.8:53 enwqmeawna.ws udp
US 64.70.19.203:80 enwqmeawna.ws tcp
US 8.8.8.8:53 pnhhenwapn.in udp
US 8.8.8.8:53 eepswnahha.ws udp
US 64.70.19.203:80 eepswnahha.ws tcp
US 8.8.8.8:53 srppwarhna.biz udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 64.70.19.203:80 tcp

Files

memory/3668-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3668-13-0x0000000010000000-0x000000001000D000-memory.dmp

C:\Windows\SysWOW64\shervans.dll

MD5 12eca2daca36abcd79a8f727f476aa8b
SHA1 d94387ec0b04ebd974d3390ca311e8ab5718e007
SHA256 03eb237cb3dec41c1d49bff5c712d2fe379ba799b98fbea3eb08ba8e18b1b14c
SHA512 3f09139f2fb4e842f457ce82719f11012ad98fb6dabfc292202f4de2c7e3af4e4b215ef843f133d46e10339e21256d122df49ea3545aa0e267780549d1cc9763

C:\Windows\SysWOW64\grcopy.dll

MD5 894cc366077b44c0c4c58c669b7f9bce
SHA1 bda588123f09222d4696cec0e024e5b87cd4a253
SHA256 d3debf07f1fe54e2a1869f18e0a27e61df7acbc4e5715ccb8912f10418c8b51e
SHA512 58f00365858d5fad02543a04b05ddc750b22eb048b3b1cf0c800400a16a4625113a76ff8a7fb7e70dd40e51a219541d98192a1a62c8d450b78ddf4be1522c15a

C:\Windows\SysWOW64\ctfmen.exe

MD5 d695a16bd29862e738b16bf87dcd6092
SHA1 eb508671d0c92cb201865218557bbb5e71b17df7
SHA256 8148c95c5e16635b1a630dd1ac113609e5088c9757780323f2bda8a44b2fe139
SHA512 98f02662b7bc14221bce54740de10f4ae3e23973640c143f431838eddb12dd05470fc87e8472b1d64da3d1365b0d9de2af414cc507b3752191a389e29e194228

memory/3668-25-0x0000000010000000-0x000000001000D000-memory.dmp

memory/3668-24-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5000-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5000-31-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1452-29-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Windows\SysWOW64\satornas.dll

MD5 120d7632ba75bb6a00191ff4750196ae
SHA1 75dd562c782bff49ba284d81d2b0cd7bc16826ff
SHA256 1bc5bc611e84cec61d24c0a7e809d580d7f050fdee23f51686a9729ca6632131
SHA512 591d8d1bf8a8a0c7cb37036bcadb35964a4debc1a5d62aa57b5c32dce40d1c70bbf347dad2990df39c8a77d79d82e0feb409b9e4c419b3471b75ca52b9b925f2

memory/1452-37-0x0000000010000000-0x000000001000D000-memory.dmp

memory/1452-39-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1452-40-0x0000000010000000-0x000000001000D000-memory.dmp