191ea4a15f344e7f68660ed1fac5494f0467f27fb2c02d62620631fc66cc4c50

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Size

70KB
MD5

4e563d84c6b217afe7c56add4dd84d60
SHA1

641d2fbc97225ffbd65d83cb73094316ba2547e2
SHA256

191ea4a15f344e7f68660ed1fac5494f0467f27fb2c02d62620631fc66cc4c50
SHA512

0e7818f64007a75066fe47a55f3ef04fac54f99763d1d0fc83cb122bedf20a27d8db1176e25a81f3a755fbdf13fe02c8cb8b276bc6ee3210d64ff63a63e22363
SSDEEP

1536:Jq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b1YTjipvF2a:Jq5ud9qHFO8Kf3rIIb1YvQd2a

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023270-10.dat	acprotect
behavioral2/files/0x0006000000023270-30.dat	acprotect
behavioral2/files/0x0006000000023270-34.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3348	ctfmen.exe
3868	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4620	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
3868	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File created	C:\Windows\SysWOW64\smnss.exe	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	smnss.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\WebviewOffline.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_prnms007.inf_31bf3856ad364e35_10.0.19041.1_none_70cec824c55a4876\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_1418e1a4e830cf09\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\appcmd.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..iveportal.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_ae1950955a82d8ef\f\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobesettings-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..urepicker.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_2719bdeef32ae98e\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-6.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\needhvsi.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\navcancl.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_23f4c1602d97fe43\r\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_1277eb7f6aa856b4\r\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftOffice2016Win64.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\r\EditionMatrix.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Report.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipshe.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-11.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-8.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.19041.1081_none_21d54f6a980a590b\DefaultWindows_Enforced.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\WDATP_ContainerCreate.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..iveportal.appxsetup_31bf3856ad364e35_10.0.19041.1_none_ef32a78b44bbf362\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\helloEnrollment.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-7.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsid.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-retaildemo-exit-dialog-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-10.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\http_400.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_411a61445fd08261\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-chrome-footer-template.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\common-button-template.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-14.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-6.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0410\tokens_itIT.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelightfooterhost.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-9.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_deDE.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Rules.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\GlobalInstallOrder.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\osknav.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_410.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.153_none_04304b75e9b1037f\f\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.423_en-us_f07e1f9c89d64ec4\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_10.0.19041.1_none_d8c9ac6e0263d02c\mxdw-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokenManagerErrorHandler.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\ServerRdshEdition.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeautopilotupdate-main.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\4009\tokens_enIN.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-11.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\navcancl.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_404.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\default-contentview-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_6d4be35dd691e117\AppxBlockMap.xml	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3348	4620	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe	85
PID 4620 wrote to memory of 3348	4620	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe	85
PID 4620 wrote to memory of 3348	4620	NEAS.4e563d84c6b217afe7c56add4dd84d60.exe	85
PID 3348 wrote to memory of 3868	3348	ctfmen.exe	86
PID 3348 wrote to memory of 3868	3348	ctfmen.exe	86
PID 3348 wrote to memory of 3868	3348	ctfmen.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.4e563d84c6b217afe7c56add4dd84d60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4e563d84c6b217afe7c56add4dd84d60.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
96d519f87dcb5c6de3f10fd1d2763ad7

SHA1
999b6495c1955c20519bbd1eec83317559640018

SHA256
8f6d3e86c0f63c9506086920d39490168081b073ee13a187f03f4ee4ff52bf6e

SHA512
9802ad01d69c4cddffe1744f673ac624082e01de6f108e0ca7e3c4b9375ff5191766bbb2a2149030f46db2d1728c265e1abdff4878ba40732c02ace5b39bf411

Download Submit
C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
96d519f87dcb5c6de3f10fd1d2763ad7

SHA1
999b6495c1955c20519bbd1eec83317559640018

SHA256
8f6d3e86c0f63c9506086920d39490168081b073ee13a187f03f4ee4ff52bf6e

SHA512
9802ad01d69c4cddffe1744f673ac624082e01de6f108e0ca7e3c4b9375ff5191766bbb2a2149030f46db2d1728c265e1abdff4878ba40732c02ace5b39bf411

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
70KB

MD5
30c3cc35f3803b6a57cdbe0739637435

SHA1
31af7aea3200dfe61f68c769c50959f93e63f0fe

SHA256
a2f6968aed7715b372bc28c3b11798f057e5538ff6e21732add396d3040ee078

SHA512
60d471fd28ed8b6f5a403def3d23c1b282cf422075fe1ece69a0e30c6ebae715ed8f61c63b307d2c1eafa3fb0ca39d30e942db982e3f85ffa296714e1ecb0627

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
70KB

MD5
30c3cc35f3803b6a57cdbe0739637435

SHA1
31af7aea3200dfe61f68c769c50959f93e63f0fe

SHA256
a2f6968aed7715b372bc28c3b11798f057e5538ff6e21732add396d3040ee078

SHA512
60d471fd28ed8b6f5a403def3d23c1b282cf422075fe1ece69a0e30c6ebae715ed8f61c63b307d2c1eafa3fb0ca39d30e942db982e3f85ffa296714e1ecb0627

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
6e3a6ebacbb1fc74448599b4fe10c476

SHA1
54c522ca9b051f5e3d8fba9bbfb1a545a8e8904d

SHA256
fe65bf9b57c706a4439c952f8fedc155f65bdd905a92745c7ce259a6aeee88eb

SHA512
311b199b356374e86c9e4f4f194cc798651432003636fc5f9b59763860ac1398e735812381824b20bc2be755ff29033b30f6881b9d38997072547639a4c88c38

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
5fba5ad46c8deb6046065a3005039f89

SHA1
b9a4b2ce0a315e633d61cff08b4ca4257f5ab3a7

SHA256
2f4ca4f82ec06ba2b4d14a0cf0a549011fe85ec0f33e2e07e2dc3c173ad45ad4

SHA512
9e3098f3fab6666fcd77c07696e8168634d88d42230df3d476180f411b95853f636f9633dc7de4cb84e40c3aab5b9738e8949257455454fff8a4a7bf5fa6d231

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
5fba5ad46c8deb6046065a3005039f89

SHA1
b9a4b2ce0a315e633d61cff08b4ca4257f5ab3a7

SHA256
2f4ca4f82ec06ba2b4d14a0cf0a549011fe85ec0f33e2e07e2dc3c173ad45ad4

SHA512
9e3098f3fab6666fcd77c07696e8168634d88d42230df3d476180f411b95853f636f9633dc7de4cb84e40c3aab5b9738e8949257455454fff8a4a7bf5fa6d231

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
5fba5ad46c8deb6046065a3005039f89

SHA1
b9a4b2ce0a315e633d61cff08b4ca4257f5ab3a7

SHA256
2f4ca4f82ec06ba2b4d14a0cf0a549011fe85ec0f33e2e07e2dc3c173ad45ad4

SHA512
9e3098f3fab6666fcd77c07696e8168634d88d42230df3d476180f411b95853f636f9633dc7de4cb84e40c3aab5b9738e8949257455454fff8a4a7bf5fa6d231

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
70KB

MD5
30c3cc35f3803b6a57cdbe0739637435

SHA1
31af7aea3200dfe61f68c769c50959f93e63f0fe

SHA256
a2f6968aed7715b372bc28c3b11798f057e5538ff6e21732add396d3040ee078

SHA512
60d471fd28ed8b6f5a403def3d23c1b282cf422075fe1ece69a0e30c6ebae715ed8f61c63b307d2c1eafa3fb0ca39d30e942db982e3f85ffa296714e1ecb0627

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
70KB

MD5
30c3cc35f3803b6a57cdbe0739637435

SHA1
31af7aea3200dfe61f68c769c50959f93e63f0fe

SHA256
a2f6968aed7715b372bc28c3b11798f057e5538ff6e21732add396d3040ee078

SHA512
60d471fd28ed8b6f5a403def3d23c1b282cf422075fe1ece69a0e30c6ebae715ed8f61c63b307d2c1eafa3fb0ca39d30e942db982e3f85ffa296714e1ecb0627

Download Submit
memory/3348-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3348-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3868-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3868-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4620-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4620-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads