771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Size

240KB
MD5

3b8204c94aaa3d5281ec1b5850bcf7f9
SHA1

6d8526132b9aafc2877f29bac30feb4a55b7c57b
SHA256

771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389
SHA512

ea9963001ba90086f12a69e5f40a7c131dbacfb90a51ed22eb2ec8bca0bdce94b60ecb9bfb574c33f44839c74ba09f76874fd7123dc7d78a1a32fde7aaa54be3
SSDEEP

1536:iq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bB:iq5ud9qHFO8Kf3rIIbB

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

UPX dump on OEP (original entry point) 25 IoCs

resource	yara_rule
behavioral2/memory/1480-0-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/files/0x0007000000023471-10.dat	UPX
behavioral2/memory/1480-13-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/files/0x0007000000023472-16.dat	UPX
behavioral2/files/0x0006000000023305-20.dat	UPX
behavioral2/memory/1480-24-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/2840-26-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/1480-23-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2840-30-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/2272-31-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-39-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/2272-40-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-42-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-44-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-46-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-48-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-50-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-52-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-54-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-56-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-58-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-60-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-62-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-64-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2272-66-0x0000000000400000-0x0000000000420000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023471-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2840	ctfmen.exe
2272	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
2272	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File created	C:\Windows\SysWOW64\satornas.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File created	C:\Windows\SysWOW64\smnss.exe	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File created	C:\Windows\SysWOW64\shervans.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinStickyNotes.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\BuildInfo.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jmc.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\tokens_enGB.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAccessibilityChecker.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceTigrinya.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..urepicker.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_2719bdeef32ae98e\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsptg.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-timeline_is_31bf3856ad364e35_11.0.19041.746_none_3f68c845997377c3\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\servbusy.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\servbusy.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\PhishSite_Iframe.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_es-es_776ebcbf40f21506\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\AppCacheMetadata.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\hstscerterror.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\080a\tokens_esMX.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_enGB.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..zer-en-us-n-onecore_31bf3856ad364e35_10.0.19041.1_none_765caf6603816cb0\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..nrollment.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_3bef52e9f4b5e3b0\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\DisableAboutFlag.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.19041.1_none_3fe01118a9018735\MaintenanceDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\ASPNET_schema.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-15.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\4.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.19041.1202_none_e636843d96260ccd\f\Appraiser_TelemetryRunList.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\ssprerror-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401-4.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1_none_3fb2edd2476a33e3\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\repost.htm	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobenetworklossaversion-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\wsmanconfig_schema.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Rules.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsid.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-4.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..uickstart.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c81408a27d1805ca\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipshrv.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeeula-hololens.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\startfresh.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-light-progress-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\OEMRegistration.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\surfaceHubAccount.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-16.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\startfresh.html	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\network.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\needie.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..igurationdiagnostic_31bf3856ad364e35_10.0.19041.1_none_9a29135572e069ec\WindowsMediaPlayerConfiguration.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-9.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-14.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\401.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-timeline_is_31bf3856ad364e35_11.0.19041.746_none_9b8763c951d0e8f9\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\pdferror.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\http_501.htm	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TURKISH.TXT	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_410.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipssrb.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrordisabledforregion.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\PhishSiteEdge.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appx-alluserstore_31bf3856ad364e35_10.0.19041.153_none_01c1d85556ce4652\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Finale.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\startfresh.html	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2840	1480	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe	93
PID 1480 wrote to memory of 2840	1480	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe	93
PID 1480 wrote to memory of 2840	1480	771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe	93
PID 2840 wrote to memory of 2272	2840	ctfmen.exe	94
PID 2840 wrote to memory of 2272	2840	ctfmen.exe	94
PID 2840 wrote to memory of 2272	2840	ctfmen.exe	94

C:\Users\Admin\AppData\Local\Temp\771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe
"C:\Users\Admin\AppData\Local\Temp\771234a03592f5c15e85cd2eef33d993bb61b957841cc62cbc69b6b474d98389.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
aeb1c8ccad78de07e345c95be5c8fe4c

SHA1
7cdb724eca00ed333dcee48f3399c1a53a9017eb

SHA256
4e33ab02ab8d2c639cd34cbc77340e7fb325ad68179e776897395756971f95c9

SHA512
f9bf73e3a77e1cdf3c2ffb09a7d8a70b583961e05b5719e0865c517c95365501f60597b08fdb215864dcbeded4a61060d0f21deaddd26e4212a17c3a04a9311a

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
240KB

MD5
7302ddff0d18ca2fe2959f0769e3814a

SHA1
915fb82d239f8d06dfe60b37764fae0a82f945f4

SHA256
44f6b0aaa377de48a685a60b6b41d6cddc4e9e22d55761ce4205cc4735bf2647

SHA512
4a56091f8d8b4c02f167d45a35b2142f3f9b2c9fd0e9f58ef019789616e821737556144f7e460d8ccf849b06a59b4b3a18ca0304c2e8de522ad7440494c56f6c

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
8e43397a68bd4e00465f00a6d4874bb6

SHA1
c0d060426f4ff322ebaa66d020e6d9203af1c09a

SHA256
fb4c7898aa13f5f8b163b3a36612ce531fdda8c2d6e54b6d332db602ac289c71

SHA512
784511923ea979708e00f4391d90706293b0a3b44c06cad46aa94efdccc066cccf74b70e5f48a6d468cb538782a11fd2fcf37ee23764081abb60e39a528c25e3

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
78fe75a5435a31d6dec0ea8727032237

SHA1
f65d5fe653e9df8c374974939595e3e1472b4ea5

SHA256
c497cfa8a45980b2f3843c98fb4680a84afe2c85fcb225cc0410456fb9272b75

SHA512
8f8fa4789aa00e1a5b5e843407a0542fa93066c16c73370c4dd90f3426b803ba27ddf55c9624c43b1e7cedecd0487a460892121df96de7320b8230e77c00e5f6

Download Submit
memory/1480-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1480-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1480-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1480-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2272-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2840-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2840-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads