3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8

Analysis

max time kernel
120s
max time network
35s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Size

2.3MB
MD5

8834f733c6f453b90c96ccae549de200
SHA1

154b1b87dca936784a3c618b1f1d1bc0eff05d87
SHA256

3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8
SHA512

187c3923210dd9de13ec0a154a045d74b10e52b0fdc04100940d5c7fe3b34388e066735507a721ae89c140002bfbadd567a3cb8e97a07062a401ee1640676f70
SSDEEP

49152:ojvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:orkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016c4a-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1564	ctfmen.exe
2828	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
1564	ctfmen.exe
1564	ctfmen.exe
2828	smnss.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File created	C:\Windows\SysWOW64\smnss.exe	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File created	C:\Windows\SysWOW64\satornas.dll	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
2828	smnss.exe
2828	smnss.exe
2828	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	2828	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
2828	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1564	2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe	30
PID 2688 wrote to memory of 1564	2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe	30
PID 2688 wrote to memory of 1564	2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe	30
PID 2688 wrote to memory of 1564	2688	3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe	30
PID 1564 wrote to memory of 2828	1564	ctfmen.exe	31
PID 1564 wrote to memory of 2828	1564	ctfmen.exe	31
PID 1564 wrote to memory of 2828	1564	ctfmen.exe	31
PID 1564 wrote to memory of 2828	1564	ctfmen.exe	31
PID 2828 wrote to memory of 1908	2828	smnss.exe	33
PID 2828 wrote to memory of 1908	2828	smnss.exe	33
PID 2828 wrote to memory of 1908	2828	smnss.exe	33
PID 2828 wrote to memory of 1908	2828	smnss.exe	33

C:\Users\Admin\AppData\Local\Temp\3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe
"C:\Users\Admin\AppData\Local\Temp\3bdf9239d1f72a8c469c93c77bad95798a619a6fa178cfb8af1029ffc72a1ea8N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 988
      4⤵
      Loads dropped DLL
      Program crash
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
d90d3792f6e6b0340904bffd8ec2adfb

SHA1
18b8c511af1e14cef2f16eb36f4c5120fd3d0e7c

SHA256
6c93fcba2c4eb6296cd7e810f9a0aae1c511d1db32a048c3d08a496299f110c8

SHA512
c80ab24bdc6364a410e4e179fa9085ab2658fe4e920b8e827050fc2ee590bb89be4fd2ffdfde61db456ba818cca9ea26b8b46ce7e4e5986bd414be8f06593774

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
2.3MB

MD5
62e1554c60a0168d5c7100d65b6adc2e

SHA1
c36e6d6a91bc829f72749d1981634ec07ed4a97d

SHA256
66e49c0f55d56acc5738a9d9178e3f4427181c5a61483a1726167c0c8313e4e7

SHA512
30cbf87be8807ef370b80d2b11a20e2fc6a3a9026952282beb9d75362a66dfcc14dbb4c7546f5bc572d2d369eb94fedf355ad02ea950a4cbef4e2c9ef379dd00

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
b42ea281a9e87206791395b0df9f8cdb

SHA1
622d2e8c432582c21733747e50a8395d20a37cea

SHA256
ff7eeacdd05ac50a0b0127e8eb258bda8a90e79a795d712bba1ef9a34a6254df

SHA512
a6c1c0ba6e1b5a27848907d9c24690e8c48b4d5da1198dcb3c50c28413e9608dac328a6d34a0ac68276644d5f28458551c21fc44d906361c6a08455dbfc9249a

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
34279c82148ecede3f0c6a29f81dc722

SHA1
a9c16551c84c8431fd0c7f5adc90aa90dd411dc3

SHA256
e088c197bc662d892872224f28684497a728c4478a8033e8c8d7726bbcac1620

SHA512
79d82ae1679959cebe187244f37b34737ae09362e3a9af71be3995a5b8d76681a23b56cacc33d5ca1b3c01017a9b811d2e8b6f450cb3f1e0972c2a42bd7d7587

Download Submit
memory/1564-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2688-25-0x0000000001360000-0x0000000001369000-memory.dmp

Filesize
36KB

Download
memory/2688-24-0x0000000001360000-0x0000000001369000-memory.dmp

Filesize
36KB

Download
memory/2688-29-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2688-30-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2688-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2688-31-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2688-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2688-2-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2828-45-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2828-39-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2828-38-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2828-47-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2828-48-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2828-50-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2828-49-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2828-51-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2828-56-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads