d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f

General

Target

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Size

226KB
MD5

51b302e07414fc728313d5abc02d505e
SHA1

280e787eb0caa0dfc1d6e19702250ffe941cf874
SHA256

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f
SHA512

2c8930768ba39c45425a7938835f2bf96b9a949cd3d6978aeb4ad610963da15dcaf0e109d24cfe977c1d798b5584e2c8670c2f34b83aed88515856dede54cad6
SSDEEP

6144:BpIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtS:BQKofHfHTXQLzgvnzHPowYbvrjD/L7QK

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

smnss.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

3032 ctfmen.exe
2956 smnss.exe

pid	process
3032	ctfmen.exe
2956	smnss.exe

Loads dropped DLL 6 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exectfmen.exesmnss.exe

pid	process
2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
3032	ctfmen.exe
3032	ctfmen.exe
2956	smnss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe

description	ioc	process
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exed9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe

Drops file in System32 directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc7100t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kom4650X.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_escape_characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\EP0SBT00.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa310t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.Wsman.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\es-ES\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_split.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3200T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc650X.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOGDS3L.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500nt.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\erofflps.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF0450T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4500t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\KYW7QURY.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Break.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5600T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2360t.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	smnss.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\CompareHide.doc	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	smnss.exe

Drops file in Windows directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Session_Configurations.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Roses.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43f7c2ea0646a637\Rules.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_regular_expressions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_trap.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Windows_PowerShell_2.0.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\Rules.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sonic-sonicxml_31bf3856ad364e35_6.1.7600.16385_none_473b7f0d0af85d51\sonic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6a40964d5ae60541\calendar.html	smnss.exe
File opened for modification	C:\Windows\ehome\CreateDisc\sonic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\default.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\System Performance.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\currency.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpoa430t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Parsing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_While.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipscsy.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPC1RXSL.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Switch.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-2.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_72fcae3cc365b3f2\Rules.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\Microsoft.Wsman.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-18.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_pssession_details.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPMCPDP5.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Parsing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Parsing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_advanced.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-5.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_remote_FAQ.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPP8400T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpj5700t.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31129025_263079600.back.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\gadget.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Report.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_scripts.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-4.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Throw.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a0ca3a01119ca4b\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7c1292c822004f6\flyout.html	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Special_Characters.help.txt	smnss.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exectfmen.exesmnss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 2956 smnss.exe

description	pid	process
Token: SeDebugPrivilege	2956	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exectfmen.exe

description	pid	process	target process
PID 2472 wrote to memory of 3032	2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 2472 wrote to memory of 3032	2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 2472 wrote to memory of 3032	2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 2472 wrote to memory of 3032	2472	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 3032 wrote to memory of 2956	3032	ctfmen.exe	smnss.exe
PID 3032 wrote to memory of 2956	3032	ctfmen.exe	smnss.exe
PID 3032 wrote to memory of 2956	3032	ctfmen.exe	smnss.exe
PID 3032 wrote to memory of 2956	3032	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
"C:\Users\Admin\AppData\Local\Temp\d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
fc7e7ab3792b3607c52c86ac85bf7e55

SHA1
d8be0f265e84c6a54e0974746e481371e5f76fa8

SHA256
19ebeb477f9e390b4d1a58be1105affb73049f867923972e5a56cece750239c2

SHA512
735a61e3ac82fc53c4af2fee5aa7fa52971014dee90938effd9ea4e8d90e517dac6ecd173f9b29e5e6770eccfb2743a28b3470129990bf2efe8dc3cf1676208b

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
226KB

MD5
6226086d202fb55907d644353fe1a87e

SHA1
06c8b792ad456a5a4cfa8629412e97c2a0b340aa

SHA256
23541e9f57fb9c1d00a88189c976d14ee02b8e948452dc893796a6ce8ceacf11

SHA512
d9e6701cc8e1bfb305ffbac67dee04cfdaf825130e42a3e9dd79120a4d657319f8f50ff01ff144c9da5b9885e6138afe66f324eded41820af03b26053202918c

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
92d5b576468339c5a920a4d5514476e5

SHA1
4194eca4817c8b8329ce5efb089913e838cf3333

SHA256
0e0d633c6c72cee68795122742ccdb48b77d0ad5c2a4c089d420c1d84ebd4da9

SHA512
cea4ef6b91bac188626d3bbc78e93dced85a0b5a4f49812c6fa4ec3f6c143061f9fc0887db1213e8f4e471e3bf4906b7a75a0aa446c15ba674a9c8dfd14e8f97

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ecfd3b14a17660e5f459277efb9db290

SHA1
a42e625585f129b93fdc7f7b80f7acf8554f84a5

SHA256
90b403e3b54faa237bffd8e535a515f8266a25db1f7e38cfc7298725c8c2532d

SHA512
dce2e26ba499f9669a8e643202ae0bf7e99cc7016e51bbd23e505523d7f53b516a80f21581d01483360f9bb7c9cfa6e32eccc1f0bfadfd503ea90a1586b4be55

Download Submit
memory/2472-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2472-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2472-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2472-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2472-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2956-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2956-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2956-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3032-31-0x0000000000320000-0x0000000000352000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads