d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f

General

Target

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Size

226KB
MD5

51b302e07414fc728313d5abc02d505e
SHA1

280e787eb0caa0dfc1d6e19702250ffe941cf874
SHA256

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f
SHA512

2c8930768ba39c45425a7938835f2bf96b9a949cd3d6978aeb4ad610963da15dcaf0e109d24cfe977c1d798b5584e2c8670c2f34b83aed88515856dede54cad6
SSDEEP

6144:BpIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtS:BQKofHfHTXQLzgvnzHPowYbvrjD/L7QK

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

smnss.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

2004 ctfmen.exe
3992 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

pid process

4224 d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
3992 smnss.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2004	ctfmen.exe
3992	smnss.exe

pid	process
4224	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
3992	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe

description	ioc	process
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 64 IoCs

Processes:

smnss.exed9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File created	C:\Windows\SysWOW64\grcopy.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jvisualvm.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml	smnss.exe

Drops file in Windows directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\13.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Rules.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\avtransport.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.1288_none_23aa03725ec9354a\f\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\VideoPlaybackDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\GREEK.TXT	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31135901_504476205.back.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobekeyboard-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\ServerRdshEdition.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1_none_5391427554e17127\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.19041.1_en-us_a1eaf9e6bdb2c2e2\resource.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorneedcontentlocally.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\proxyerror.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fb71c64c36f7dd93\f\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_a682193ea7614721\r\appxblockmap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\auxpad.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-assemblylist_core_xml_b03f5f7f11d50a3a_4.0.15805.0_none_3d6b4979572959fd\AssemblyList_4_client.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurity.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..arydialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_be8a1cf90a92f9f9\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\enterpriseNgcEnrollment.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-13.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\unknownprotocol.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..igurationdiagnostic_31bf3856ad364e35_10.0.19041.1_none_9a29135572e069ec\WindowsMediaPlayerConfiguration.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31135900_2736541572.back.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftInternetExplorer2013Backup.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.1081_none_7844725cf8ddff9b\r\timezoneMapping.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.19041.1_none_68a55acab544b1f4\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..bviewhost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_1277eb7f6aa856b4\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeactivitysyncconsent-main.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-toggle-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..rymanager.appxsetup_31bf3856ad364e35_10.0.19041.1_none_36471647c08c8a19\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-5.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ApplicationGuard\LearnMore.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoutro-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\pdferrorofflineaccessdenied.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..t-browser.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_9335233f4761b170\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\BITSDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\080a\tokens_esMX.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0407\tokens_deDE.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoShutdowns.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\tokens_frFR.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\11.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\Rules.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\emulation\emulation.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-audiodiagnostic_31bf3856ad364e35_10.0.19041.1_none_767880898f16fada\AudioRecordingDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\hstscerterror.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..iveportal.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_ae1950955a82d8ef\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..lcontrols.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_40b016a173f49507\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsfra.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-2.htm	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\PowerDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31135900_2678128876.back.xml	smnss.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

smnss.exed9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exectfmen.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exesmnss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 3992 smnss.exe

description	pid	process
Token: SeDebugPrivilege	3992	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exectfmen.exe

description	pid	process	target process
PID 4224 wrote to memory of 2004	4224	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 4224 wrote to memory of 2004	4224	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 4224 wrote to memory of 2004	4224	d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe	ctfmen.exe
PID 2004 wrote to memory of 3992	2004	ctfmen.exe	smnss.exe
PID 2004 wrote to memory of 3992	2004	ctfmen.exe	smnss.exe
PID 2004 wrote to memory of 3992	2004	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe
"C:\Users\Admin\AppData\Local\Temp\d9f6584d8d40c05a1e0f096dcde448d4cc7d52a9dc3ff61f2a1292f608c5f39f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ca339faa985e1ffe076a716aa441313b

SHA1
5139925bb814fed5dadc98157266dbb4ff1b589d

SHA256
23aac08ac5934ed2cb3785adb3b07f25a1b29d7a04c5db5355541aab85d6f74e

SHA512
c1a791696da283f8d655d5061cf3d17334ad745b9e8a4b5f8c77a80c74cbeaf34a7d2cf99cbcb9c0c86db29ba2d394d2ecde004cd3f7608151153e6c4ea39b2e

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
226KB

MD5
7d98b0e28a4f3eeae750f05776215d37

SHA1
3a54b5f85335b4e1d4fc385a3418026c8eabfb00

SHA256
52552c4bd0e7b78c7f9e57b2b505b2f3e36dbe7c081faa3e6ec1dc5fda998aff

SHA512
c8618b9369e4721c8f703924710da9cc41d1dbe775544c8cf4ab5122d2a958688fea7de7de0e61a4e01e0dcdd220c4e8a835118564a6ada7201a089ab66b93fa

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
417326175f03466fa6ddf40dbc92d9aa

SHA1
6cdc861076b72a5c3c67256f296feb1ea0f0b8a1

SHA256
212d7e3b34515066fb5a34eef9be24a4d9746980b2183dc989f557fa1044b219

SHA512
b63c88075fdfc4e2cee85d55f53c081579005ed842814d828b4cc2d759ba5601ae1dab94c297a98117b93df9380f01a83a20221aa634d0e456b2029ef4522da2

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
e6d21ab7af4ed6a9f1c8eeea9f788bed

SHA1
c28cd0aaed07f1527aa67dbe0eb12665ce793c5a

SHA256
e7d7bb28fd154420538956d9ed3049d4017da423821a03ce8302fd4ccdf1b431

SHA512
6be21c234976999e17b37d15a254db0b86eb8326e4556b6b4ff25bd316c58113caa4692c03a83d3ddbd52a48b131dfdfa1ee7bb5732d7797d8d0cf3ef4274940

Download Submit
memory/2004-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2004-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3992-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3992-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3992-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3992-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4224-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4224-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4224-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4224-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads