133ef33af1192defd5df6b6b614c738c3505acaaf2d8001b781f4a42e5892a39

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91ef2b7314f319925e9bc4ca2f1fa690N.exe
Size

96KB
MD5

91ef2b7314f319925e9bc4ca2f1fa690
SHA1

e6ff981de7d841922a59dfd9354d88f07d52e7d7
SHA256

133ef33af1192defd5df6b6b614c738c3505acaaf2d8001b781f4a42e5892a39
SHA512

b62d5e68f825d9778c194a5c4b831468a8a8a3046a2ddc18bc0859c8b3b20b286ca5c05c7071c334eedae9e67c0276392c7ea28523cc90cc0af2505acfbd3f6d
SSDEEP

1536:WyfSSqk1NQ4t0aW3dfjuvUBTAa2LYZS/FCb4noaJSNzJO/:jGkrQ4t0aQdS8EYZSs4noakXO/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe

Executes dropped EXE 8 IoCs

pid	Process
2836	Cileqlmg.exe
2720	Cpfmmf32.exe
2632	Cinafkkd.exe
2624	Cbffoabe.exe
2156	Clojhf32.exe
2780	Cegoqlof.exe
2108	Djdgic32.exe
860	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe
2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe
2836	Cileqlmg.exe
2836	Cileqlmg.exe
2720	Cpfmmf32.exe
2720	Cpfmmf32.exe
2632	Cinafkkd.exe
2632	Cinafkkd.exe
2624	Cbffoabe.exe
2624	Cbffoabe.exe
2156	Clojhf32.exe
2156	Clojhf32.exe
2780	Cegoqlof.exe
2780	Cegoqlof.exe
2108	Djdgic32.exe
2108	Djdgic32.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	91ef2b7314f319925e9bc4ca2f1fa690N.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	91ef2b7314f319925e9bc4ca2f1fa690N.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	91ef2b7314f319925e9bc4ca2f1fa690N.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	860	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ef2b7314f319925e9bc4ca2f1fa690N.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	91ef2b7314f319925e9bc4ca2f1fa690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2836	2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe	31
PID 2708 wrote to memory of 2836	2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe	31
PID 2708 wrote to memory of 2836	2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe	31
PID 2708 wrote to memory of 2836	2708	91ef2b7314f319925e9bc4ca2f1fa690N.exe	31
PID 2836 wrote to memory of 2720	2836	Cileqlmg.exe	32
PID 2836 wrote to memory of 2720	2836	Cileqlmg.exe	32
PID 2836 wrote to memory of 2720	2836	Cileqlmg.exe	32
PID 2836 wrote to memory of 2720	2836	Cileqlmg.exe	32
PID 2720 wrote to memory of 2632	2720	Cpfmmf32.exe	33
PID 2720 wrote to memory of 2632	2720	Cpfmmf32.exe	33
PID 2720 wrote to memory of 2632	2720	Cpfmmf32.exe	33
PID 2720 wrote to memory of 2632	2720	Cpfmmf32.exe	33
PID 2632 wrote to memory of 2624	2632	Cinafkkd.exe	34
PID 2632 wrote to memory of 2624	2632	Cinafkkd.exe	34
PID 2632 wrote to memory of 2624	2632	Cinafkkd.exe	34
PID 2632 wrote to memory of 2624	2632	Cinafkkd.exe	34
PID 2624 wrote to memory of 2156	2624	Cbffoabe.exe	35
PID 2624 wrote to memory of 2156	2624	Cbffoabe.exe	35
PID 2624 wrote to memory of 2156	2624	Cbffoabe.exe	35
PID 2624 wrote to memory of 2156	2624	Cbffoabe.exe	35
PID 2156 wrote to memory of 2780	2156	Clojhf32.exe	36
PID 2156 wrote to memory of 2780	2156	Clojhf32.exe	36
PID 2156 wrote to memory of 2780	2156	Clojhf32.exe	36
PID 2156 wrote to memory of 2780	2156	Clojhf32.exe	36
PID 2780 wrote to memory of 2108	2780	Cegoqlof.exe	37
PID 2780 wrote to memory of 2108	2780	Cegoqlof.exe	37
PID 2780 wrote to memory of 2108	2780	Cegoqlof.exe	37
PID 2780 wrote to memory of 2108	2780	Cegoqlof.exe	37
PID 2108 wrote to memory of 860	2108	Djdgic32.exe	38
PID 2108 wrote to memory of 860	2108	Djdgic32.exe	38
PID 2108 wrote to memory of 860	2108	Djdgic32.exe	38
PID 2108 wrote to memory of 860	2108	Djdgic32.exe	38
PID 860 wrote to memory of 2292	860	Dpapaj32.exe	39
PID 860 wrote to memory of 2292	860	Dpapaj32.exe	39
PID 860 wrote to memory of 2292	860	Dpapaj32.exe	39
PID 860 wrote to memory of 2292	860	Dpapaj32.exe	39

C:\Users\Admin\AppData\Local\Temp\91ef2b7314f319925e9bc4ca2f1fa690N.exe
"C:\Users\Admin\AppData\Local\Temp\91ef2b7314f319925e9bc4ca2f1fa690N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Cileqlmg.exe
  C:\Windows\system32\Cileqlmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Cpfmmf32.exe
    C:\Windows\system32\Cpfmmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Cinafkkd.exe
      C:\Windows\system32\Cinafkkd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 144
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
646ac4eb9d5039c686d1ddefbf0f9734

SHA1
4d2b4f09500959fd42381b22af4bf1a7d4d40e01

SHA256
28125eb4fc75193d0c1b73d11c43534cdf3ff563fb7feb6e08078038f11c828f

SHA512
cbce56bf964d1064a217b84d9f2830467bc593648da4314d9940bd705e6045cb18c502a78d9b62dd67a3e35aa6e0f41e18d86aef4c0aaf1e5b564bda984e63a3

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
a52f3365250d7b4920aafb82cb07ad52

SHA1
75d2de7df8e5e7edcd77fa508715000fb1aeb56b

SHA256
e156a845a3d68af644e29816cc752a45da601a90a8fb92fec7a58305d389a99a

SHA512
9fdac2003ca5171475a4aef2f34b1085e2780ba55403630ae4ec69944428884df8a0d244ff81459f8cca45bb48d27247d047b2157e64e7273e8633cd800566c4

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
2315bba65e1a989b2f554a47af842ff4

SHA1
c476be9956a17cdd354b0b5928a1290eb1e31488

SHA256
13b5221f581706a541488d0b96d0b04a3bafb3e8084dafdc45cc4eb0a84363a7

SHA512
73dad5b87f2d9d4ba5c3252046912b50fb0732ffb82b3ea8c87f4c91ed0276eef3daaeb2c9ebb7b6178c3240acc44a88ec9a7dbcaa9e4ed4f3b220ff4c2414cb

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
8b9ae80fe496e005c90d34956ef67b05

SHA1
be234be2db61353007aab7b979d2eb9181d58ae6

SHA256
e7520fbc61ee8e4c84686a48eea45afdbc61700d9482f32e8b2410650215bdb8

SHA512
498fe72a4bab12d8c4b5c9f1eb4dd7081e5ac5479b543866d1ea95d4b784a18c307dacc10b3f5f06d02b89f08ebce383b13c67607858153ada163ee66cc08b8c

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
5a5b660bddd3413e08e964a7589248fc

SHA1
fd13bf87a10969813edb922583128fa3aa23de46

SHA256
63cf9341a0fe0a321882a83e24a3ff856eab02e72f4e794396db2983e0839830

SHA512
7352746449234bd5de56d09596e2b13a62b9a7951daac2572f42b9d54fc98bca4a0c2450a6db73d22ba7d9ce6ab06ad6946fef91d6fbf5b26cee5605f56dc2e9

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
326b89ad1b25aa1bf79ad1d0208a3e22

SHA1
7c3017673460b98478083cfbd495188625ca9888

SHA256
f95a5b266555ccd136dd28119a45dcef9881dd0befa39965c4cf67f73a6eb286

SHA512
02bf0aa2e1a1d0abfcc652a4794f28c54183420bceca3eddbe9de0e4e12a0e438d8ecf830558ae119b29e249724ea13c17494280c5be96022a3c36b1288fc2f9

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
5d063d70441e57d5a1106941adc55590

SHA1
aa7ab7307a189a8b30656a4580fa2cf24e1b2a90

SHA256
7fe02716ded2ac4f70d904f1125c71a6b004a7c0141ce0f7d8f055e0d3a5cb68

SHA512
210c18482312a68018bae41bebed8983400fdc2cdcdacfe36791c9e8712e6416a50af8b35905e64628d3f4318321b9dfb486f6175fe443a653007dc7ed0c4eea

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
27634a7961d787412f7aa5ce3edc23b0

SHA1
7083b9e7f2d27059d39f315fff8ade7a32ef64d0

SHA256
7a91a039df18205a4a8657dc9b19b1b0d63c37b0481e74af3b859fe4e7a467cf

SHA512
a9a7ac61a4f2c92a07966412dee36fe189c5cd51f6189bdada8c50c59cf5f42ca5b4a3b6baaaff98809f730265aa7f58c722aaa44298c2099ad3ec5a0700d413

Download Submit
memory/860-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-102-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2108-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-81-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2624-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2632-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2708-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2720-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2836-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads