6f4f86f804275bcac6a527864fec9ada5d2273bb1bb3070b584b7606322f48b8

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e242ec37b3f82a4d915addd42092f40N.exe
Size

96KB
MD5

3e242ec37b3f82a4d915addd42092f40
SHA1

230df28e79fc9f98679e44c0fb52e51e4964b9d4
SHA256

6f4f86f804275bcac6a527864fec9ada5d2273bb1bb3070b584b7606322f48b8
SHA512

ceed47f52f8b9a8dfc018074a30555549c5b9e6b3e9f4f7d6b714fa3d51471e2dc522b89e62e8a0c1236bf40829ba3bbeadce93fadd6b1786ec8c1a90b25d2b1
SSDEEP

1536:kgHJtMDVDVz7aoOQXj79SgLp47fTNnXSbEUIYB9KxiKK/BOmtDCMy0QiLiizHNQi:NHLcVB7PruhaMxXK5OmRCMyELiAHONdq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e242ec37b3f82a4d915addd42092f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3e242ec37b3f82a4d915addd42092f40N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe

Executes dropped EXE 8 IoCs

pid	Process
2540	Bgcbhd32.exe
2376	Bmbgfkje.exe
2832	Cmedlk32.exe
2600	Cnfqccna.exe
2632	Cgaaah32.exe
2672	Cbffoabe.exe
2572	Calcpm32.exe
2808	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
948	3e242ec37b3f82a4d915addd42092f40N.exe
948	3e242ec37b3f82a4d915addd42092f40N.exe
2540	Bgcbhd32.exe
2540	Bgcbhd32.exe
2376	Bmbgfkje.exe
2376	Bmbgfkje.exe
2832	Cmedlk32.exe
2832	Cmedlk32.exe
2600	Cnfqccna.exe
2600	Cnfqccna.exe
2632	Cgaaah32.exe
2632	Cgaaah32.exe
2672	Cbffoabe.exe
2672	Cbffoabe.exe
2572	Calcpm32.exe
2572	Calcpm32.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	3e242ec37b3f82a4d915addd42092f40N.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	3e242ec37b3f82a4d915addd42092f40N.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	3e242ec37b3f82a4d915addd42092f40N.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cbffoabe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	2808	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e242ec37b3f82a4d915addd42092f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3e242ec37b3f82a4d915addd42092f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3e242ec37b3f82a4d915addd42092f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3e242ec37b3f82a4d915addd42092f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3e242ec37b3f82a4d915addd42092f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3e242ec37b3f82a4d915addd42092f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	3e242ec37b3f82a4d915addd42092f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2540	948	3e242ec37b3f82a4d915addd42092f40N.exe	31
PID 948 wrote to memory of 2540	948	3e242ec37b3f82a4d915addd42092f40N.exe	31
PID 948 wrote to memory of 2540	948	3e242ec37b3f82a4d915addd42092f40N.exe	31
PID 948 wrote to memory of 2540	948	3e242ec37b3f82a4d915addd42092f40N.exe	31
PID 2540 wrote to memory of 2376	2540	Bgcbhd32.exe	32
PID 2540 wrote to memory of 2376	2540	Bgcbhd32.exe	32
PID 2540 wrote to memory of 2376	2540	Bgcbhd32.exe	32
PID 2540 wrote to memory of 2376	2540	Bgcbhd32.exe	32
PID 2376 wrote to memory of 2832	2376	Bmbgfkje.exe	33
PID 2376 wrote to memory of 2832	2376	Bmbgfkje.exe	33
PID 2376 wrote to memory of 2832	2376	Bmbgfkje.exe	33
PID 2376 wrote to memory of 2832	2376	Bmbgfkje.exe	33
PID 2832 wrote to memory of 2600	2832	Cmedlk32.exe	34
PID 2832 wrote to memory of 2600	2832	Cmedlk32.exe	34
PID 2832 wrote to memory of 2600	2832	Cmedlk32.exe	34
PID 2832 wrote to memory of 2600	2832	Cmedlk32.exe	34
PID 2600 wrote to memory of 2632	2600	Cnfqccna.exe	35
PID 2600 wrote to memory of 2632	2600	Cnfqccna.exe	35
PID 2600 wrote to memory of 2632	2600	Cnfqccna.exe	35
PID 2600 wrote to memory of 2632	2600	Cnfqccna.exe	35
PID 2632 wrote to memory of 2672	2632	Cgaaah32.exe	36
PID 2632 wrote to memory of 2672	2632	Cgaaah32.exe	36
PID 2632 wrote to memory of 2672	2632	Cgaaah32.exe	36
PID 2632 wrote to memory of 2672	2632	Cgaaah32.exe	36
PID 2672 wrote to memory of 2572	2672	Cbffoabe.exe	37
PID 2672 wrote to memory of 2572	2672	Cbffoabe.exe	37
PID 2672 wrote to memory of 2572	2672	Cbffoabe.exe	37
PID 2672 wrote to memory of 2572	2672	Cbffoabe.exe	37
PID 2572 wrote to memory of 2808	2572	Calcpm32.exe	38
PID 2572 wrote to memory of 2808	2572	Calcpm32.exe	38
PID 2572 wrote to memory of 2808	2572	Calcpm32.exe	38
PID 2572 wrote to memory of 2808	2572	Calcpm32.exe	38
PID 2808 wrote to memory of 2352	2808	Dpapaj32.exe	39
PID 2808 wrote to memory of 2352	2808	Dpapaj32.exe	39
PID 2808 wrote to memory of 2352	2808	Dpapaj32.exe	39
PID 2808 wrote to memory of 2352	2808	Dpapaj32.exe	39

C:\Users\Admin\AppData\Local\Temp\3e242ec37b3f82a4d915addd42092f40N.exe
"C:\Users\Admin\AppData\Local\Temp\3e242ec37b3f82a4d915addd42092f40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\Bgcbhd32.exe
  C:\Windows\system32\Bgcbhd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\Bmbgfkje.exe
    C:\Windows\system32\Bmbgfkje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\Cmedlk32.exe
      C:\Windows\system32\Cmedlk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 144
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
3b5d3cde9ae35da23c44b9349d4c9852

SHA1
35cbf1880a8c39813330b83418af6a394058b123

SHA256
fddf068cccfab8fd505598b2837e52b8e5bf5cb7e9d56aa4b717c2f4e194741f

SHA512
e0c80cd24c6d9615aadcb2756075bb33289f34e45c62b9bcfa9d136b9337676c5077fd3df8046538464085f6a09c3141cb8986a88dbaa51e62937ac36a82d70c

Download Submit
C:\Windows\SysWOW64\Kaqnpc32.dll

Filesize
7KB

MD5
4f972a7592e0c7dd63ca0739bc6a9230

SHA1
0d6a69edbfe329e44ed2b1f95f0e3eba62fd27ad

SHA256
972b38488b74ebf82e887b8f9ea290a74defd26f67be7b681abd2694c46fea9b

SHA512
45b73becca4b6161a20066aaddfde0c88deb277b4afc9a9c2f8abeaca96acbc12b2537458da69c3a58e541b54af88ac7c10b96bb9bf4db8763177026d69f989e

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
08f0be69f608a348a977cabb5d82e8d5

SHA1
f321e89fb4edabd99c29838ed210612a93c0d503

SHA256
a801035444aa6928ff68dd0e25bc8d3f3f4651cccb2e33c98a0cb0a5e2997d44

SHA512
f5e87642e2e6a0b9ccd8ab18e61caed7d5e12ed469eea1184d4e6b271f774fc05000fbc149df7040743e2af72c4db2535a5fbe6a684bee2068521b5979dee00b

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
d2530f3c5a09231af7227ef31e8f49da

SHA1
8a8e666d7b4474b8ef7e82c77224c0e8c36eff8b

SHA256
dcf9e93d46a6443be1ebbeeb4f90f55cc9112614dfc7317dcb77ffe455624dbb

SHA512
57166cd6102f8cb42c117e30ec82d5a9900b50182611ba1a65711d2bb80e2625b3466530163c79fc48e8633b93b9e52801f8bfafc567e35da890835fd8922f74

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
3476f2508f9efb352ced78c2922cb6b0

SHA1
b97328e641b70394b15d22b862017d7a3aabf342

SHA256
28c7d528005349e4f3440a4e438e9ce4d554d5010a1c90977b07935a05dabbdd

SHA512
339dfc8f47cf77c64f1836d693c3922ec42bc1afc79213694517a24da355c142ec238a0b9a71fbbfc543e26777e95094710fe178bc6d453046d2965e6c6a459b

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
47fc67f67a39ecae788f4d853c35e4c3

SHA1
b78f5d9ee35f1f5d6b6954e6c9fd33a6c3a6f6ac

SHA256
c06fa5ec69cd6956338df36f54be697d104583897de891cf5b00edfb9e71c7a9

SHA512
b083d4d939f1ba44982b77607b067579d6d220e049a23b78b4ef5ed87e4069fc416bef1242bb72051cf4d6513b4bbd5d38aaa10f9a4c8e1bb618c2cf3806a34e

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
181b221f0eb46eea667d4e6575f681f9

SHA1
0b5031c012e37bf6ee5f142c8d1300b0d6890762

SHA256
c6ba0557ff82784d6f20b3bef38f223a1cbd679a95b67a585e9fe939e9bb8ffc

SHA512
038da43dccc5f85685ae0702e24ab7b39207abc85873e9b28497761823bbf213bc563c14b2b5b2464cd65904c7bc5388a8823cc0245012da0ff4978484d4e076

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
9c02921a47e4a8c9237cb52b40dfe46b

SHA1
d1681fe58587d77dcbd9b8dfc2f3aeb1bff5486a

SHA256
b72b5d2901eb9c0535134aa0a1bc81f81c21a1ad7c64cfdb5bc866155cb9f840

SHA512
9cf4e18a42801daf44dcff7311f463e7b31bb04e6150ca9ff5a1ba1ab152baf71f85a882d1d918354703d50a1b5139a2370de50397733b4acab2128b49cb5d06

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
b319e5d6157fc16f22e358943addbfb0

SHA1
bf1b544e588ed9ac5090c6f8d38a4cd6fbb57452

SHA256
131d79d5bf893b0d1d73c5bb3a740205618d2d19e0c5d6d926dc1e8fd78ccd58

SHA512
31d90e47e3db5479dbc63e251a7433d55b2ce0a766988cb8b800991ccbdb6a499edccc5b564589c264fd3c087b0300fc78d2a58a481036eb934a09602e89178f

Download Submit
memory/948-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/948-52-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/948-7-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/948-12-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2376-38-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2376-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-20-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2572-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-66-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2600-120-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2600-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-119-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2600-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-84-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2632-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-122-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2672-95-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2672-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-123-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2672-124-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2808-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads