a2c3c1d33c3f8c51ec305d359eac5094190b057f79a7276678a1f06947ba71de

Analysis

max time kernel
81s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Size

57KB
MD5

28a8fd0f09c37ecf19a3c30a29085fb0
SHA1

82eb1c010e8ff04c2eb04398782aebf3fdbd1775
SHA256

a2c3c1d33c3f8c51ec305d359eac5094190b057f79a7276678a1f06947ba71de
SHA512

f389f67fd105e6a57fed2b2626849ca86d55c6013d40bedca6afc1150d35c6c0b5d5a2e4ee1048ee9699f7a077eb9261adfd3842eca0a86e365db56b7c4141b8
SSDEEP

1536:BloaaaSbnL2DO/g7c7SXz22DEtEv/zT/yWc2:EbAYSj22DESXXdc2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe

Executes dropped EXE 8 IoCs

pid	Process
3016	Cbffoabe.exe
2328	Cchbgi32.exe
2692	Clojhf32.exe
2704	Cnmfdb32.exe
2668	Calcpm32.exe
2724	Cgfkmgnj.exe
2592	Djdgic32.exe
2488	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
3016	Cbffoabe.exe
3016	Cbffoabe.exe
2328	Cchbgi32.exe
2328	Cchbgi32.exe
2692	Clojhf32.exe
2692	Clojhf32.exe
2704	Cnmfdb32.exe
2704	Cnmfdb32.exe
2668	Calcpm32.exe
2668	Calcpm32.exe
2724	Cgfkmgnj.exe
2724	Cgfkmgnj.exe
2592	Djdgic32.exe
2592	Djdgic32.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1088	2488	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	28a8fd0f09c37ecf19a3c30a29085fb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3016	3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe	31
PID 3020 wrote to memory of 3016	3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe	31
PID 3020 wrote to memory of 3016	3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe	31
PID 3020 wrote to memory of 3016	3020	28a8fd0f09c37ecf19a3c30a29085fb0N.exe	31
PID 3016 wrote to memory of 2328	3016	Cbffoabe.exe	32
PID 3016 wrote to memory of 2328	3016	Cbffoabe.exe	32
PID 3016 wrote to memory of 2328	3016	Cbffoabe.exe	32
PID 3016 wrote to memory of 2328	3016	Cbffoabe.exe	32
PID 2328 wrote to memory of 2692	2328	Cchbgi32.exe	33
PID 2328 wrote to memory of 2692	2328	Cchbgi32.exe	33
PID 2328 wrote to memory of 2692	2328	Cchbgi32.exe	33
PID 2328 wrote to memory of 2692	2328	Cchbgi32.exe	33
PID 2692 wrote to memory of 2704	2692	Clojhf32.exe	34
PID 2692 wrote to memory of 2704	2692	Clojhf32.exe	34
PID 2692 wrote to memory of 2704	2692	Clojhf32.exe	34
PID 2692 wrote to memory of 2704	2692	Clojhf32.exe	34
PID 2704 wrote to memory of 2668	2704	Cnmfdb32.exe	35
PID 2704 wrote to memory of 2668	2704	Cnmfdb32.exe	35
PID 2704 wrote to memory of 2668	2704	Cnmfdb32.exe	35
PID 2704 wrote to memory of 2668	2704	Cnmfdb32.exe	35
PID 2668 wrote to memory of 2724	2668	Calcpm32.exe	36
PID 2668 wrote to memory of 2724	2668	Calcpm32.exe	36
PID 2668 wrote to memory of 2724	2668	Calcpm32.exe	36
PID 2668 wrote to memory of 2724	2668	Calcpm32.exe	36
PID 2724 wrote to memory of 2592	2724	Cgfkmgnj.exe	37
PID 2724 wrote to memory of 2592	2724	Cgfkmgnj.exe	37
PID 2724 wrote to memory of 2592	2724	Cgfkmgnj.exe	37
PID 2724 wrote to memory of 2592	2724	Cgfkmgnj.exe	37
PID 2592 wrote to memory of 2488	2592	Djdgic32.exe	38
PID 2592 wrote to memory of 2488	2592	Djdgic32.exe	38
PID 2592 wrote to memory of 2488	2592	Djdgic32.exe	38
PID 2592 wrote to memory of 2488	2592	Djdgic32.exe	38
PID 2488 wrote to memory of 1088	2488	Dpapaj32.exe	39
PID 2488 wrote to memory of 1088	2488	Dpapaj32.exe	39
PID 2488 wrote to memory of 1088	2488	Dpapaj32.exe	39
PID 2488 wrote to memory of 1088	2488	Dpapaj32.exe	39

C:\Users\Admin\AppData\Local\Temp\28a8fd0f09c37ecf19a3c30a29085fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\28a8fd0f09c37ecf19a3c30a29085fb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\Cbffoabe.exe
  C:\Windows\system32\Cbffoabe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\Cchbgi32.exe
    C:\Windows\system32\Cchbgi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Clojhf32.exe
      C:\Windows\system32\Clojhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 144
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
57KB

MD5
5b1acf3863b82e09284730e8e2db336c

SHA1
94fcad5dab29f5c29a6e0e36f0e67d496e65e483

SHA256
d527fda1a6bab7f6653049281d9840a448d07dd8181a7612eabc8ae6b9547e80

SHA512
c8320a978dc165849cbaffb09e8f947dfb04f22e77942f6e877e9de086cc2dc8d2a6674dd1cdf8b2192caf5c6bed940f79f10c1668e92e49caafd543805592cd

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
57KB

MD5
6591b85aed0aeab3a736c4ae9e93ea36

SHA1
4a7785b39cd4814446548b8a4ef828c5427eec3f

SHA256
dd969c13549d02b79dbb98e30459aa1cc40737aad68212938ae61113912a16fa

SHA512
5615bc6e8fd81bd90362b7aeb9ad37e136d497a8ebf72db4e89263eeb5732f8fc9ab1b8808ebe720ed8968b165574d1a552142124627e8f34e3d830808783f09

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
57KB

MD5
72382d2076a0c3275115a80b24093fd2

SHA1
e2e98dde698ce31a3152dfd0292f103f2932cfae

SHA256
9bbfcf970ecc3331e8858b77b9b2b827d504e3137cb3f2697db749a7313c0fa2

SHA512
061affaedfd4f7d8c0c3b07dbe7bc10dc25ada4a08724c5792cd7cf18b958161c93a70feb1fccc3c46c1d2a646f10d940f0ce397a37a4e31125e00281c7a21ed

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
57KB

MD5
c06948fcb3e67081ec742abb90326cba

SHA1
99edc657d158fa0bc6bfbd38bae03a06910a0f1b

SHA256
1a101f2ad541cc345a0f31c4583ffaac31f4847599a5d03a0ad19c70baa56703

SHA512
beb960c0e3397527b221edac63bd88b0af12be89698aca5e67276b534d36be37737e5ae73c41dc329eb5fc2c224c9b847656a04dae6833cd093ecbdc099f02a3

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
57KB

MD5
3da63215d8a14190274a1bed77467208

SHA1
bc09f06578d0b1c2c5c1a522b578476689f6e24f

SHA256
898ffab3eafd54cfc4d23c35b752a6160160e50d6663017233a299133c5ebd69

SHA512
611669bb8068a237f25d87ca76f0476c1b9105c88d524f36f19270e5edce386a25768133841f5c5cd770d2f423e76bde59d94596320ff3d20838e43127b8f997

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
57KB

MD5
c38a97f4e3ce2fa5d856a03d7efc2c7c

SHA1
749aa73156aeb446f6054024e6b6dfe9fc0ce5b2

SHA256
0ba658278759a76af21e17ec635218a79accd5498bc50f3c8241497eca09591f

SHA512
1679f90e1508e3c5a67bb2afc4ced3e60ef0b34b25e07a001dcec6194cb76f023df4e74a76bdba2687b57f43e8ea0029395da2a12c14e13018ecd259070aec94

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
57KB

MD5
5228c3fa3f0202827dc0661d5f17b305

SHA1
fec8ab5f43c411cd45b52e020aa252c9cf8bc5a1

SHA256
780fc943fe2a3586fb68951d27cc05b31f66d6c0e50b24cf175157f3e9cd1e1a

SHA512
8d83c1cf2a165efa6e7df79d11fedad4f2e5c33f47d43d20bf6d332a9e01ed54669e66ae5c3a16bcfb36a02dfb6674c7daf0f88f7c1951f86306176e1bb9e64d

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
57KB

MD5
5067f85eec8da53c4fa294cf3bd3b06b

SHA1
43a0a07a72e1ca0cc35851121de1d35bc3816205

SHA256
814c59a4270c473db5436d48a57d8f91cf17b81fabdad0fc500b91236e49c9db

SHA512
95bb48f88b99487b355a3ee2809ee9bbaf997563f2d523fe17aa3b3540121b7db4f71e6255abc66ee939f837c54eb5d493ff7a33f8427d0aaa19292d402ecdbe

Download Submit
memory/2328-35-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2328-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-54-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2692-48-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2704-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-62-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2724-92-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2724-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-13-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3020-12-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads