597d06e44811afb2e030ccca2ae68e765ab69a08b27bc61d41f4caa7e60756c5

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/03/2025, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cafw.exe
Size

4.5MB
MD5

4b750345250adaba414dc22cfbc3dea1
SHA1

520684d27764c06c6ea377602e6dba6d1da4b169
SHA256

545aa38233d699754ba0bc447509e9aedf2eabde54d9abb5183387c468a51c78
SHA512

464a17bb41d2791e3ab4d4ef1a2f753ef42c8c0014bc8683db924675e585a975d560c7d4ae82c42c65269ef431b3564450bcda0ad3ef49b0f49d0b94d14890a5
SSDEEP

98304:zxfw+ea9Zb5qLPTycBSHtP+7JXxxOhV6TOG3kCGKxoZH+:Jw+ea9FgPTyJt27JBxOhVsl31GKmh+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1732	csc.exe
2224	cvtres.exe
2228	csc.exe
1692	cvtres.exe

Loads dropped DLL 4 IoCs

pid	Process
2496	cafw.exe
1732	csc.exe
2496	cafw.exe
2228	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cafw.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	cafw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	cafw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\SuppressScriptDebuggerDialog = "1"	cafw.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	cafw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "no"	cafw.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibprovider.dll,1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\Shell\open	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider.3\CLSID\ = "{769A1280-04BF-11D8-AE8B-00A0C907DB93}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ExtendedErrors	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ExtendedErrors\ = "Extended Error Service"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\VersionIndependentProgID\ = "LCPI.IBProvider"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\DefaultIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\Shell\open\command\ = "notepad.exe %1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1281-04BF-11D8-AE8B-00A0C907DB93}\ = "LCPI.IBProvider Error Lookup [v3]"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ = "LCPI.IBProvider.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ExtendedErrors\{769A1281-04BF-11D8-AE8B-00A0C907DB93}\ = "LCPI.IBProvider Error Lookup [v3]"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1281-04BF-11D8-AE8B-00A0C907DB93}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1282-04BF-11D8-AE8B-00A0C907DB93}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1282-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1282-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1284-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ibp	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibprovider.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1281-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1281-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibprovider.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\OLE DB Provider\ = "LCPI OLE DB Provider for InterBase [v3] [RC4]"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\Version\ = "3.0.0.8628"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\flush_log_period = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1282-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibprovider.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1284-04BF-11D8-AE8B-00A0C907DB93}\ = "LCPI.IBProvider Advanced Data Link Page [v3]"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ExtendedErrors\{769A1281-04BF-11D8-AE8B-00A0C907DB93}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\OLE DB Provider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\ProgID\ = "LCPI.IBProvider.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\CurVer\ = "LCPI.IBProvider.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1281-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1284-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1284-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibprovider.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider.3	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\ = "LCPI OLE DB Provider for InterBase [v3] [RC4]"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\CLSID\ = "{769A1280-04BF-11D8-AE8B-00A0C907DB93}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\Shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1282-04BF-11D8-AE8B-00A0C907DB93}\ = "LCPI.IBProvider Data Link Page [v3]"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1284-04BF-11D8-AE8B-00A0C907DB93}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ibp\ = "LCPI.IBProvider"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\OLEDB_Services = "4294967295"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{769A1280-04BF-11D8-AE8B-00A0C907DB93}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider.3\ = "LCPI OLE DB Provider for InterBase [v3] [RC4]"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LCPI.IBProvider\CurVer	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2496	cafw.exe
2496	cafw.exe
2496	cafw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: SeDebugPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe
Token: SeIncBasePriorityPrivilege	2496	cafw.exe
Token: 33	2496	cafw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	cafw.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2496	cafw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	cafw.exe
2496	cafw.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 2044	2496	cafw.exe	33
PID 2496 wrote to memory of 1732	2496	cafw.exe	35
PID 2496 wrote to memory of 1732	2496	cafw.exe	35
PID 2496 wrote to memory of 1732	2496	cafw.exe	35
PID 2496 wrote to memory of 1732	2496	cafw.exe	35
PID 1732 wrote to memory of 2224	1732	csc.exe	37
PID 1732 wrote to memory of 2224	1732	csc.exe	37
PID 1732 wrote to memory of 2224	1732	csc.exe	37
PID 1732 wrote to memory of 2224	1732	csc.exe	37
PID 2496 wrote to memory of 2228	2496	cafw.exe	38
PID 2496 wrote to memory of 2228	2496	cafw.exe	38
PID 2496 wrote to memory of 2228	2496	cafw.exe	38
PID 2496 wrote to memory of 2228	2496	cafw.exe	38
PID 2228 wrote to memory of 1692	2228	csc.exe	40
PID 2228 wrote to memory of 1692	2228	csc.exe	40
PID 2228 wrote to memory of 1692	2228	csc.exe	40
PID 2228 wrote to memory of 1692	2228	csc.exe	40

C:\Users\Admin\AppData\Local\Temp\cafw.exe
"C:\Users\Admin\AppData\Local\Temp\cafw.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\\ibprovider.dll" /s
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2044
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2a0qrfe.cmdline"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEFE.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2224
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tr3rj_os.cmdline"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1150.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC114F.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1150.tmp

Filesize
1KB

MD5
1139afe1ffae877ad427648138128b07

SHA1
60e452fe5fdc9e37859d912dc9b9b95d410426ee

SHA256
b2d0b758db58a639c94264ec1a69539e3a0d8cf02cc989739212f9bdb26e084e

SHA512
98a1bb59df7c5a3eee23965da07467aaabb38d0e3091957fdcf573833d4be1dfaeb6b473c51857d77288239ca36ed6ee6e23a8e076b0f182f965bc481c28849d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEFF.tmp

Filesize
1KB

MD5
caad2eca6294c58071a6be2cf8e42632

SHA1
306fa0d451a957c2806ab3575a195bc468994069

SHA256
2772f51048d263dfa718fda40d14197078e5c550696da8d5ad477900380aed2d

SHA512
aa8c5e4cb294b02b685dad0d14a7d16307c1231488b1731af2e736b31753d492e9220b783f5153f62054cf75f818e7871c062f93d396375d6a2d91bd94352554

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr3rj_os.dll

Filesize
92KB

MD5
0dc1ad543aab46a201f07cfe2b22decd

SHA1
a0082c44c60023893d25844e92fd934715e0940d

SHA256
7dc1cb5203f02011ee853f6098e0685dd8fdffdd738035febfd6937a33be7c41

SHA512
0abc38ebd4f442170ebcf32c14d6d7390f81e9cdd80cd28284a6fb1a38b8f60c3e5a374e904a55a7bb485e1ea2d13b00e2aa900add0d0d95efbb2cf350a48585

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr3rj_os.out

Filesize
674B

MD5
53f6315d9abf166ca68cdd17fd83d219

SHA1
effa593ab79c66348b58b24625685835c6da7a29

SHA256
181949f25294093cb38edcf63d9e76c22e6232f61ed4ade4f43a2663686d2987

SHA512
55a5e6c30e926461d52a124f4f8d2b478a29ee4e67bfce722c79b1aef122b5c1895dacd0eec3847a71b60639fb3810c1b219a0afe67586e855ea827f62e8bb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2a0qrfe.dll

Filesize
32KB

MD5
8b10df5e0f4b697d25a70424b5273482

SHA1
790c6a081bc0d0ae5bcab34e06adcee87563575d

SHA256
21cd2efc6b4f91fa873d9d775821112d5e0b3f77d2eb17dc41a7ccbe027e844f

SHA512
c4586d19becd00f20b33bba0617031c8330f4e8fc854f42a1cc7a31f44be07800458dfb15df73e3a999bcb3a5ff20309f40a233532ca1f8761ce729a5421ee68

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2a0qrfe.out

Filesize
674B

MD5
f2b92bb2e531b64d9dda8ec12ff54630

SHA1
c8cac23b0188d874663f9e3636a5042ec54fa64f

SHA256
63480724ada616f33074c91565044898feaac1ef5d8a521d2b6b986e04eddba3

SHA512
3040fedb5bf06be059ae5078bf4fc2203306857b84e9e417a3639eba67c0eb9e0d32d2bebffaa40f34ab9812e82ab3d450f2e415e5021058d793ec437064786f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC114F.tmp

Filesize
652B

MD5
6ffcb8e76cb27f04a8fe097b57209129

SHA1
6945045aea55b997f05e5172cfb5652a54e02e81

SHA256
a16a15a7272d762e9e29bb949b02d133e5fe721ff3e84e871ba2da472c13ff69

SHA512
f7cefc653c270decce5c04402e668d6dddbede91974bf118a8171a3a4a8004a323fa9a998e4ee7396b1be900c3f2313fd430d987aa54a2da8d70cf98e5857ff2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEFE.tmp

Filesize
652B

MD5
96d4f15392386fcaec57055ce508654f

SHA1
2abb7a31a5dc1e5db89504ebad6d33a93b987a76

SHA256
b3a0b0e17f17c916a0d4934da536c239f015d1b2aad86334e46c20062725a5a7

SHA512
894b8db5d524d3db3ac13a632ce35bfead4cfd008410937b5b814598b549c25e15d2802d0501b85020cd8aa24bcf890e54184922d7b336dd96c6706189c0e611

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr3rj_os.0.cs

Filesize
205KB

MD5
6280e8b96d2529deceb6bbf6b16e7dcd

SHA1
9d90879c689ec7b365976ac953ab8ca97f88ea5d

SHA256
c7c2daaba570effc6f96da91b8238a1187dd9a5a31a6457554e8b032dd1fb0be

SHA512
3f7e88612e2d0db1aab3c248f65eb9b3111e260c73f519224ffc46509de8f885ce8c9ab03443f9234947f3d1ed5a3c80a8739f7f059df92723e3326b0c50fa87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr3rj_os.cmdline

Filesize
577B

MD5
257f297c5531858623c56a12cc2faeb3

SHA1
93b6507c921c96bc4e59dddc4e9a7ed81fca3a6f

SHA256
fed69755999969c21344d923bc870a31f278d871f982f181ad25ea6e8eaa8831

SHA512
504777af26a3a05b6c20be1ccef448047ae761cc0ee8dad49a30d9f00674e293a2b7e3aaaf9dbfe31f75a2fe3a957953dc78618cd17ea205e8fc3dac8ed1bd07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2a0qrfe.0.cs

Filesize
39KB

MD5
31362c7c5f53e393092b0d4ace854ba8

SHA1
907a839cc0d64f8b95513f54aa9028feec69eaac

SHA256
7108588d6a32f9cf5dc33012f8b599afd8fc51d997e03b6474ea28c895036237

SHA512
3df4175015c565cf662bcfd71d07e66c1f946b870d7f735f8baa8e08f7fc8c34e544492543fdf1db3f93e2a4d24310bbc7d89f57778a559b3448a71dcc7ce159

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2a0qrfe.cmdline

Filesize
577B

MD5
d9f859a4abebd5dfa474b7f466f34435

SHA1
f0a3f66bcf6d0dd8ab7fd87135b87a701835562f

SHA256
71d041d68910d520d0ebefebb7a418f8434f1c774c898517b2eb7c3b7c1d88f7

SHA512
a3f7f3c22eea5a559d5ac22ddb5e408d8fdd8b6d783412689c7d542f3769961cd2940ac667edc399d6d0d732c3fda038d49ae0200597457b5f315f65d59a4976

Download Submit
\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe

Filesize
17KB

MD5
f21d8a9d6a5f4d9bb0c03932597eb4cf

SHA1
b590e61551d7c6620c2b1ef2abd0b199d86d44da

SHA256
bd2deb0f4e70edf56cf985629f67e4e023b8b943e3efdffbe8bc0a0eda76b9d6

SHA512
4cb847d5121316182207c93cd3ca1484de9bb8106b64c1bd206b84e5958a7e06249642b30a664414cbfa83e56da96cc44119bd420225942be4a1ef32369a866d

Download Submit
\Users\Admin\AppData\Local\Temp\Xenocode\Sandbox\CLADGenius\1.0.0.0\Native\STUBEXE\8.0.1135\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Filesize
17KB

MD5
e5ecef9ccb082cbfd888517b2368ac4d

SHA1
c2d0fcefd91eb34e0c92e505f2e8df673d9e41b7

SHA256
7906e13b4812bad64c8e296b61a0afccb2bb660e0cd12b1b25ea2faf14ae9fda

SHA512
0702ab9570db41857bce8902b2b63120d1c0ae8958960c7db45f79c391c13dae705018da6384451a37e70849104b219c03b3fcfe4fb4243c697c0f7b90461a25

Download Submit
memory/2496-29-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2496-45-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-15-0x0000000005320000-0x0000000005A50000-memory.dmp

Filesize
7.2MB

Download
memory/2496-16-0x0000000005320000-0x0000000005A50000-memory.dmp

Filesize
7.2MB

Download
memory/2496-17-0x0000000005320000-0x0000000005A50000-memory.dmp

Filesize
7.2MB

Download
memory/2496-14-0x0000000005320000-0x0000000005A50000-memory.dmp

Filesize
7.2MB

Download
memory/2496-22-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-23-0x0000000006180000-0x00000000068B0000-memory.dmp

Filesize
7.2MB

Download
memory/2496-27-0x0000000006180000-0x00000000068B0000-memory.dmp

Filesize
7.2MB

Download
memory/2496-28-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-31-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2496-30-0x0000000002310000-0x0000000002336000-memory.dmp

Filesize
152KB

Download
memory/2496-9-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-35-0x0000000002370000-0x0000000002396000-memory.dmp

Filesize
152KB

Download
memory/2496-39-0x0000000002370000-0x0000000002396000-memory.dmp

Filesize
152KB

Download
memory/2496-40-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-41-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-42-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-48-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-47-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-46-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-12-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-53-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-57-0x0000000004BF0000-0x0000000004C1A000-memory.dmp

Filesize
168KB

Download
memory/2496-58-0x0000000004C50000-0x0000000004C70000-memory.dmp

Filesize
128KB

Download
memory/2496-64-0x0000000004C50000-0x0000000004C70000-memory.dmp

Filesize
128KB

Download
memory/2496-60-0x0000000004C50000-0x0000000004C70000-memory.dmp

Filesize
128KB

Download
memory/2496-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2496-6-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2496-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2496-8-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2496-7-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2496-1-0x0000000077680000-0x0000000077681000-memory.dmp

Filesize
4KB

Download
memory/2496-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-3-0x0000000077680000-0x0000000077681000-memory.dmp

Filesize
4KB

Download
memory/2496-0-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-59-0x0000000004C50000-0x0000000004C70000-memory.dmp

Filesize
128KB

Download
memory/2496-68-0x0000000004C50000-0x0000000004C70000-memory.dmp

Filesize
128KB

Download
memory/2496-69-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/2496-127-0x00000000002E0000-0x0000000000352000-memory.dmp

Filesize
456KB

Download
memory/2496-172-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download