cmdl32.exe

  • File Path: C:\windows\SysWOW64\cmdl32.exe
  • Description: Microsoft Connection Manager Auto-Download

Hashes

Type Hash
MD5 421B1E635E43A97F98FE7E1A8B612CAA
SHA1 6512B4F70AB991F696464CDA09DD157B7FF00D9F
SHA256 9631159F2AAF4832D4E4DF11054948C4A1439946E21C1680FF8B108274E59C6E
SHA384 6BB5D475AF07E8E1A56088CB91670A8C8AC4A8B65ED5E5A77E618F9F4B32CD598FA33056C118F0846CF1D33A7AEAF125
SHA512 867920EC7B836F8BA0C12C736FC55B633F876F5A3F04E60495B4E80D17B3430D8570E201EB372B2AD55859FECEBF2BDA4B729965DE047B02148761307B8AE184
SSDEEP 768:XTvH3EiucKtfMd18HpenahEt7tIguJhtxgi7JfY/r5JQn9M0SULD6nYe9q6qMTcm:XTf3EJcKtIeHIaitiguNxJ7JfY1JQn9O

Signature

  • Status: The file C:\windows\SysWOW64\cmdl32.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: CMDL32.EXE.MUI
  • Product Name: Microsoft(R) Connection Manager
  • Company Name: Microsoft Corporation
  • File Version: 7.02.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 7.02.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\SysWOW64\cmdl32.exe 33

Possible Misuse

The following table contains possible examples of cmdl32.exe being misused. While cmdl32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_cmdl32_lolbas.yml title: Suspicious Cmdl32 Execution DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml description: lolbas Cmdl32 is use to download a payload to evade antivirus DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml cmdl32: DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - Image\|endswith: '\cmdl32.exe' DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - OriginalFileName: CMDL32.EXE DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml condition: cmdl32 and options DRL 1.0
LOLBAS Cmdl32.yml Name: cmdl32.exe  
LOLBAS Cmdl32.yml - Command: cmdl32 /vpn /lan %cd%\config  
LOLBAS Cmdl32.yml - Path: C:\Windows\System32\cmdl32.exe  
LOLBAS Cmdl32.yml - Path: C:\Windows\SysWOW64\cmdl32.exe  
atomic-red-team T1105.md Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.