Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 12:05
General
-
Target
3aa2466f6625f6c49980450d935fa2efc80d0ba6e7b34b8f26531799a92b6213N.exe
-
Size
285KB
-
MD5
137986393e886ea9c50f8da4e33ce6f0
-
SHA1
953b126fc68ea78d15fba7d8e1ecda98198188d5
-
SHA256
3aa2466f6625f6c49980450d935fa2efc80d0ba6e7b34b8f26531799a92b6213
-
SHA512
2e04716580f11d2e5aab33f588fd027fbf53ca8ea3efe2a74340fb85509f3c525cc2a0b10241946871ee4aacfb3d0b94a4aefe3001d94783796898d38fa178eb
-
SSDEEP
3072:4zO1QWi3Xys7ePUqbeEKVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:4rx3Xys7e6EKQIoi7tWa
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aa2466f6625f6c49980450d935fa2efc80d0ba6e7b34b8f26531799a92b6213N.exe"C:\Users\Admin\AppData\Local\Temp\3aa2466f6625f6c49980450d935fa2efc80d0ba6e7b34b8f26531799a92b6213N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe33⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe49⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe70⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe77⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe80⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe82⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe86⤵
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe87⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe90⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe91⤵
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe95⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe98⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe101⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe102⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 416103⤵
- Program crash
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5556 -ip 55561⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
285KB
MD5ec560495436cf6e309b466ec8ac846fa
SHA16e127c6d644106a2bd80f9bd8873c3c8fa23f2f4
SHA2564b4e4a45aef45c5e32e34b4a389602df58be345c58a085760a2d1e51674c6270
SHA512b98b0d15d874812f698300f79b632f6a9c91921208ea42c1341d079b9523bedd86f1cc4540fdf711bc48ac2363c5172fa90ddcd24b2e56700dd171f5319e54d3
-
Filesize
285KB
MD5a0ff6597e0a43655818433252890f59e
SHA1f67708be232b0a49122697642f626b91fa7bff22
SHA25657cb3dc8abaea79b8e5a3fa44a4a8244a6f838a19390c828526acb287affcae3
SHA51283e3bcda21915086602ddf0f29c17a6cc5b2d701f646261fe131a83194be02c5457ce67b9ac240b37af213fcdc4735bd51ab370c44b5e6898897fbb8ded5993b
-
Filesize
285KB
MD5b34159759faeccb2a6e854abf02b4e5b
SHA108b243e4d8e34e68ba4d2a833238bbfb3d9844ef
SHA256a8062f1ff2b2dc2954b75ff1c0377f52413df544788df2a8318277b3eb418852
SHA51201c0681306931e5bff0d003bbca6aac6baee54814a51db143d2b35954c790f1d4ebffeeaf9533a7ca2bd371c63df9d98c0d3f47048ceb948fc8f9b63b8b0dea9
-
Filesize
285KB
MD50a8643367b126b12c04fdc026f1b6b64
SHA1e40485ef2a3f530e57e1c1175420c090d043e443
SHA2564f31b4e311fe2987cb1f038ffab2627975750d8896cad4c62bac4257d1aa0c93
SHA5125e602e59c741464a8403aba0b9901a97a58794f77443f6fe23b82aa7b6a01ef78fee358b31516b4eac6f7758cb7def53f5d47ec69595e87c274b10bdeff56935
-
Filesize
285KB
MD5345550ee09ba91025374693d1fb22b8e
SHA1a9d2c0a9f48d9983e5256dae58fb0834501b2918
SHA256b5526faa945ec17962a16c8bc9e76ebf2b27c4c63ae8bbd6334b30481ff7cace
SHA512c163ac1a3a78f9bec5043371298f0333438628b5927dd3182c77dd2518c19118540b56df381f5e1807888ce24bc26a23750ee7b765f2761f8537ea06374c25a0
-
Filesize
285KB
MD5531acf0c6294697a72110242b588a9b2
SHA183321c1b7c11ed87df4a0aad4ee7c98a3aa4eb8c
SHA256fc7c5b007ce6a3e5c22fc88e651b9176273160c5af60bcec9f636682b7e10660
SHA512b128e62879d5242196b62cc57e1508297934e34aad1b28ddea01691063f108b7c28e9f5b32c5a4d6bc78b0e53526b803cc7c1856cc96e6ddcadcb5777607901c
-
Filesize
285KB
MD55e28e97a8b085605612a82893660bf28
SHA12a876d9e16cd9dc80724feb1b92142e5df1729ba
SHA2565601316c9696281b1e87f63d14e37fe6faa1ecba3744378595a6f0d4293135ff
SHA5126e6b07caf9e591264f1f462d2898f0e36bf8255c8fe02abc66bea791ab327204e23a37c8d30a715b93c914829157588762ebde7dc6965be1a241f6f5a4513fda
-
Filesize
285KB
MD5c5ee856db568cbdca7b604a69617ef0c
SHA197d31556efae87a80d8009745fef672c57d3b1d6
SHA256afcfe8ed9cd50a3713591581570c2784fe223188bbf179174d9ef8d5c589752e
SHA512a229da98b2e92511deb5a72ccd8ee8b1be5478c7b81c90785de5b0a79ab159d3ca7b3e7ff55840148455894fa4fde5b42fa33de85d88c4e95caf1e7c9e4f15a3
-
Filesize
285KB
MD564ec2cde922cbc0b2e09a541bd330c80
SHA18d19cc1ac6bc08097882ba84e0655e2690014a38
SHA256d9497d1ddc7dc4a5ff661620e4bca6dc884823e2f90acb9d2d20dea1cdf183e9
SHA512fbb8e433052a312743eb5724ee0834908c0c014fedae8a4c2a479caa1be996dc23bade40f31826b2c5ba65d2e94dba57bec87ac62761349ed849ea2da9bfa446
-
Filesize
285KB
MD514e34aed8d1264ab4f17d92991f7ab48
SHA1ac35a79fa8d5a58bb36df05d4b45dfec9a6d4b4f
SHA256b37753821160f1a88e8ac9048e2a0eb00de04e484bb392cb22356ff8a6e217b8
SHA512babacfc017008d103aaa435cc8341967cb95ba12e55c73169a9d3d1c401e1f4f77bc4de662876569988df5d738ce75276e3a03a2ef767a810c5d519d98e20225
-
Filesize
285KB
MD546fb4002031d4424d28deb6259037f3b
SHA1a05caf94f228366b84788f8f00b71399f20aea40
SHA256bc02be758b52fd262740e7defb6fdae9cc4e45b2cef574c7714aef60db03ff74
SHA512b25a07c7ee3cf614b6f660d6ff138e6e865ee4f4fb632c67a8beff3692a46eb1c04cb758b82b9cffd25370e8e9a0de3cb48901b5b4af0d34a4e92eaae1fc41a7
-
Filesize
285KB
MD59c43671f080204891a21d18875b84e00
SHA13043e77b3334ae21b4031e8443ffa28917e17674
SHA256e9a2cde5190eafd079974c93e69caa7750a53e0bd0305c725eac9f60c3f2a014
SHA512b50dcc136629d7614a299547388cec0c5be58cd09b73c2d723e88dc0c234bd1243b35644c4a4fa97f039d5ed7de5c8d26a1baaabf772c056511534d5f6f62eea
-
Filesize
285KB
MD541d6e3dd5e55d6e363cee53dabf0df7e
SHA104918424fbbd3ea720fb9ea8167124e4ae3c270a
SHA256c6558e7e1c7699e5920ce06263991ac9436b496ceb37dc73b770bf393d41db9e
SHA512d0cc4ac1c0acee3903cd56732e0b36c2ac54193456035f86604ddfd49381afe93760e7947a0debe4fb51e29019bb98a89ec926dc42ae37b0c387f54e1249bc82
-
Filesize
285KB
MD5be9297fb8d3cc5d1698ac1e3c8ad1968
SHA13f2b35184961ca45f27d1ee63a500c9099acdb16
SHA25630f582c10e05e66537fa89f0e00dd35e4df96114832fa87511aab544e874b145
SHA512d15df0cc04a170fcc5a3f019b45d83dcd911620f107e44136ec938bef8cfdb4ba9c3737be67fb9ccc583782823b149e0f740240c12a13e55034600eb863527ac
-
Filesize
285KB
MD5a2bba881389891c8f57c70b2a56b6ef5
SHA12c6391aa675a8a1711051a2d85cd7cac7dc81343
SHA25627478f7869cfb5832929419d44ec9659a9ceeb4a8f16604e928f33b9a7119b04
SHA512b4fba14a698310fd9e3635f02e01d0b3d1e8e77c6a6a8e20902c24c2afebeb8a64d71d588a5f897fc85baf76d05f9f59993d809b6757a7d7235f7d03c188e4ad
-
Filesize
285KB
MD55afadc40b5034fdfffcdf97e95e5b0d6
SHA141a36d273292db2661af32b638c24cadff3cd3a9
SHA256a4ecdcfa52a9ee148014bad9bb238cb158a01f938ebd84edf8b0cc22b7a9c344
SHA512b6bcb5255bde811bcd679998f6955a0b7de2aa633201a4fd27273b95e6c2c5f67695349731c6a5f5f53b7db741f6cdc63078f145c7191a90a6a3a01565cd3bc1
-
Filesize
285KB
MD53fc6408ca7c6d0e570b576a8743112f8
SHA18456cac19c68cadbcdaa6ac68d56a24834450204
SHA2566005aefcf9c83b267c9e6fa51f285c1ed6662167a52af3fac34369a8750e458e
SHA512ed19eec1457cb1d58f67ca8e60f258a86d93b78165a627ef3ebe0739501eee3ad1795e3a864f8a07cf0309775de3409a23858a392d42434874dec7976226ee45
-
Filesize
285KB
MD5e4d947131f635a80ba6d4be45daee912
SHA1130001a2727f10021a961def6d6eeac8d1bc0522
SHA2567d0fb2a2d2de30d08957510f3448b6aed27d4b7e94d20cace4b8e61f0acda159
SHA51203b5fb6411ea8f87a6d3ce1cdfbcc83ebfaf332d111ec268c0b112ddef58d9f5e435aa7ba460a14884e18641e951f5030254252c7b07cc101c621afe20d5e1fe
-
Filesize
285KB
MD554f8773ba8fd94025a7527bb706d9023
SHA133baa7aeb0cb16371fe296de652448ca9f935fc4
SHA256f4809e845ea27a3e739dbf2573b78dd7c0c950961ab760acfafded6e65ab7814
SHA5126cb1988ff68deb97d151c50cdd3130d03ba0b25648280f2bc3a59c10e81f99bdf3cbbbf0ed3356470cbdd1cb865fa7ba9da07458706e228db78fe934a966b065
-
Filesize
285KB
MD5836d5a12d195562168c01faa169fdf0b
SHA1d8273edb5d7c13d94cd539c161aec989ce8608a5
SHA256690449b8f236021426587b28e45425752b7761df417f5fb6857a97b605e6d33f
SHA512aae7a1b368ab477482aea31b39a0492d79a12067b0fb0681bad105fd55a48740a5636182e0ff777789435475b372b8970033a8136d6643c3d334ee0e9a6de46d
-
Filesize
285KB
MD57b6445bbb85f1a008c11256226be7d24
SHA1d110e4305fece795dcd2485a8bc851a0ddbe1bfc
SHA256d239c69f86e494c0242f85dd923722929b912d7b93d61f8c174dd1973b81263b
SHA512db713ddc98136b95fdc6762f6ec0b24e41263ffad7bdd9e603338610f7d179fbe0113d52a5c308128529ec684e584b2797dc5ce9cc2f0c003bef5444485559a8
-
Filesize
285KB
MD5f59d7324a8c89689deabc1a791a0252c
SHA1edc4ba99c4d61cd3cc65ac70124b3049a0a26324
SHA256559cf9de94a7b0308904970f9c18c13fc20c3705de9a35c9fde45774e8d72ad2
SHA512da07beb80de8a0bb7d9ce7672880f63d6ae553786d47cc795009c2a625dea92bffb9fb68dd125f2f1a5c8ace88747e0118885b7510c20f813cdf2809b8a380c4
-
Filesize
285KB
MD5ecc797e781f3a687e4307173df3ef411
SHA14e24ea2a525c2409888e08ec6ce8c37ff9e3696c
SHA256844aa2dad6356e609271e464f68715f55f92125456589bb3e9ee6948e49e00e5
SHA512f8d4b731fa0cf2f7a92bf94ee5f8df42b1bb174a0f73aacb7632b66d1be838babfc68fb31c413a096afe3bec381249e5b28251c861a43c4b3d242011684d101c
-
Filesize
285KB
MD52365539ea9ac83fa84e87354ad4f6ee6
SHA1f8094046a508fc7735e1749892c8ca693028bae8
SHA25688ddb826f5a3c61cdd18e14fc1bd840134fe8b4ea4b4c0024453c3c1450f4aa3
SHA51249161a9218589b2ff73300890a7fa2df8aaeeccbdf376985078d3b94b0382aab4d55e61a23c3638f88c9bd6ed11466052229fed70d7b2a2d91aaa4b7767965a9
-
Filesize
285KB
MD55843069aa24b8d0381a3116301a05096
SHA16199c31dabc293adbdb08b09efe9ba0db7fb642f
SHA25692d0b0fdb6923b65b0959f7dfbd4fbe954b8d01c027df84f427915c93615bd9f
SHA512f4b75072a33c7efc856419593afbaf93240c89753ce6858d8adc60ea028836769ca0a155b165652a2a563cfbaea29c1e5ba349a678fa7d3666294570043dca36
-
Filesize
7KB
MD5b026c84460f1f34b4839b48a60e9d7a7
SHA1bdb4cf7b7409a9d7119d0162008d4cd3ca5e3e46
SHA256e2cc796c2b083ff1245790340c6ae68ffc535d6611a6e4294613cb36c4d230bd
SHA5129d7b5469f9b7423420f7edc83268bfbeae8312a0044c56d60cfd20e7018ee49eaf68b39e7631c57acab9b59209968de9ecadd52697c2ee5d0a0145cabc208eb3
-
Filesize
285KB
MD521bb4abe5e7b8853e81b2ca70b9e0b73
SHA1ef34c12f639d21c00617de590a1c746b7d18b833
SHA25668537bc21cadd5cb15f4bef632d968c4701056f4cf2468d7abd8e277b0f3de0d
SHA5120239df86bff0cbcb329ebf1b542a573c758a5f40938ee4c685378ba6282827bb289a6ba9a95834d92d8f1e71ee7b384aeac69fc51a3ccfc0249079985ab20878
-
Filesize
285KB
MD595a1b4b58638b78cd3b032dbcc474b0b
SHA150b31e9171ebd45e4d1b5bcb3b7de2219ee99fac
SHA256317e6ac3eded57485d824980ab895e6a85231d689e855f48a5ae78bef6feeada
SHA5129e2d5de1fc7ac791ed7a5062edd6e33c40ec38f65d662724efa04f8c23e47412cb1bdd89f9c5cd6792ab9cc819f24439effbc9031c2b6e56167eecd75930fb21
-
Filesize
285KB
MD5423e83d43a6690f5aec5ace6668b2966
SHA1bc0166d7c1d9ae1948a5ddd4fbb190aa67f27f8e
SHA256ad9994924186326ac43774798d28f30319a072670ec3416c4624ca26d4d49a2c
SHA512e4b8ccc8a477689164dde10b28a1b7a6ebfaeaa33a4dfbe10d2ffbdd6e47d0cb8c86ff4fa9c48b1b93db0fd4319bba53701ca75f3e7f7ae730990f7d99f1bf23
-
Filesize
285KB
MD52a3b264137d582a4ba59ab6b2e2fca72
SHA12c4881d886a8e48b2577a6f742fde2526edc3234
SHA2564d933979026d90d76d46ec442863d8f8085ff22422d81f5fc51cf975db7da4bd
SHA512d579f339f6a35fea3e4c50ed3fbd5c6a5b1e0c047beaebb631f4e06c0bb09eea3173ca3a2ca10e9443976b5027cfbcc8fcb3a7bceb8ef5e80205e768391456fd
-
Filesize
285KB
MD56e2c1135d7221f37ccfd04b80a85c61f
SHA186a8719019ba7822f58395b1ddecc14dd4eef765
SHA256fdd2000a0e287c782fa54acc55bafedc46db2c3a4e87ab6e28a50ed57eeb8ec4
SHA5127c2c71096f585db69713b29fe1f5ce75d20cd6c22133c6a1be3f4d87f25e81a093934500e1bded5e57c8a7ca94493aa3201560a004dd3a13e2dfc81908b3d983
-
Filesize
285KB
MD5bbadce77c2af7b969383cc7dddf41f5f
SHA1edcec5a7642d1c9a64690eab424261307561b31c
SHA2560a9231c4f7bc900c9740861c4f712a5ba6ab45d6e28c2b95851d0c99bfd830d9
SHA51252fff452ba986ca26dab08c6223c8b97e0750a0f594c2b308b868d19dfe0c504e1d4d60680971907e1746cb4111c7fb578cae201b1be7c2b98766cd37a820f5a
-
Filesize
285KB
MD514f30e7c2e5652c3a20cf03ab4b9f433
SHA169b3ae4c33b907f9dbdf71f977f890baf62597d3
SHA25600e8274e54e968235b436ad68020f88647a1e4d4a0e96a1a005975fa5ad2cb6e
SHA51254f7c319588ec33a1941f77cd014f01db1dfd5e9a668122a994b46c532f2643bb89a6e9565ec24277209900f75847ba5c4f5a61d7e6c0aa2f05d79854fe570d4
-
Filesize
285KB
MD5f535f0b20864baf5cda66d9d978bad51
SHA13a975929fd678eb158dc2ddb0c090b8e7b53ab25
SHA2564ae111c8c1a17b5e8e20fda11e897a6abd0bfb7bce69b8874506e07e75954e06
SHA5122d00009f68753595630ee3fc310a93ff58b3d00560b68a7434628459dce0c8e32934f4a85fca8d053b22902e84386e5caf335813629cce7bf92e29a6680c05e8
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB