4afd744951189ece367b4fe1189197858c4dd0c3b29dc50b15ba7e53d0940ce4

Analysis

max time kernel
141s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Size

196KB
MD5

c4964fd222e9f59d6a44ee55f780e300
SHA1

5c38adbef06a7bf9473b5d2978cb662ae7c4e67c
SHA256

4afd744951189ece367b4fe1189197858c4dd0c3b29dc50b15ba7e53d0940ce4
SHA512

81a8edf51d6eba7c47ed457fbf256a065a78f2004b36f1ade79f8ee84a2453e86394a5175bccf7260047345d6eb8ebfb3a6ed2fd04b9825d3cc45dae3a6797b8
SSDEEP

6144:Fa+GsUpLjSBTsa81+jq4peBK02SjSM0zI6rH:o+G1sTs1+jheBwSv0E6rH

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnajocq.exe

Malware Backdoor - Berbew 19 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022e18-8.dat	family_berbew
behavioral2/files/0x0006000000022e18-7.dat	family_berbew
behavioral2/files/0x0006000000022e1a-15.dat	family_berbew
behavioral2/files/0x0006000000022e1a-16.dat	family_berbew
behavioral2/files/0x0006000000022e1c-23.dat	family_berbew
behavioral2/files/0x0006000000022e1c-24.dat	family_berbew
behavioral2/files/0x0006000000022e1f-31.dat	family_berbew
behavioral2/files/0x0006000000022e1f-33.dat	family_berbew
behavioral2/files/0x0006000000022e21-39.dat	family_berbew
behavioral2/files/0x0006000000022e21-41.dat	family_berbew
behavioral2/files/0x0006000000022e23-42.dat	family_berbew
behavioral2/files/0x0006000000022e23-47.dat	family_berbew
behavioral2/files/0x0006000000022e25-55.dat	family_berbew
behavioral2/files/0x0006000000022e23-49.dat	family_berbew
behavioral2/files/0x0006000000022e25-58.dat	family_berbew
behavioral2/files/0x0006000000022e27-66.dat	family_berbew
behavioral2/files/0x0006000000022e27-64.dat	family_berbew
behavioral2/files/0x0006000000022e29-72.dat	family_berbew
behavioral2/files/0x0006000000022e29-74.dat	family_berbew

Executes dropped EXE 9 IoCs

pid	Process
4196	Egnajocq.exe
5012	Edaaccbj.exe
4116	Ekljpm32.exe
1548	Ephbhd32.exe
1656	Kopcbo32.exe
2064	Llimgb32.exe
2776	Lahbei32.exe
2868	Lolcnman.exe
4380	Ldikgdpe.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Lahbei32.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Egnajocq.exe	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
File created	C:\Windows\SysWOW64\Kopcbo32.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Llfgke32.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Llimgb32.exe
File opened for modification	C:\Windows\SysWOW64\Kopcbo32.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Kopcbo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4504	4380	WerFault.exe	95

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egnajocq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egnajocq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllinoed.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Egnajocq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Lahbei32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4196	2856	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe	87
PID 2856 wrote to memory of 4196	2856	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe	87
PID 2856 wrote to memory of 4196	2856	NEAS.c4964fd222e9f59d6a44ee55f780e300.exe	87
PID 4196 wrote to memory of 5012	4196	Egnajocq.exe	88
PID 4196 wrote to memory of 5012	4196	Egnajocq.exe	88
PID 4196 wrote to memory of 5012	4196	Egnajocq.exe	88
PID 5012 wrote to memory of 4116	5012	Edaaccbj.exe	89
PID 5012 wrote to memory of 4116	5012	Edaaccbj.exe	89
PID 5012 wrote to memory of 4116	5012	Edaaccbj.exe	89
PID 4116 wrote to memory of 1548	4116	Ekljpm32.exe	90
PID 4116 wrote to memory of 1548	4116	Ekljpm32.exe	90
PID 4116 wrote to memory of 1548	4116	Ekljpm32.exe	90
PID 1548 wrote to memory of 1656	1548	Ephbhd32.exe	91
PID 1548 wrote to memory of 1656	1548	Ephbhd32.exe	91
PID 1548 wrote to memory of 1656	1548	Ephbhd32.exe	91
PID 1656 wrote to memory of 2064	1656	Kopcbo32.exe	93
PID 1656 wrote to memory of 2064	1656	Kopcbo32.exe	93
PID 1656 wrote to memory of 2064	1656	Kopcbo32.exe	93
PID 2064 wrote to memory of 2776	2064	Llimgb32.exe	94
PID 2064 wrote to memory of 2776	2064	Llimgb32.exe	94
PID 2064 wrote to memory of 2776	2064	Llimgb32.exe	94
PID 2776 wrote to memory of 2868	2776	Lahbei32.exe	96
PID 2776 wrote to memory of 2868	2776	Lahbei32.exe	96
PID 2776 wrote to memory of 2868	2776	Lahbei32.exe	96
PID 2868 wrote to memory of 4380	2868	Lolcnman.exe	95
PID 2868 wrote to memory of 4380	2868	Lolcnman.exe	95
PID 2868 wrote to memory of 4380	2868	Lolcnman.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.c4964fd222e9f59d6a44ee55f780e300.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c4964fd222e9f59d6a44ee55f780e300.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Egnajocq.exe
  C:\Windows\system32\Egnajocq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\Edaaccbj.exe
    C:\Windows\system32\Edaaccbj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\Ekljpm32.exe
      C:\Windows\system32\Ekljpm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868

C:\Windows\SysWOW64\Ldikgdpe.exe
C:\Windows\system32\Ldikgdpe.exe
1⤵
- Executes dropped EXE
PID:4380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 400
  2⤵
  - Program crash
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
196KB

MD5
5a07f335c59bb0c905f02d951b21d380

SHA1
b98caa5aa32168e790487af862af8f0b57cb7fa0

SHA256
d4780fc917dfc96f802282d1777e01185b133db324b6fcbc0ecf6f0d4b23286e

SHA512
f5c9fbe82bcec2508cb5e882146bba3cc3ed0cc6cbc77e5e20b1ce461aeb9381d800799baa52323dfe61e9b26fa97935a4e9496b8717e249ace99fdc6b001454

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
196KB

MD5
5a07f335c59bb0c905f02d951b21d380

SHA1
b98caa5aa32168e790487af862af8f0b57cb7fa0

SHA256
d4780fc917dfc96f802282d1777e01185b133db324b6fcbc0ecf6f0d4b23286e

SHA512
f5c9fbe82bcec2508cb5e882146bba3cc3ed0cc6cbc77e5e20b1ce461aeb9381d800799baa52323dfe61e9b26fa97935a4e9496b8717e249ace99fdc6b001454

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
196KB

MD5
77aa047e3dd5acdc196c8ac187b4cc61

SHA1
2f01c7f3e26a12f40f3e3201721da1b43218e764

SHA256
61b4888b33a75eaa9c4c49e541f9015dd2f2c728a842fce68b29d23f0e97eb96

SHA512
364301ba43216cb5ed266b7a0910dd9e5dbb89454ae213308e9a496327ce08748317549a1376c42791f925625398d6d74f2b5866f8aac4bffa2272aa3c87c89e

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
196KB

MD5
77aa047e3dd5acdc196c8ac187b4cc61

SHA1
2f01c7f3e26a12f40f3e3201721da1b43218e764

SHA256
61b4888b33a75eaa9c4c49e541f9015dd2f2c728a842fce68b29d23f0e97eb96

SHA512
364301ba43216cb5ed266b7a0910dd9e5dbb89454ae213308e9a496327ce08748317549a1376c42791f925625398d6d74f2b5866f8aac4bffa2272aa3c87c89e

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
196KB

MD5
34df73d22d150ae93f146e4febbcfbd1

SHA1
ebc53db57d0a54cb06849b3aaa9c2985a5a80e0e

SHA256
fb4c846b8e493b2c57e2553033a460bd42e7a217300878e18e847acf64986a3b

SHA512
1563fbd530b3b04bb767b6f2095ae415f048ea574bc4366f218221209aa5a13808feafe21ca6c86536fe59f7b499ab4bdf4ca0daf9ec7f641d533f3f48147123

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
196KB

MD5
34df73d22d150ae93f146e4febbcfbd1

SHA1
ebc53db57d0a54cb06849b3aaa9c2985a5a80e0e

SHA256
fb4c846b8e493b2c57e2553033a460bd42e7a217300878e18e847acf64986a3b

SHA512
1563fbd530b3b04bb767b6f2095ae415f048ea574bc4366f218221209aa5a13808feafe21ca6c86536fe59f7b499ab4bdf4ca0daf9ec7f641d533f3f48147123

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
196KB

MD5
3625faa5dbabcaab1384ebe29bf38e6e

SHA1
fb84d9aef1a89d5f7a86face4724b6572cc25a51

SHA256
1f57721719f4b2b2d3be94f58b9ec9184e0f1bc22158d6b12064a950913c8ba9

SHA512
acfe76c8ff7905a1e344aa431cb0564a40f02b20c4ebf5e5431c74711dab9d2abf6dfabfdb21b86e561553b6201b78de83c97e405944be7aca77cacb34c9ef5a

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
196KB

MD5
3625faa5dbabcaab1384ebe29bf38e6e

SHA1
fb84d9aef1a89d5f7a86face4724b6572cc25a51

SHA256
1f57721719f4b2b2d3be94f58b9ec9184e0f1bc22158d6b12064a950913c8ba9

SHA512
acfe76c8ff7905a1e344aa431cb0564a40f02b20c4ebf5e5431c74711dab9d2abf6dfabfdb21b86e561553b6201b78de83c97e405944be7aca77cacb34c9ef5a

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
196KB

MD5
7de36dfdb01fbc3f64dedac8683654d8

SHA1
9a2568bbe6a355c71c066dfd2dff35c5c977b16f

SHA256
ba030d097f7fac1237d2324351138f99c5acab59fadb9e25f32966188106182d

SHA512
df997a33f3ceaffb257a02b66ca487d5ad22f4ada2149b7c15c9e43e8918a2bddf4bfa94e9fdb5abd83e7e5ad97271c8d9068da5a9fe8a66bd9f5739f6d39e91

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
196KB

MD5
7de36dfdb01fbc3f64dedac8683654d8

SHA1
9a2568bbe6a355c71c066dfd2dff35c5c977b16f

SHA256
ba030d097f7fac1237d2324351138f99c5acab59fadb9e25f32966188106182d

SHA512
df997a33f3ceaffb257a02b66ca487d5ad22f4ada2149b7c15c9e43e8918a2bddf4bfa94e9fdb5abd83e7e5ad97271c8d9068da5a9fe8a66bd9f5739f6d39e91

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
196KB

MD5
e19bad657e69da48c06f5ff8ae0e02a0

SHA1
c0ab467d85140bb6a595a6362c4f8f1b2a108f2b

SHA256
16086b41ca44cbc800330606e977544ea87616d514041642d76297802ea793ff

SHA512
3e018d1f6ede622ffb6caeb8f6ea1827896eac0633a439a59991728e296820a30f4212f4680400f8dcd145552ee1ee91b0b78cf6970b6f16c69b2fa936d73780

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
196KB

MD5
e19bad657e69da48c06f5ff8ae0e02a0

SHA1
c0ab467d85140bb6a595a6362c4f8f1b2a108f2b

SHA256
16086b41ca44cbc800330606e977544ea87616d514041642d76297802ea793ff

SHA512
3e018d1f6ede622ffb6caeb8f6ea1827896eac0633a439a59991728e296820a30f4212f4680400f8dcd145552ee1ee91b0b78cf6970b6f16c69b2fa936d73780

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
196KB

MD5
4955141fcc6fd78e957d4592184a199b

SHA1
250eb8971def43b693ce4b7bab1001a42e0e9fca

SHA256
b605cf624fa9e22647573348c86815966a67da55bddd0b8ff0772c06871f7cb4

SHA512
aeb42b7a57f7fd2f370de6efacb5a3bd617922cd27ec4c0077b536a731525eabfd0ee91f3f6fe6443fd8be9c9d3571554da6274e35236e46fc1e2e7342080c43

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
196KB

MD5
4955141fcc6fd78e957d4592184a199b

SHA1
250eb8971def43b693ce4b7bab1001a42e0e9fca

SHA256
b605cf624fa9e22647573348c86815966a67da55bddd0b8ff0772c06871f7cb4

SHA512
aeb42b7a57f7fd2f370de6efacb5a3bd617922cd27ec4c0077b536a731525eabfd0ee91f3f6fe6443fd8be9c9d3571554da6274e35236e46fc1e2e7342080c43

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
196KB

MD5
0374aade9139918064bcb2f70af2b7ad

SHA1
93193a12a2e2a731a609a0e00f5d0397b8b14eea

SHA256
c59ca29f184b6a0505a3b0761ebc3ba1dbbb2255ee6fc9a689a95618254b2436

SHA512
cd1592b3aef6709cae173bcea4e5b11e9094acc01393ab44358b34922aefca252a6bad12b06b2d4113eaf281cf85d0add689c660f5d810b2dbbf30a025356c62

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
196KB

MD5
0374aade9139918064bcb2f70af2b7ad

SHA1
93193a12a2e2a731a609a0e00f5d0397b8b14eea

SHA256
c59ca29f184b6a0505a3b0761ebc3ba1dbbb2255ee6fc9a689a95618254b2436

SHA512
cd1592b3aef6709cae173bcea4e5b11e9094acc01393ab44358b34922aefca252a6bad12b06b2d4113eaf281cf85d0add689c660f5d810b2dbbf30a025356c62

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
196KB

MD5
0374aade9139918064bcb2f70af2b7ad

SHA1
93193a12a2e2a731a609a0e00f5d0397b8b14eea

SHA256
c59ca29f184b6a0505a3b0761ebc3ba1dbbb2255ee6fc9a689a95618254b2436

SHA512
cd1592b3aef6709cae173bcea4e5b11e9094acc01393ab44358b34922aefca252a6bad12b06b2d4113eaf281cf85d0add689c660f5d810b2dbbf30a025356c62

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
196KB

MD5
70a4c53597d2695c32adf490abd701db

SHA1
552b6877d0bae98296f1e0c462247d2ae93d3358

SHA256
af3bd7604b1a4495a344d82feffa5a149b447f27e720f558ec943cbaa2f278e0

SHA512
81815d9d9a3f28c3c7c6ed45beb7f413f136382f18d133eaa94379a3302a8a94cb961b2d665d7f12a8033e23c4cdf2d590c765fd857fe5909dca5baa49d34194

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
196KB

MD5
70a4c53597d2695c32adf490abd701db

SHA1
552b6877d0bae98296f1e0c462247d2ae93d3358

SHA256
af3bd7604b1a4495a344d82feffa5a149b447f27e720f558ec943cbaa2f278e0

SHA512
81815d9d9a3f28c3c7c6ed45beb7f413f136382f18d133eaa94379a3302a8a94cb961b2d665d7f12a8033e23c4cdf2d590c765fd857fe5909dca5baa49d34194

Download Submit
memory/1548-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads