berbew | eba46d2b2c6b4820ea7fc95510da39eaec03d69b4e8389098c6cd88b55a8742e

Analysis

max time kernel
102s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

8e8146c1c4d77553955ab42d5a06066e
SHA1

8d1a12cc5c8d65538f02bbc45f5a5422c782484c
SHA256

eba46d2b2c6b4820ea7fc95510da39eaec03d69b4e8389098c6cd88b55a8742e
SHA512

a3243ee069c9a6d94e069a4e575e50b494db3f9e7d6b442b07ee9b16d71dec379e1365e262cb52c784093000444fd982e457a2a0aa38e622edac599234139cd4
SSDEEP

12288:ta8iyJ2o8wE39uW8wESByvNv54B9f01Zm:QyJ2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
2000	Bffkij32.exe
1120	Beglgani.exe
3364	Bgehcmmm.exe
3232	Bhhdil32.exe
764	Bfkedibe.exe
5132	Bnbmefbg.exe
2700	Belebq32.exe
5760	Chjaol32.exe
1984	Cfmajipb.exe
3520	Cmgjgcgo.exe
1100	Cenahpha.exe
4544	Cdabcm32.exe
4592	Chmndlge.exe
4708	Cfpnph32.exe
4816	Cnffqf32.exe
5640	Cmiflbel.exe
1892	Caebma32.exe
5676	Cdcoim32.exe
4920	Chokikeb.exe
1244	Cfbkeh32.exe
4932	Cnicfe32.exe
5004	Cmlcbbcj.exe
1504	Ceckcp32.exe
6084	Chagok32.exe
5612	Cfdhkhjj.exe
4792	Cnkplejl.exe
3024	Cmnpgb32.exe
884	Ceehho32.exe
2108	Cdhhdlid.exe
4092	Cffdpghg.exe
1776	Cjbpaf32.exe
5100	Cmqmma32.exe
1900	Cegdnopg.exe
4132	Ddjejl32.exe
4376	Dfiafg32.exe
1884	Dopigd32.exe
2204	Danecp32.exe
5720	Dejacond.exe
3480	Dhhnpjmh.exe
5224	Dfknkg32.exe
2296	Dobfld32.exe
3668	Daqbip32.exe
3400	Delnin32.exe
3036	Dhkjej32.exe
3060	Dkifae32.exe
4400	Dodbbdbb.exe
2004	Daconoae.exe
5840	Deokon32.exe
4636	Dhmgki32.exe
3904	Dkkcge32.exe
3092	Dogogcpo.exe
5084	Daekdooc.exe
808	Dddhpjof.exe
5660	Dhocqigp.exe
228	Dknpmdfc.exe
224	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe

Program crash 1 IoCs

pid	pid_target	Process
4312	224	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6116 wrote to memory of 2000	6116	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 6116 wrote to memory of 2000	6116	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 6116 wrote to memory of 2000	6116	2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 2000 wrote to memory of 1120	2000	Bffkij32.exe	87
PID 2000 wrote to memory of 1120	2000	Bffkij32.exe	87
PID 2000 wrote to memory of 1120	2000	Bffkij32.exe	87
PID 1120 wrote to memory of 3364	1120	Beglgani.exe	88
PID 1120 wrote to memory of 3364	1120	Beglgani.exe	88
PID 1120 wrote to memory of 3364	1120	Beglgani.exe	88
PID 3364 wrote to memory of 3232	3364	Bgehcmmm.exe	89
PID 3364 wrote to memory of 3232	3364	Bgehcmmm.exe	89
PID 3364 wrote to memory of 3232	3364	Bgehcmmm.exe	89
PID 3232 wrote to memory of 764	3232	Bhhdil32.exe	90
PID 3232 wrote to memory of 764	3232	Bhhdil32.exe	90
PID 3232 wrote to memory of 764	3232	Bhhdil32.exe	90
PID 764 wrote to memory of 5132	764	Bfkedibe.exe	91
PID 764 wrote to memory of 5132	764	Bfkedibe.exe	91
PID 764 wrote to memory of 5132	764	Bfkedibe.exe	91
PID 5132 wrote to memory of 2700	5132	Bnbmefbg.exe	92
PID 5132 wrote to memory of 2700	5132	Bnbmefbg.exe	92
PID 5132 wrote to memory of 2700	5132	Bnbmefbg.exe	92
PID 2700 wrote to memory of 5760	2700	Belebq32.exe	93
PID 2700 wrote to memory of 5760	2700	Belebq32.exe	93
PID 2700 wrote to memory of 5760	2700	Belebq32.exe	93
PID 5760 wrote to memory of 1984	5760	Chjaol32.exe	94
PID 5760 wrote to memory of 1984	5760	Chjaol32.exe	94
PID 5760 wrote to memory of 1984	5760	Chjaol32.exe	94
PID 1984 wrote to memory of 3520	1984	Cfmajipb.exe	95
PID 1984 wrote to memory of 3520	1984	Cfmajipb.exe	95
PID 1984 wrote to memory of 3520	1984	Cfmajipb.exe	95
PID 3520 wrote to memory of 1100	3520	Cmgjgcgo.exe	96
PID 3520 wrote to memory of 1100	3520	Cmgjgcgo.exe	96
PID 3520 wrote to memory of 1100	3520	Cmgjgcgo.exe	96
PID 1100 wrote to memory of 4544	1100	Cenahpha.exe	97
PID 1100 wrote to memory of 4544	1100	Cenahpha.exe	97
PID 1100 wrote to memory of 4544	1100	Cenahpha.exe	97
PID 4544 wrote to memory of 4592	4544	Cdabcm32.exe	98
PID 4544 wrote to memory of 4592	4544	Cdabcm32.exe	98
PID 4544 wrote to memory of 4592	4544	Cdabcm32.exe	98
PID 4592 wrote to memory of 4708	4592	Chmndlge.exe	99
PID 4592 wrote to memory of 4708	4592	Chmndlge.exe	99
PID 4592 wrote to memory of 4708	4592	Chmndlge.exe	99
PID 4708 wrote to memory of 4816	4708	Cfpnph32.exe	100
PID 4708 wrote to memory of 4816	4708	Cfpnph32.exe	100
PID 4708 wrote to memory of 4816	4708	Cfpnph32.exe	100
PID 4816 wrote to memory of 5640	4816	Cnffqf32.exe	101
PID 4816 wrote to memory of 5640	4816	Cnffqf32.exe	101
PID 4816 wrote to memory of 5640	4816	Cnffqf32.exe	101
PID 5640 wrote to memory of 1892	5640	Cmiflbel.exe	102
PID 5640 wrote to memory of 1892	5640	Cmiflbel.exe	102
PID 5640 wrote to memory of 1892	5640	Cmiflbel.exe	102
PID 1892 wrote to memory of 5676	1892	Caebma32.exe	103
PID 1892 wrote to memory of 5676	1892	Caebma32.exe	103
PID 1892 wrote to memory of 5676	1892	Caebma32.exe	103
PID 5676 wrote to memory of 4920	5676	Cdcoim32.exe	104
PID 5676 wrote to memory of 4920	5676	Cdcoim32.exe	104
PID 5676 wrote to memory of 4920	5676	Cdcoim32.exe	104
PID 4920 wrote to memory of 1244	4920	Chokikeb.exe	105
PID 4920 wrote to memory of 1244	4920	Chokikeb.exe	105
PID 4920 wrote to memory of 1244	4920	Chokikeb.exe	105
PID 1244 wrote to memory of 4932	1244	Cfbkeh32.exe	106
PID 1244 wrote to memory of 4932	1244	Cfbkeh32.exe	106
PID 1244 wrote to memory of 4932	1244	Cfbkeh32.exe	106
PID 4932 wrote to memory of 5004	4932	Cnicfe32.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_8e8146c1c4d77553955ab42d5a06066e_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Windows\SysWOW64\Bffkij32.exe
  C:\Windows\system32\Bffkij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\Beglgani.exe
    C:\Windows\system32\Beglgani.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\Bgehcmmm.exe
      C:\Windows\system32\Bgehcmmm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5132
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5640
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 408
        58⤵
        Program crash
        
        PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 224 -ip 224
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beglgani.exe

Filesize
400KB

MD5
5ddf2209a0384f412fe6e35d99c3d41e

SHA1
ee5c2c4711448d10188e68245716f7e00090bdef

SHA256
c734c2ff8452ba5b58b704e7eca2add017afad43f3510278ea77f72532388011

SHA512
6fc20acdaeab5be81dbf6e72ce30ef781270ce30fee54c6ca871f06b4475305d3f9419f7b76121a720405875baf082574a0d8a6010f210e5e880dff2acee8745

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
400KB

MD5
1a0d712b689a8c05f60e0770d808a1a9

SHA1
621358940645b2fdab8a6757766ad4421e9117ec

SHA256
90c66edb3827acdc1ab15a91169c8dd3ad2cc4e35a6f193e081e6844aa34658b

SHA512
ee66c68afc280dc5bf7ab0836b32cc9267a86d1ed343440e4525379a8375a305f06bd117baac9bf0d085276f841e04481b21ed7400012407a97c8a67a70e3b17

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
400KB

MD5
562a6b2645b7414a603a88364847d2ea

SHA1
22da99c2caa2a418693d2934cbece0d9ec792376

SHA256
c3bffa69748a4aa7c97a45bf8638e09416e192f7e2baf77b43df57761e50113a

SHA512
c5cd51f3f3b63c67b8257aea5cd7e846ebd34ae70c0625e9f8318bbf7349b9982cb92ab2b726d973d6e5620a4e821e960119d8003a9f5c491c19cef7e901b587

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
400KB

MD5
db52c45c948db5b743211cfc9f887adb

SHA1
421574d6d2ae8fddc21062171268f4c66d256f45

SHA256
3d1e5f553def8acc79737ea28835e50840e6a6d72fb92b67f4545a57d4f42845

SHA512
89f092c4f7fa945932f50a624318fa0270e80e477c3121fa572ff37e8cb93958054b4504209b3770c5ff834c290aaf160bb66e4cc1dba351df4344a1351dd12b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
400KB

MD5
8a6dfe661e9b7fffa5c11afe2471ad83

SHA1
ec956e83444eed62069776d70a4faebe86dd1838

SHA256
83224d13939f7cff62fa25be3951ab8b986430598a1acd072e24a51bb3f82ffd

SHA512
049408f89982b867adce37e5ebe01e0f3f7ed60ec1453f2d5ae58990b5bd29980c9453c6cad5d19dc84fbb6030325d1db9e85032254dfa741865b413b34b1c84

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
400KB

MD5
8fda64a8bd87b41bdca69c5893f8271d

SHA1
0c616ae35914c47baad2377f3b38ebd6aab874e4

SHA256
5c94439660089e01cacd7fd6a9aa2f468dd5f3cd60612d73c96df5e3e129184a

SHA512
6dcb2eee5c50d671fccf88ed09ba8593c9a1dd805f3026eb7057de2533c38c99503ebd3c61a7e2be21e314f52807419a15973f7b31aaf70600cf9d2c1a719a63

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
400KB

MD5
87e77a6fb5dd4a3cf93ad63d3a2a7cf9

SHA1
b37265af93601cb71dee2825452f21434a17a836

SHA256
4f2921898d3297586f85fc142985351fb19e23a53dbbc0a599c6d708ea0bcc3a

SHA512
4ba4c2a304a0a056393d40b1513d5e37e72b226ede97f333a4bd94474ab000ab283a44b814bc3e7f05b896e80420d333a21f0e5cec178283b9c8d6548ccea707

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
400KB

MD5
ce0c313b47f3d11d020f219fbb452305

SHA1
6dd9104ad7e7dc22befdb22de1c02cbf298c15a9

SHA256
d65dfb3e0a8d010d249cc74c2a8ccc1c2e790d1d4d17f7975fcd5e73e48ed7dc

SHA512
71cfd1817969341f68ee485c2c238a6382d1bd755ad558c64dd1395ae565c973113f5b6a4880f8fae4c7d4673d2a750ca1deaaebd7ddec5611465b487c082bfc

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
400KB

MD5
cb28bd03bf139ef73e178d94d4659170

SHA1
879cbf9c68d049dd6c57d9dd3fbadd7e3913692a

SHA256
2870b78d243749e79c837a4c49a3dfa4e1884722c05e3bc1cd45e46076715d24

SHA512
f94e9f9658420c249f4a0baaa8c5f644b4e355df22092a44b6b5cac0481d0d4c61d507ee6deb279d821c593df4a31def77994df5371a3c3c5874ad87b17f7d4a

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
400KB

MD5
1ef21beed2c24f0b8d4c9fd6855ef97d

SHA1
728dd91ca89d8123216f615548e66c0d1464a66b

SHA256
754c5e4b1bad5b1dac05cc78a108762f2da1913d51a14e8c779d528847776594

SHA512
f6b899cb9219605770d27f5121cf00d748a273745573b7c1cc779f7a9d9f014026f04733a12a12ce8d0e3978d252528477bfdd935a158a01c42065b750ace878

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
400KB

MD5
8db67cde21eb6a33dd6968ab762f574f

SHA1
b5cc8909a28155faf34abbf641321809bf43b40c

SHA256
8de984eabeb081b5fd99de33c6e78e28ac715ff017277276bc644c780fa369e8

SHA512
1ee33e439c7e7448a82e8ef02e04274f8fb72233e5c2c5a9e838530aae99dcee793fecd75e22f4d412413579d289284b1462d924288cd254be7cccdeae22c244

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
400KB

MD5
90cc70bd3db0fede3f9029f592672027

SHA1
73be963787084a3116c2a55adb66a7874969bc36

SHA256
16b11f444cf788e459ad6a505747edca4a513fcbdfca4ecc72dd000ccac1dbe4

SHA512
0a7d96609d7b4a8c59d824b0dfb97adef5bbe523e8ef5324e0c968c30bc0f2054abf5bdc117698e1d0915c34cb8f78974f78cd9b8f83af5e164bdf67dbe60363

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
400KB

MD5
918b0493bab568261c9ecebdd3ba4619

SHA1
f25e74e6423b2566fa4d57ebb77c4e471a7e7dcb

SHA256
7c99d1d278e0163db73e2ba38859f47c69817393e5bce7e26b2fd3e61a3feac4

SHA512
f3d1d2afd64db72d9da37acf45e6b445409be3d1765528e9bed004f0c04308127da86fa0a4d2bf20b215a31b785e528caf2afe2a5abb95a50563660714383a42

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
400KB

MD5
6a7c221f7cb2cafd4f04c9d3331b9464

SHA1
801d9344ca8fd99ace7542f9cb9dca68bf9e0f54

SHA256
4a639f9aa3410c891a38791d79477ab5e1cf308c9f8c53d84977abb440a4e419

SHA512
de464b3377dae960281a76775cf4c3767f766af1f6a37a34255d17db2ca206b753aef8e39a639b0ee37d226454a5773ddc300f1b478d20c49d29aff9cc9f44f6

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
400KB

MD5
da324ed2187acc57918b4eda31862a46

SHA1
3535c5031dfed411c1387416f55c3804a9df48f7

SHA256
3e43e18336cc8268c2424cb11b3bda9296f439f4752a7ca27ff64c66577df904

SHA512
fae6b999d7636b6d49f081f610d5fee7eafcc17a01dc76094a3ee373aa05396847cdc3d4fff9983ffe9e03269ba45fd8d83a3c1136061fe5403e2310ec2a3588

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
400KB

MD5
a23c3c078a04ea00e2b007d83495be70

SHA1
14d52a768f7b613a499ed0b7bbc951bc12acb601

SHA256
bb06d3ee8dd675a6293d6d216dce4cac231af6ab233988fb294dec52566d7d02

SHA512
1723ec089ee8c9c62eeea422e829a412edccb681d88f65e0515abdd8345a78b508bf2e1dd301568231ce0f2dfeca9a7e2e0fa5fceda68cc1000d1d02f07b0df9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
400KB

MD5
a4ca3ab36ff82754a00f05bdf59d2b74

SHA1
22345c3ebc9556f8a38dd802836d896e8993f7be

SHA256
0ab08165fb54731b674d6a8169abf0819d1808690495f8f62ba1d6267355f77b

SHA512
c707ea7f6989d8f599cdaebcf9a1c02cc2312f6c0ba5d320492d347622f30a8e3ba480434007ceb224e35d03e02570a313e5923a7ebd25d08938ad440c8c07ea

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
400KB

MD5
d9932758de95c6e4f5ed19a8498a9c75

SHA1
e3851a3f606a395126bd40ef87664cd2b011be54

SHA256
d9e77b9d38663857d131fe5bd55ef4cd80af4465ac0283bf07167040dc7dc6ee

SHA512
896d790dfbe1a9c7c96af67687f1b98ecfb3ffce73d37252918d691d13c4a4d5c3dad3a0fadfcddf52f9e12684d6bb1c8d0a793441243e6b03faaf4c0cd1ea43

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
400KB

MD5
d4e7a4efa91dbf72e7769bc3a126f004

SHA1
1653740304b53d55c9ad8ca4f88be2f18c4e3934

SHA256
ca05605313e11238dcad82cd05dbb7e10aeb379df9a970545491c6a3ed645d58

SHA512
59a8836173737fd3c75a25c449a005ec70d6e1f642a89747a0ad00afc830225d0cb932f2b3f458be22b5c6dfda4c4e323a6faa77bc44f1a3631b684acfbae674

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
400KB

MD5
23cc9416c5f6ac124fae25c2f4341a15

SHA1
2aecccf87dd85558dbd33d64c2793a38879cdf9b

SHA256
18fc582c6461ed72e4c0573ac11de580234c40934752e071b25085d0589e19ac

SHA512
1521858e1076f2ca672ee624f7143d95c9815389538c209a889f6fb969800fc851ab498cbadf445891ebb97b2b1913af217277bad8074dd4322d44664d5a4ec8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
400KB

MD5
d35637a460a8797754bf8e8d3bf3460a

SHA1
c9430e99dcc4fc3e58c4e6309a43ab2d8e29edfb

SHA256
0b437f1752bf95d25c5c542c7f7cf7c8dfd2f886deae47f05f2962dd6dd9f07c

SHA512
af2bc869368df37f68a545c51e447e656deba6a6142d262bf772d1fec2f7d0687dff4fb22c8122705155836c7547a6468e68d9c473f05fb9623407309739aab4

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
400KB

MD5
3b97d8553c10e520000bdf82156dbe36

SHA1
c27f744a0849a922d65aa4a807b6be4a32add8eb

SHA256
3bf4971f8a537dff6a10d1dc7eefea52ab30fd23f4573384f03edbf1a18bb911

SHA512
a2165a5a2056ccfdc713ebe6b111065d371b693d52a3edca94699752d25bcafb8ea0b4eaa95a043f4ab255f560ffaf38b42ac062e4579159ac92cf483df01a72

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
400KB

MD5
a6cd1081361a56453f45b0df98984eef

SHA1
c11fb5e0fa876d68f3b69b1a609459512ff673a2

SHA256
d5e4d2fb71a70a42e944c0945e0c2042759a6292aad24292099c366ab4b631aa

SHA512
04a274620053bd0de4f63635932980658bdaf3ed6bb8438be451fb52561f852d0d21eb62f9e4db1fcaf6f6ca3a86af95280a8b9b0f6daa14b5796a813755b9a4

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
400KB

MD5
0f210c2a56a189866514fda3ea4b7be6

SHA1
4697a3cb9969238bb4fa72a35fa676a992767c6f

SHA256
a10ef1fa3b3b1ce1c73e392a24a8addeb03edf2edc6aeb88b90d2db822a03633

SHA512
3235c40052da6b255614982758326b4447059e531e6026cab22022a7ef37dea78d5b3de29c738f1f1f115a4b6a1625f86356235ea905470fd6b1465cda8c4590

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
400KB

MD5
1cba6ec07a7b8279df9c834ea4d42a26

SHA1
631c115c960af7869d98c76aa6fdf6eb1ebdb0ba

SHA256
1f253e4575b12552470d4f2cf2fb4ee5c9caa064c4390726ea24f4ddd5caa365

SHA512
91932ea29b3ace56639443ef2abdc5ee54a43f9c8c6c3a8fcecdb630ebe4a205473482a5f74e430673523d84d9c7c5894879f3e31e15107dfbbcb98f4299e9b4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
400KB

MD5
7d741f523efc3b87fe1bc9536420fa3e

SHA1
28baff7bff65f4f473df9079805ab65ca7d02f22

SHA256
ad22c9ba80714431359dedfd93ee5d0c41098ec05ef71ffafb067e3fa3090cca

SHA512
dd50780befa58a619f1ab3c78697a66d7e6600b93b14909bc23894d6420c44332539f3ee45d5aca9049ed3906bb1bde7b35fb3ed0eec08b814ba947d69bd08ae

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
400KB

MD5
f13639d7f633ead9a437f89496571157

SHA1
de55d33b7b4add341b055ef2e8ea69fe89c30eec

SHA256
f7929655d8377a98e5764be811197b104f39025d44bff04cbe38ce89d8b9e54e

SHA512
89fbf95c3cf7a620a39d715feffd0babe0272995dbbbe3b353f9869b3f34ee5c18cd4896f5c0d2feeb467d1f6c318a83537f0729afacd8f11907a179229fbfd3

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
400KB

MD5
8fee1adf51ba5464e4bca49075552db0

SHA1
cccd915651918a67ac7a84030091457d9e732fde

SHA256
3cfb7c406ca93dd57494a9f972979b91bf75abb5e1f7cd0125eaeb234ac10eb0

SHA512
0191e1d212fb371316729cd9da2a3e98cccf20bb8609d647689df6a4520ba52a1466d3cdb50ca8de52de2c33656d9f44740da749c82d230f20526bb3fdcb9da2

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
400KB

MD5
6a366b34547d3d22c2f4b39e883eb964

SHA1
34045baadd2b8ac5578fd97b97cf2f058b4a530e

SHA256
51bfeef6430fc45e3a0190142d149bbf38e6dfad1bccc1dc470336c7eec79107

SHA512
73f2dc5f7a35207744d130fbdf6a12165b43b42aca748d4c1087beb1acd150fcee4ce78f04b3369c4b026df7897c2213f6a603b3a830f527d8995e98ba79ea26

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
400KB

MD5
fb28313b544033bde95b82cc3ca47951

SHA1
d464a06349ee97e195a55e4214fccc9df664dc22

SHA256
d5b142792f1c5022fa72b3b8415e1efebb5e714104df0f14d82a3eac7fe0a7d9

SHA512
90b7d736f1e74af15e5562a7334de05605462c8ae4303bf4e1e45a57f7c197aece5584080d312b803aaf8992b11c9665808a8ecf4ab1ade643f32b0a0b458053

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
400KB

MD5
2a5dcccd1f5242e103caf9a6139b832c

SHA1
3f637b7b7e667680aeb12bd4fbf4ce7ffec68ffb

SHA256
87e2a53f62f87b848066c3fcdac1023a1fb7234f488f71ca2c0ea6e7180f8140

SHA512
c391d115313ee59bf966bbd03274b5543bade421443d5d0f1d1d07d698a8a7c27e42da9212fb8601c849b5868d4d111384db5b12487f76d142faad21a1caacbd

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
400KB

MD5
e0e48fcc7da2bdee9e16e12dc9a9cedc

SHA1
3f0da00529893c21cf51bdf26932bda9c62ac8a2

SHA256
ece2808d7327f780ffb10517d75b60bcc9a449fa8587683a9f5e15c08e99bf83

SHA512
637b4fd646539ddeb0d0270bd088ee2f46fc95ccc507585bb39402980575e369520b0428b4f8549e6cdd6d7714ce61a23229f586ff9464b48fa3e244ad9c31d2

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
400KB

MD5
da55c3f2b6c133f7ca6f0ceaf2372f33

SHA1
0ff8526b06a74b43cc4edfa2db90e02caec60bd1

SHA256
487e7edcfb61dc09b039dd994082ead78fbb3eb2193f7c85a2ed567f6868d1fa

SHA512
00f159671c76b2baa1d03212e96155b8793fc298600668ff7d66f81ccfca30759f85cd09317e76103729cdb1d4bf4d102dd084e6fb05a88cde3c11b1daaea175

Download Submit
C:\Windows\SysWOW64\Nnjaqjfh.dll

Filesize
7KB

MD5
71b9ba9af1d5f74d7919ab2640ac394f

SHA1
3f07f9b62c15e2df104e167206c855f20c449734

SHA256
f293c0ed73d771496c8b77c985f94d628f3d2409468cd9180592f847ed69920c

SHA512
30fe4f67aa2e214d7836acedb8d13f10c57370f6045616cffc2095b9eca1a4bf3ca06007eb15d31fedd5fa6c117467e61c3567eff3c21d8052cc1ffccefb491a

Download Submit
memory/224-392-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/224-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/228-396-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/228-391-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/764-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/808-379-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/808-400-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/884-450-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/884-227-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1100-93-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1100-484-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1120-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1244-170-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1244-466-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1504-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1504-188-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1776-444-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1776-251-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1884-282-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1884-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1892-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1892-140-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1900-264-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1900-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1984-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2000-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2004-412-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2004-345-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2108-235-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2108-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2204-288-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2204-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2296-312-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2296-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2700-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3024-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3024-219-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-328-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-416-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3092-368-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3092-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3364-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3400-420-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3480-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3480-300-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3520-84-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3520-486-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3668-422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3904-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3904-362-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4092-243-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4092-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4132-270-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4132-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4376-276-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4376-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4400-414-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4544-482-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4544-101-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4592-480-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4636-408-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4708-478-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4708-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4792-211-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4792-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4816-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4816-476-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4920-156-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4920-468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4932-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4932-464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5004-462-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5004-180-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5084-402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5100-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5132-47-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5224-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5224-306-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5612-203-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5612-456-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5640-474-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5640-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5660-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5660-385-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5676-470-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5676-148-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5720-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5720-294-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5760-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5840-410-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5840-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6084-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6116-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads