740b3fa29a814632eddf1ccc0d15f71685ef6ae0438d196237db7f0bb680183d

Analysis

max time kernel
82s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6d65c7dccab1528b7099712f03e01c0N.exe
Size

260KB
MD5

d6d65c7dccab1528b7099712f03e01c0
SHA1

336ce972c06791a4cc7ac6b6a71d8ed9aa849584
SHA256

740b3fa29a814632eddf1ccc0d15f71685ef6ae0438d196237db7f0bb680183d
SHA512

1f3ffd146e36550184a48f257d34288029850f4f835e449b30ccf260648112873c2804ff71b87fbdf84d1d4d0a2757f734b312c75471ae8b6064d1969be8197d
SSDEEP

1536:GxtnE6acoso8vzxoSBUES5SwziMYiHzhtAia5QrMsQtCnt8qiJPQsZSTorlN33nn:K/vFYi9yQct1iJPQSrl1LtYFroxTSfM

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 52 IoCs

pid	Process
2336	17b13.exe
2800	0b714.exe
2700	52682.exe
2744	dc811.exe
1236	b837b.exe
1956	48dxc.exe
1864	dc9c1.exe
2716	246b7.exe
896	47eab.exe
1716	bc1x7.exe
2600	0d833.exe
1968	456c9.exe
2856	747a4.exe
2104	bb39a.exe
2076	5e3bc.exe
2852	8c497.exe
2700	25d1c.exe
2288	5317d.exe
1756	767da.exe
2228	ae223.exe
1244	a57c2.exe
404	eb64x.exe
1324	dc584.exe
1396	9ad58.exe
2436	9ad4c.exe
2488	d79cb.exe
1900	07388.exe
944	61b4e.exe
2924	71dd1.exe
2568	cc052.exe
2020	a981c.exe
1564	42ec2.exe
492	5b9xa.exe
1504	2e771.exe
576	7e6e3.exe
1648	c0ecd.exe
376	22609.exe
2088	406d4.exe
1776	5x877.exe
896	8756d.exe
1308	64d28.exe
1588	7d951.exe
2960	b93x8.exe
1712	b57db.exe
2664	39a37.exe
2104	66d60.exe
1608	b859b.exe
2632	4362b.exe
3016	2e185.exe
1528	8a67c.exe
2188	94xx6.exe
2268	dcbec.exe

Loads dropped DLL 64 IoCs

pid	Process
2432	d6d65c7dccab1528b7099712f03e01c0N.exe
2432	d6d65c7dccab1528b7099712f03e01c0N.exe
2336	17b13.exe
2336	17b13.exe
2800	0b714.exe
2800	0b714.exe
2700	52682.exe
2700	52682.exe
2744	dc811.exe
2744	dc811.exe
1236	b837b.exe
1236	b837b.exe
1956	48dxc.exe
1956	48dxc.exe
1864	dc9c1.exe
1864	dc9c1.exe
2716	246b7.exe
2716	246b7.exe
896	47eab.exe
896	47eab.exe
1716	bc1x7.exe
1716	bc1x7.exe
2600	0d833.exe
2600	0d833.exe
1968	456c9.exe
1968	456c9.exe
2856	747a4.exe
2856	747a4.exe
2104	bb39a.exe
2104	bb39a.exe
2076	5e3bc.exe
2076	5e3bc.exe
2852	8c497.exe
2852	8c497.exe
2700	25d1c.exe
2700	25d1c.exe
2288	5317d.exe
2288	5317d.exe
1756	767da.exe
1756	767da.exe
2228	ae223.exe
2228	ae223.exe
1244	a57c2.exe
1244	a57c2.exe
404	eb64x.exe
404	eb64x.exe
1324	dc584.exe
1324	dc584.exe
1396	9ad58.exe
1396	9ad58.exe
2436	9ad4c.exe
2436	9ad4c.exe
2488	d79cb.exe
2488	d79cb.exe
1900	07388.exe
1900	07388.exe
944	61b4e.exe
944	61b4e.exe
2924	71dd1.exe
2924	71dd1.exe
2568	cc052.exe
2568	cc052.exe
2020	a981c.exe
2020	a981c.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-0-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0008000000016d36-8.dat	upx
behavioral1/memory/2432-17-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x000b0000000122ea-30.dat	upx
behavioral1/memory/2336-32-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0009000000016c95-40.dat	upx
behavioral1/memory/2700-49-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2800-52-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x000a000000016d47-58.dat	upx
behavioral1/memory/2700-67-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2744-82-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0007000000016db5-97.dat	upx
behavioral1/memory/1236-100-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0009000000016dd0-107.dat	upx
behavioral1/files/0x000b000000016d58-128.dat	upx
behavioral1/memory/1864-132-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0005000000018697-139.dat	upx
behavioral1/memory/2716-149-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x00050000000187a2-157.dat	upx
behavioral1/memory/896-166-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1716-182-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000018c44-188.dat	upx
behavioral1/memory/2600-198-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2856-216-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1968-217-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2104-246-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2700-282-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/404-337-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2436-371-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1900-393-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2924-416-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2020-440-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/492-451-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/492-462-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/576-485-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1648-499-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2088-523-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1776-534-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2960-582-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2664-603-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/3016-651-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dcbec.exe"	dcbec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4362b.exe	b859b.exe
File opened for modification	C:\Windows\SysWOW64\47eab.exe	246b7.exe
File opened for modification	C:\Windows\SysWOW64\eb64x.exe	a57c2.exe
File opened for modification	C:\Windows\SysWOW64\2e771.exe	5b9xa.exe
File created	C:\Windows\SysWOW64\bc1x7.exe	47eab.exe
File created	C:\Windows\SysWOW64\ae223.exe	767da.exe
File opened for modification	C:\Windows\SysWOW64\8756d.exe	5x877.exe
File opened for modification	C:\Windows\SysWOW64\246b7.exe	dc9c1.exe
File created	C:\Windows\SysWOW64\4362b.exe	b859b.exe
File created	C:\Windows\SysWOW64\b57db.exe	b93x8.exe
File created	C:\Windows\SysWOW64\456c9.exe	0d833.exe
File created	C:\Windows\SysWOW64\9ad58.exe	dc584.exe
File opened for modification	C:\Windows\SysWOW64\7d951.exe	64d28.exe
File opened for modification	C:\Windows\SysWOW64\25d1c.exe	8c497.exe
File opened for modification	C:\Windows\SysWOW64\0b714.exe	17b13.exe
File created	C:\Windows\SysWOW64\bb39a.exe	747a4.exe
File opened for modification	C:\Windows\SysWOW64\8c497.exe	5e3bc.exe
File opened for modification	C:\Windows\SysWOW64\b859b.exe	66d60.exe
File created	C:\Windows\SysWOW64\47eab.exe	246b7.exe
File created	C:\Windows\SysWOW64\cc052.exe	71dd1.exe
File created	C:\Windows\SysWOW64\a981c.exe	cc052.exe
File opened for modification	C:\Windows\SysWOW64\17b13.exe	d6d65c7dccab1528b7099712f03e01c0N.exe
File opened for modification	C:\Windows\SysWOW64\5e3bc.exe	bb39a.exe
File opened for modification	C:\Windows\SysWOW64\cc052.exe	71dd1.exe
File created	C:\Windows\SysWOW64\5x877.exe	406d4.exe
File created	C:\Windows\SysWOW64\8a67c.exe	2e185.exe
File opened for modification	C:\Windows\SysWOW64\5317d.exe	25d1c.exe
File opened for modification	C:\Windows\SysWOW64\9ad58.exe	dc584.exe
File created	C:\Windows\SysWOW64\61b4e.exe	07388.exe
File created	C:\Windows\SysWOW64\5317d.exe	25d1c.exe
File opened for modification	C:\Windows\SysWOW64\61b4e.exe	07388.exe
File created	C:\Windows\SysWOW64\a57c2.exe	ae223.exe
File opened for modification	C:\Windows\SysWOW64\66d60.exe	39a37.exe
File created	C:\Windows\SysWOW64\94xx6.exe	8a67c.exe
File opened for modification	C:\Windows\SysWOW64\dc9c1.exe	48dxc.exe
File created	C:\Windows\SysWOW64\d79cb.exe	9ad4c.exe
File created	C:\Windows\SysWOW64\7e6e3.exe	2e771.exe
File created	C:\Windows\SysWOW64\747a4.exe	456c9.exe
File created	C:\Windows\SysWOW64\dc584.exe	eb64x.exe
File opened for modification	C:\Windows\SysWOW64\dc584.exe	eb64x.exe
File created	C:\Windows\SysWOW64\246b7.exe	dc9c1.exe
File created	C:\Windows\SysWOW64\767da.exe	5317d.exe
File created	C:\Windows\SysWOW64\eb64x.exe	a57c2.exe
File opened for modification	C:\Windows\SysWOW64\22609.exe	c0ecd.exe
File opened for modification	C:\Windows\SysWOW64\64d28.exe	8756d.exe
File created	C:\Windows\SysWOW64\406d4.exe	22609.exe
File created	C:\Windows\SysWOW64\64d28.exe	8756d.exe
File opened for modification	C:\Windows\SysWOW64\0d833.exe	bc1x7.exe
File opened for modification	C:\Windows\SysWOW64\71dd1.exe	61b4e.exe
File opened for modification	C:\Windows\SysWOW64\5b9xa.exe	42ec2.exe
File opened for modification	C:\Windows\SysWOW64\39a37.exe	b57db.exe
File created	C:\Windows\SysWOW64\22609.exe	c0ecd.exe
File opened for modification	C:\Windows\SysWOW64\b93x8.exe	7d951.exe
File created	C:\Windows\SysWOW64\2e185.exe	4362b.exe
File opened for modification	C:\Windows\SysWOW64\94xx6.exe	8a67c.exe
File created	C:\Windows\SysWOW64\17b13.exe	d6d65c7dccab1528b7099712f03e01c0N.exe
File created	C:\Windows\SysWOW64\48dxc.exe	b837b.exe
File created	C:\Windows\SysWOW64\8c497.exe	5e3bc.exe
File created	C:\Windows\SysWOW64\42ec2.exe	a981c.exe
File created	C:\Windows\SysWOW64\b837b.exe	dc811.exe
File created	C:\Windows\SysWOW64\dc9c1.exe	48dxc.exe
File created	C:\Windows\SysWOW64\5e3bc.exe	bb39a.exe
File opened for modification	C:\Windows\SysWOW64\d79cb.exe	9ad4c.exe
File created	C:\Windows\SysWOW64\2e771.exe	5b9xa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39a37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	246b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc1x7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae223.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66d60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb64x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6d65c7dccab1528b7099712f03e01c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94xx6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc052.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0ecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b837b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a57c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b57db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ad4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61b4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64d28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcbec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc9c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25d1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93x8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b859b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07388.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d79cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71dd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42ec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4362b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a67c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5317d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b9xa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47eab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	747a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e6e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48dxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb39a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc811.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a981c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5x877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e3bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ad58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8756d.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	dcbec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "2"	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 560031000000000000000000170073797374656d333200003e0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000730079007300740065006d0033003200000018000000	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	dcbec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	dcbec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 520031000000000000000000100057696e646f7773003c0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000570069006e0064006f0077007300000016000000	dcbec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	dcbec.exe

Suspicious use of SetWindowsHookEx 53 IoCs

pid	Process
2432	d6d65c7dccab1528b7099712f03e01c0N.exe
2336	17b13.exe
2800	0b714.exe
2700	52682.exe
2744	dc811.exe
1236	b837b.exe
1956	48dxc.exe
1864	dc9c1.exe
2716	246b7.exe
896	47eab.exe
1716	bc1x7.exe
2600	0d833.exe
1968	456c9.exe
2856	747a4.exe
2104	bb39a.exe
2076	5e3bc.exe
2852	8c497.exe
2700	25d1c.exe
2288	5317d.exe
1756	767da.exe
2228	ae223.exe
1244	a57c2.exe
404	eb64x.exe
1324	dc584.exe
1396	9ad58.exe
2436	9ad4c.exe
2488	d79cb.exe
1900	07388.exe
944	61b4e.exe
2924	71dd1.exe
2568	cc052.exe
2020	a981c.exe
1564	42ec2.exe
492	5b9xa.exe
1504	2e771.exe
576	7e6e3.exe
1648	c0ecd.exe
376	22609.exe
2088	406d4.exe
1776	5x877.exe
896	8756d.exe
1308	64d28.exe
1588	7d951.exe
2960	b93x8.exe
1712	b57db.exe
2664	39a37.exe
2104	66d60.exe
1608	b859b.exe
2632	4362b.exe
3016	2e185.exe
1528	8a67c.exe
2188	94xx6.exe
2268	dcbec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2336	2432	d6d65c7dccab1528b7099712f03e01c0N.exe	31
PID 2432 wrote to memory of 2336	2432	d6d65c7dccab1528b7099712f03e01c0N.exe	31
PID 2432 wrote to memory of 2336	2432	d6d65c7dccab1528b7099712f03e01c0N.exe	31
PID 2432 wrote to memory of 2336	2432	d6d65c7dccab1528b7099712f03e01c0N.exe	31
PID 2336 wrote to memory of 2800	2336	17b13.exe	32
PID 2336 wrote to memory of 2800	2336	17b13.exe	32
PID 2336 wrote to memory of 2800	2336	17b13.exe	32
PID 2336 wrote to memory of 2800	2336	17b13.exe	32
PID 2800 wrote to memory of 2700	2800	0b714.exe	33
PID 2800 wrote to memory of 2700	2800	0b714.exe	33
PID 2800 wrote to memory of 2700	2800	0b714.exe	33
PID 2800 wrote to memory of 2700	2800	0b714.exe	33
PID 2700 wrote to memory of 2744	2700	52682.exe	34
PID 2700 wrote to memory of 2744	2700	52682.exe	34
PID 2700 wrote to memory of 2744	2700	52682.exe	34
PID 2700 wrote to memory of 2744	2700	52682.exe	34
PID 2744 wrote to memory of 1236	2744	dc811.exe	35
PID 2744 wrote to memory of 1236	2744	dc811.exe	35
PID 2744 wrote to memory of 1236	2744	dc811.exe	35
PID 2744 wrote to memory of 1236	2744	dc811.exe	35
PID 1236 wrote to memory of 1956	1236	b837b.exe	36
PID 1236 wrote to memory of 1956	1236	b837b.exe	36
PID 1236 wrote to memory of 1956	1236	b837b.exe	36
PID 1236 wrote to memory of 1956	1236	b837b.exe	36
PID 1956 wrote to memory of 1864	1956	48dxc.exe	37
PID 1956 wrote to memory of 1864	1956	48dxc.exe	37
PID 1956 wrote to memory of 1864	1956	48dxc.exe	37
PID 1956 wrote to memory of 1864	1956	48dxc.exe	37
PID 1864 wrote to memory of 2716	1864	dc9c1.exe	38
PID 1864 wrote to memory of 2716	1864	dc9c1.exe	38
PID 1864 wrote to memory of 2716	1864	dc9c1.exe	38
PID 1864 wrote to memory of 2716	1864	dc9c1.exe	38
PID 2716 wrote to memory of 896	2716	246b7.exe	39
PID 2716 wrote to memory of 896	2716	246b7.exe	39
PID 2716 wrote to memory of 896	2716	246b7.exe	39
PID 2716 wrote to memory of 896	2716	246b7.exe	39
PID 896 wrote to memory of 1716	896	47eab.exe	40
PID 896 wrote to memory of 1716	896	47eab.exe	40
PID 896 wrote to memory of 1716	896	47eab.exe	40
PID 896 wrote to memory of 1716	896	47eab.exe	40
PID 1716 wrote to memory of 2600	1716	bc1x7.exe	41
PID 1716 wrote to memory of 2600	1716	bc1x7.exe	41
PID 1716 wrote to memory of 2600	1716	bc1x7.exe	41
PID 1716 wrote to memory of 2600	1716	bc1x7.exe	41
PID 2600 wrote to memory of 1968	2600	0d833.exe	42
PID 2600 wrote to memory of 1968	2600	0d833.exe	42
PID 2600 wrote to memory of 1968	2600	0d833.exe	42
PID 2600 wrote to memory of 1968	2600	0d833.exe	42
PID 1968 wrote to memory of 2856	1968	456c9.exe	43
PID 1968 wrote to memory of 2856	1968	456c9.exe	43
PID 1968 wrote to memory of 2856	1968	456c9.exe	43
PID 1968 wrote to memory of 2856	1968	456c9.exe	43
PID 2856 wrote to memory of 2104	2856	747a4.exe	44
PID 2856 wrote to memory of 2104	2856	747a4.exe	44
PID 2856 wrote to memory of 2104	2856	747a4.exe	44
PID 2856 wrote to memory of 2104	2856	747a4.exe	44
PID 2104 wrote to memory of 2076	2104	bb39a.exe	45
PID 2104 wrote to memory of 2076	2104	bb39a.exe	45
PID 2104 wrote to memory of 2076	2104	bb39a.exe	45
PID 2104 wrote to memory of 2076	2104	bb39a.exe	45
PID 2076 wrote to memory of 2852	2076	5e3bc.exe	46
PID 2076 wrote to memory of 2852	2076	5e3bc.exe	46
PID 2076 wrote to memory of 2852	2076	5e3bc.exe	46
PID 2076 wrote to memory of 2852	2076	5e3bc.exe	46

C:\Users\Admin\AppData\Local\Temp\d6d65c7dccab1528b7099712f03e01c0N.exe
"C:\Users\Admin\AppData\Local\Temp\d6d65c7dccab1528b7099712f03e01c0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\17b13.exe
  "C:\Windows\system32\17b13.exe" killauto~~d6d65c7dccab1528b7099712f03e01c0N.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\0b714.exe
    "C:\Windows\system32\0b714.exe" killauto~~17b13.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\52682.exe
      "C:\Windows\system32\52682.exe" killauto~~0b714.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\dc811.exe
        
        "C:\Windows\system32\dc811.exe" killauto~~52682.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\b837b.exe
        
        "C:\Windows\system32\b837b.exe" killauto~~dc811.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\48dxc.exe
        
        "C:\Windows\system32\48dxc.exe" killauto~~b837b.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\dc9c1.exe
        
        "C:\Windows\system32\dc9c1.exe" killauto~~48dxc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\246b7.exe
        
        "C:\Windows\system32\246b7.exe" killauto~~dc9c1.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\47eab.exe
        
        "C:\Windows\system32\47eab.exe" killauto~~246b7.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\bc1x7.exe
        
        "C:\Windows\system32\bc1x7.exe" killauto~~47eab.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\0d833.exe
        
        "C:\Windows\system32\0d833.exe" killauto~~bc1x7.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\456c9.exe
        
        "C:\Windows\system32\456c9.exe" killauto~~0d833.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\747a4.exe
        
        "C:\Windows\system32\747a4.exe" killauto~~456c9.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\bb39a.exe
        
        "C:\Windows\system32\bb39a.exe" killauto~~747a4.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\5e3bc.exe
        
        "C:\Windows\system32\5e3bc.exe" killauto~~bb39a.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\8c497.exe
        
        "C:\Windows\system32\8c497.exe" killauto~~5e3bc.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\25d1c.exe
        
        "C:\Windows\system32\25d1c.exe" killauto~~8c497.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\5317d.exe
        
        "C:\Windows\system32\5317d.exe" killauto~~25d1c.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\767da.exe
        
        "C:\Windows\system32\767da.exe" killauto~~5317d.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\ae223.exe
        
        "C:\Windows\system32\ae223.exe" killauto~~767da.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\a57c2.exe
        
        "C:\Windows\system32\a57c2.exe" killauto~~ae223.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\eb64x.exe
        
        "C:\Windows\system32\eb64x.exe" killauto~~a57c2.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\dc584.exe
        
        "C:\Windows\system32\dc584.exe" killauto~~eb64x.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\9ad58.exe
        
        "C:\Windows\system32\9ad58.exe" killauto~~dc584.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Windows\SysWOW64\9ad4c.exe
        
        "C:\Windows\system32\9ad4c.exe" killauto~~9ad58.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\d79cb.exe
        
        "C:\Windows\system32\d79cb.exe" killauto~~9ad4c.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\07388.exe
        
        "C:\Windows\system32\07388.exe" killauto~~d79cb.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\61b4e.exe
        
        "C:\Windows\system32\61b4e.exe" killauto~~07388.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\71dd1.exe
        
        "C:\Windows\system32\71dd1.exe" killauto~~61b4e.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cc052.exe
        
        "C:\Windows\system32\cc052.exe" killauto~~71dd1.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\a981c.exe
        
        "C:\Windows\system32\a981c.exe" killauto~~cc052.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\42ec2.exe
        
        "C:\Windows\system32\42ec2.exe" killauto~~a981c.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\5b9xa.exe
        
        "C:\Windows\system32\5b9xa.exe" killauto~~42ec2.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:492
        
        C:\Windows\SysWOW64\2e771.exe
        
        "C:\Windows\system32\2e771.exe" killauto~~5b9xa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\7e6e3.exe
        
        "C:\Windows\system32\7e6e3.exe" killauto~~2e771.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\c0ecd.exe
        
        "C:\Windows\system32\c0ecd.exe" killauto~~7e6e3.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\22609.exe
        
        "C:\Windows\system32\22609.exe" killauto~~c0ecd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\406d4.exe
        
        "C:\Windows\system32\406d4.exe" killauto~~22609.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\5x877.exe
        
        "C:\Windows\system32\5x877.exe" killauto~~406d4.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\8756d.exe
        
        "C:\Windows\system32\8756d.exe" killauto~~5x877.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\64d28.exe
        
        "C:\Windows\system32\64d28.exe" killauto~~8756d.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\7d951.exe
        
        "C:\Windows\system32\7d951.exe" killauto~~64d28.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\b93x8.exe
        
        "C:\Windows\system32\b93x8.exe" killauto~~7d951.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\b57db.exe
        
        "C:\Windows\system32\b57db.exe" killauto~~b93x8.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\39a37.exe
        
        "C:\Windows\system32\39a37.exe" killauto~~b57db.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\66d60.exe
        
        "C:\Windows\system32\66d60.exe" killauto~~39a37.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\b859b.exe
        
        "C:\Windows\system32\b859b.exe" killauto~~66d60.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\4362b.exe
        
        "C:\Windows\system32\4362b.exe" killauto~~b859b.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\2e185.exe
        
        "C:\Windows\system32\2e185.exe" killauto~~4362b.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\8a67c.exe
        
        "C:\Windows\system32\8a67c.exe" killauto~~2e185.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\94xx6.exe
        
        "C:\Windows\system32\94xx6.exe" killauto~~8a67c.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\dcbec.exe
        
        "C:\Windows\system32\dcbec.exe" killauto~~94xx6.exe
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\0b714.exe

Filesize
260KB

MD5
c93b8cf837df9dadca59b62a2c8312cd

SHA1
ed177b2548da07338b2cd672e8a11226c9438721

SHA256
fe28b71a906b9d95abc0b700901451c5973019f9585705de96f392ac733ad9e7

SHA512
5e6b87778e1177bece4cbbcbac6f412b653dd663dbcac2a9767be763ef46de019cc73285862970d800f52f885ac0c3b6ed8831b2459884785946b6c623ffe48e

Download Submit
C:\Windows\SysWOW64\17b13.exe

Filesize
260KB

MD5
19d72b40a1a78c8ead5d08c8bdeb0a2f

SHA1
5fbddc65a0b4e0ade609ebf249d9272c5cb04730

SHA256
c01177f9f370b0f1772fb69fda2ca1468ce5403535b4c068a0f4a0dfe3f0accf

SHA512
9004ee0c7f474d599dbf502da5417973904a0c5cca0b7ea4228ac57f37158603a9684326586ba53a54801ffc10d0a17fa03e4c6bc5ad3264e35dc3a38cf2ae9f

Download Submit
C:\Windows\SysWOW64\246b7.exe

Filesize
260KB

MD5
90044e721f7be40ba6c805e849d56d2b

SHA1
7a4d1ff8126981c229d2616249887e6cbf3cf63b

SHA256
2b90c1249765d35f99ce3c0bb1656036121efa0bec53745ac44dac8ddbace14e

SHA512
a033177ff7306d08b877e1aca1dc657138c63a52a4240069aebaa3b3b24c3ac2ee3e246d87777300b9aac33ea22895735b8f97e7f7db7c6d63438df41b64b4f4

Download Submit
C:\Windows\SysWOW64\48dxc.exe

Filesize
260KB

MD5
49d606236997742e735e444406a22cd8

SHA1
44834ec7f5f82a8f4ce37b7c67ed9b4f981c060c

SHA256
f36ae5248b0ee4babb3d66a97e3448d2c8b95c2c45ba1d10bb5c1470916574a8

SHA512
6097ac09e5dc486d4d8a547ee0d1097ba90d0c4df4ca8ba5708d43038483726b9643b8e98aaecd68342f7953f5496d4e6827cde0ceb872cca01f66ed13c8f26d

Download Submit
\Windows\SysWOW64\456c9.exe

Filesize
260KB

MD5
f9ecc95b1f9596a3b9a43f6498327ee4

SHA1
508b55b4ad3f523b243d08b1421c3a7c0b1513bb

SHA256
c086b6c48f4bcb8b1dd66fa367e93f2720b46abbb70ff39647bc81102b061c8c

SHA512
576290db4ddfc834a91543a1bb0ec36c89653b97db5445baf48be30edc5fd921ecc02f46b3569dc4e9b9fb0a45d4a929b1226d136a7702ca50bb9bdef72792cb

Download Submit
\Windows\SysWOW64\47eab.exe

Filesize
260KB

MD5
b4b940ad771afcc63448c6794e2d5f68

SHA1
cb0848bb5e38f992ea2011b7a0d443008c7c7d77

SHA256
ce4fc62dd27207659c7a315787bfb98b95929da099c3b9b43a3ce970540eb96e

SHA512
9500b22d48cb00230e317392bdcae177d722055229a144a1b2977268367a6143313da171ff9d1e92b88bcdc7d4a7cbc5f890b140f8dcc8a79a6b24f4932c09f8

Download Submit
\Windows\SysWOW64\52682.exe

Filesize
260KB

MD5
0cd9ddc86b08556ce8cd513f4801867f

SHA1
052ee7d713647786225598bf0103f9f00b1a0bbf

SHA256
f0b7120076f95071155ebef6998895a93155dcd3194700373653ff5619f59c1d

SHA512
30b14097334c325a6b46c1db81ee172939c8f907999fce8858c1adc02410f3435ff9c6b1fda48b18329e71782e909b852eadfcd6a1bd499e0c160adc68414442

Download Submit
\Windows\SysWOW64\bc1x7.exe

Filesize
260KB

MD5
b041766af47e8adcf81702a6a504e08d

SHA1
b1267c6c7c2e46fd1f872529cc8c033c56bc534e

SHA256
a734dabc08d999e897c37337d00d48a42fe301306f9d71eb30cd505be33c8386

SHA512
2bd26e189c375042bca16f9cc7929e27eae8b5a65e0209c0d326185bb54ac3f94ba8c4be7e7e48d1b600cd58ccd695e9ddcc662fc8871a8d1f0f5f830eff97f3

Download Submit
\Windows\SysWOW64\dc811.exe

Filesize
260KB

MD5
69a611130be6f1caed86247c288d2418

SHA1
25d57d89ac0ea000de3e00adcd06c5559fa75ecd

SHA256
c897341483c98cbe9f173e9c01e31b872b0c831182e9fd4fe3536882bc6e5fa9

SHA512
7a7eb8a28f70d28c54fb8c5747a9fe00e2fc05527352ea5a1156a1170cc5734ac785cba7413ca84fa74e4b26fa4321277b10cdc7f62f1342300e79bded129de2

Download Submit
\Windows\SysWOW64\dc9c1.exe

Filesize
260KB

MD5
e45ab801f5c0564a06f8f363ba46bf31

SHA1
60330777f31a0addd94c0c167e12bcd26f2b1a24

SHA256
bb1605f1cf3d870e4d1b18842928f313b48280f4f01c6cc8541342573f4de419

SHA512
eaaafccf6eedf46b6a4e27473c3e1e1e54854ef13739b2dd0dd0082f8300469f1d840eaa4ea4d9d5ddfbf603c3c037b9ae75b62328214462d89c9957f8f2a966

Download Submit
memory/376-510-0x0000000003BC0000-0x0000000003C02000-memory.dmp

Filesize
264KB

Download
memory/376-508-0x0000000003BC0000-0x0000000003C02000-memory.dmp

Filesize
264KB

Download
memory/404-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/492-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/492-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/576-483-0x0000000003B90000-0x0000000003BD2000-memory.dmp

Filesize
264KB

Download
memory/576-484-0x0000000003B90000-0x0000000003BD2000-memory.dmp

Filesize
264KB

Download
memory/576-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-162-0x0000000003D30000-0x0000000003D72000-memory.dmp

Filesize
264KB

Download
memory/896-161-0x0000000003D30000-0x0000000003D72000-memory.dmp

Filesize
264KB

Download
memory/896-545-0x0000000003CC0000-0x0000000003D02000-memory.dmp

Filesize
264KB

Download
memory/944-403-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/944-402-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/1236-96-0x0000000003D50000-0x0000000003D92000-memory.dmp

Filesize
264KB

Download
memory/1236-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-324-0x0000000003C60000-0x0000000003CA2000-memory.dmp

Filesize
264KB

Download
memory/1244-323-0x0000000003C60000-0x0000000003CA2000-memory.dmp

Filesize
264KB

Download
memory/1308-556-0x0000000003BD0000-0x0000000003C12000-memory.dmp

Filesize
264KB

Download
memory/1396-357-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/1396-353-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/1504-472-0x0000000003B00000-0x0000000003B42000-memory.dmp

Filesize
264KB

Download
memory/1504-471-0x0000000003B00000-0x0000000003B42000-memory.dmp

Filesize
264KB

Download
memory/1528-662-0x0000000004270000-0x00000000042B2000-memory.dmp

Filesize
264KB

Download
memory/1588-567-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/1608-625-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/1608-626-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/1648-499-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-496-0x0000000003B90000-0x0000000003BD2000-memory.dmp

Filesize
264KB

Download
memory/1712-591-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

Filesize
264KB

Download
memory/1716-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-301-0x0000000003B80000-0x0000000003BC2000-memory.dmp

Filesize
264KB

Download
memory/1776-534-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-532-0x0000000003D60000-0x0000000003DA2000-memory.dmp

Filesize
264KB

Download
memory/1776-533-0x0000000003D60000-0x0000000003DA2000-memory.dmp

Filesize
264KB

Download
memory/1864-127-0x0000000003BB0000-0x0000000003BF2000-memory.dmp

Filesize
264KB

Download
memory/1864-129-0x0000000003BB0000-0x0000000003BF2000-memory.dmp

Filesize
264KB

Download
memory/1864-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-212-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/1968-207-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/2020-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-437-0x00000000042A0000-0x00000000042E2000-memory.dmp

Filesize
264KB

Download
memory/2076-256-0x0000000003C40000-0x0000000003C82000-memory.dmp

Filesize
264KB

Download
memory/2076-257-0x0000000003C40000-0x0000000003C82000-memory.dmp

Filesize
264KB

Download
memory/2088-523-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-520-0x0000000003E90000-0x0000000003ED2000-memory.dmp

Filesize
264KB

Download
memory/2104-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-614-0x0000000003A70000-0x0000000003AB2000-memory.dmp

Filesize
264KB

Download
memory/2228-312-0x0000000003D40000-0x0000000003D82000-memory.dmp

Filesize
264KB

Download
memory/2336-29-0x0000000003A90000-0x0000000003AD2000-memory.dmp

Filesize
264KB

Download
memory/2336-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-13-0x0000000003C90000-0x0000000003CD2000-memory.dmp

Filesize
264KB

Download
memory/2436-368-0x0000000003B00000-0x0000000003B42000-memory.dmp

Filesize
264KB

Download
memory/2436-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-380-0x0000000004690000-0x00000000046D2000-memory.dmp

Filesize
264KB

Download
memory/2568-426-0x0000000003BC0000-0x0000000003C02000-memory.dmp

Filesize
264KB

Download
memory/2600-195-0x0000000003BB0000-0x0000000003BF2000-memory.dmp

Filesize
264KB

Download
memory/2600-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-637-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/2632-638-0x0000000003C00000-0x0000000003C42000-memory.dmp

Filesize
264KB

Download
memory/2664-602-0x0000000003E10000-0x0000000003E52000-memory.dmp

Filesize
264KB

Download
memory/2664-603-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-279-0x0000000003BB0000-0x0000000003BF2000-memory.dmp

Filesize
264KB

Download
memory/2700-65-0x0000000003E00000-0x0000000003E42000-memory.dmp

Filesize
264KB

Download
memory/2700-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-145-0x0000000003E00000-0x0000000003E42000-memory.dmp

Filesize
264KB

Download
memory/2744-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-42-0x0000000003A30000-0x0000000003A72000-memory.dmp

Filesize
264KB

Download
memory/2800-47-0x0000000003A30000-0x0000000003A72000-memory.dmp

Filesize
264KB

Download
memory/2852-268-0x0000000003AD0000-0x0000000003B12000-memory.dmp

Filesize
264KB

Download
memory/2856-230-0x0000000003A80000-0x0000000003AC2000-memory.dmp

Filesize
264KB

Download
memory/2856-229-0x0000000003A80000-0x0000000003AC2000-memory.dmp

Filesize
264KB

Download
memory/2856-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-414-0x00000000040B0000-0x00000000040F2000-memory.dmp

Filesize
264KB

Download
memory/2924-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-578-0x0000000003FC0000-0x0000000004002000-memory.dmp

Filesize
264KB

Download
memory/2960-579-0x0000000003FC0000-0x0000000004002000-memory.dmp

Filesize
264KB

Download
memory/3016-650-0x00000000040F0000-0x0000000004132000-memory.dmp

Filesize
264KB

Download
memory/3016-649-0x00000000040F0000-0x0000000004132000-memory.dmp

Filesize
264KB

Download
memory/3016-651-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads