Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19/09/2022, 06:44
General
-
Target
eb0e6fb2638a3427cf07b123ae76a4c7fe71032d00f8d633649479aba161c296.exe
-
Size
48KB
-
MD5
97cac431f449341ebc8bce93d7a89228
-
SHA1
9dfd5550aa4b0f0c699372fc06334982a6b4fb08
-
SHA256
eb0e6fb2638a3427cf07b123ae76a4c7fe71032d00f8d633649479aba161c296
-
SHA512
50d609c43cb4aacd99db91cb98aed0a6072aa6c42a1393eabd8fb685bdd8487373720b59c5de41e599bdd1d6fe8f019e9ead8a8b49648adac2564421cc37c06c
-
SSDEEP
768:FEkxgX+7e1sKmiPcbWK2cvlvK+XFcr/rPF6IFRoPuuk5MR/7tfk1Fu7:KtWQsKpK2SvK+1ozd9nG/eu7
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
Drops startup file 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb0e6fb2638a3427cf07b123ae76a4c7fe71032d00f8d633649479aba161c296.exe"C:\Users\Admin\AppData\Local\Temp\eb0e6fb2638a3427cf07b123ae76a4c7fe71032d00f8d633649479aba161c296.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram6⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram8⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram9⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram11⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram12⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram13⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram14⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram15⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram16⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram20⤵
- Executes dropped EXE
- Drops startup file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram21⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram22⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram25⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram26⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram27⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram28⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram29⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram31⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram32⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram33⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram34⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram35⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram36⤵
- Executes dropped EXE
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram37⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram38⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram39⤵
- Executes dropped EXE
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram40⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram41⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram42⤵
- Executes dropped EXE
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram43⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram44⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram45⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram46⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram47⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram48⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram49⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram50⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram51⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram52⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram53⤵
- Executes dropped EXE
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram54⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram55⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram57⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram59⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram60⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram61⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram62⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram63⤵
- Executes dropped EXE
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram64⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram65⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram66⤵
- Drops startup file
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram67⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram68⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram69⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram70⤵
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram71⤵
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram72⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram73⤵
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram74⤵
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram75⤵
- Drops startup file
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram76⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram77⤵
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram78⤵
- Drops startup file
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram79⤵
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram80⤵
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram81⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram82⤵
- Drops startup file
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram83⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram84⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram85⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram86⤵
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram87⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram88⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram89⤵
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram90⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram91⤵
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram92⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram93⤵
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram94⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram95⤵
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram96⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram97⤵
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram98⤵
- Drops startup file
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram99⤵
- Adds Run key to start application
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram100⤵
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram101⤵
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram102⤵
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram103⤵
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram104⤵
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram105⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram106⤵
- Drops startup file
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram107⤵
- Drops startup file
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram108⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram109⤵
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram110⤵
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram111⤵
- Drops startup file
- Adds Run key to start application
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram112⤵
- Drops startup file
- Drops file in System32 directory
- Modifies registry class
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram113⤵
- Adds Run key to start application
- Drops file in System32 directory
-
\??\c:\windows\SysWOW64\rwwnw64d.exec:\windows\system32\rwwnw64d.exe DWram114⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
987B
MD545279d2c42a6275e2ff545e787d78e3e
SHA183ab5e4ae965669a139bb2d01f7e905f163f80d6
SHA25624ba2032fee5820ea62bcd49d9e0f1ff9d61cc0874955a0c7f9ff4f6670ca3d8
SHA512fc9605d8b68e8636c8bca81e06c4550f0a2539eb42f739ebf2637a107c8cfa8896feec67c8018360a2784113be54bea5e091bd2deb8dedab11caf58c995cc892
-
Filesize
987B
MD552472a3884531d71fe7251d9e5b1baad
SHA10428aa2d2bb5609f904f42bbfa9d8b08cef3a04e
SHA256ef7d4cffdb8e951197070016785b513ca7f281352ff49d0cc28bf6198d2042f1
SHA51226b09bee886896a312db40eb7bb100e0e411541988c202379bbce9a71cc9c0b5cad2f6c86d3074c025985b63804f71b3c974ddf5f556da992ea62ddd553e15e4
-
Filesize
32B
MD53f9ab8d5e70b69ed8f844dfcfe3eb0d9
SHA1c90abfcb42452487ae37820d4ce9e48a5c79fb9d
SHA256f022e386f456dba47da9885457d2f5a1927d6922b27ef09012d8144b98f1dacd
SHA5123ab6bb4c6496ceb077f59c7c47b95b643f144585fd56831a7e098765d0ec8c767489a7b8f13adcbfc6c9efc35d46a8331a93e61b53b56d1c4bb3acdd956b73e5
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799
-
Filesize
48KB
MD5836b64bcab25d6dc6d097ccd3b569bd2
SHA191796cbf66d75a235bbb5e83e067ea9d76cfccbb
SHA256ca388c2638abceb908b26a043026939f1198dfdeafe0de392e8b99e66410a173
SHA5125a899c2f6913899a800076758a8ac6ee5bdb145a48b5c00c483cc45bd5216988277895c692b8dafe956ab591cb12f87f58a9182c36751b1a120436f5fd5cd799