76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
Size

48KB
MD5

0d2a26f9563bd66e9fd4f7530dcecb3d
SHA1

40f3702cdbb2b8487b31b024bba05d1df35f7d0f
SHA256

76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238
SHA512

de613908ca5206fcb3b7c6a40a4296aed7191c143f10ff7abecdb6c4d3491c12daf2c30464903cf9bd342f45ddc690a86024b568408126e9a66ddf9288df0b0e
SSDEEP

768:wTdZuu1Ao2J29ng+nqVshjKrVFRoPKDk53Rx7tfk1Fu/:ESgAo2Q9g4oshjqLbMxeu/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4564	rwwnw64d.exe
1852	rwwnw64d.exe
4196	rwwnw64d.exe
3212	rwwnw64d.exe
4776	rwwnw64d.exe
3280	rwwnw64d.exe
5060	rwwnw64d.exe
4448	rwwnw64d.exe
3452	rwwnw64d.exe
1316	rwwnw64d.exe
1484	rwwnw64d.exe
1836	rwwnw64d.exe
4392	rwwnw64d.exe
4644	rwwnw64d.exe
2316	rwwnw64d.exe
3916	rwwnw64d.exe
3856	rwwnw64d.exe
2036	rwwnw64d.exe
1864	rwwnw64d.exe
3312	rwwnw64d.exe
2456	rwwnw64d.exe
3580	rwwnw64d.exe
2284	rwwnw64d.exe
2356	rwwnw64d.exe
1776	rwwnw64d.exe
4992	rwwnw64d.exe
1088	rwwnw64d.exe
2436	rwwnw64d.exe
3992	rwwnw64d.exe
1952	rwwnw64d.exe
2104	rwwnw64d.exe
4556	rwwnw64d.exe
1856	rwwnw64d.exe
268	rwwnw64d.exe
4416	rwwnw64d.exe
1756	rwwnw64d.exe
748	rwwnw64d.exe
3212	rwwnw64d.exe
2816	rwwnw64d.exe
3120	rwwnw64d.exe
3616	rwwnw64d.exe
3548	rwwnw64d.exe
3464	rwwnw64d.exe
5104	rwwnw64d.exe
2752	rwwnw64d.exe
4092	rwwnw64d.exe
2992	rwwnw64d.exe
3604	rwwnw64d.exe
3116	rwwnw64d.exe
4392	rwwnw64d.exe
940	rwwnw64d.exe
64	rwwnw64d.exe
1968	rwwnw64d.exe
1868	rwwnw64d.exe
3960	rwwnw64d.exe
4592	rwwnw64d.exe
2312	rwwnw64d.exe
3488	rwwnw64d.exe
4064	rwwnw64d.exe
1208	rwwnw64d.exe
5012	rwwnw64d.exe
4872	rwwnw64d.exe
3700	rwwnw64d.exe
3720	rwwnw64d.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk	rwwnw64d.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{F5-50-04-47-DW} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe DWrvg"	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rwwnw64d.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File created	C:\Windows\SysWOW64\msnav32.ax	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_19_09_22.log	rwwnw64d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	rwwnw64d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2020	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
2020	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
4564	rwwnw64d.exe
4564	rwwnw64d.exe
1852	rwwnw64d.exe
1852	rwwnw64d.exe
4196	rwwnw64d.exe
4196	rwwnw64d.exe
3212	rwwnw64d.exe
3212	rwwnw64d.exe
4776	rwwnw64d.exe
4776	rwwnw64d.exe
3280	rwwnw64d.exe
3280	rwwnw64d.exe
5060	rwwnw64d.exe
5060	rwwnw64d.exe
4448	rwwnw64d.exe
4448	rwwnw64d.exe
3452	rwwnw64d.exe
3452	rwwnw64d.exe
1316	rwwnw64d.exe
1316	rwwnw64d.exe
1484	rwwnw64d.exe
1484	rwwnw64d.exe
1836	rwwnw64d.exe
1836	rwwnw64d.exe
4392	rwwnw64d.exe
4392	rwwnw64d.exe
4644	rwwnw64d.exe
4644	rwwnw64d.exe
2316	rwwnw64d.exe
2316	rwwnw64d.exe
3916	rwwnw64d.exe
3916	rwwnw64d.exe
3856	rwwnw64d.exe
3856	rwwnw64d.exe
2036	rwwnw64d.exe
2036	rwwnw64d.exe
1864	rwwnw64d.exe
1864	rwwnw64d.exe
3312	rwwnw64d.exe
3312	rwwnw64d.exe
2456	rwwnw64d.exe
2456	rwwnw64d.exe
3580	rwwnw64d.exe
3580	rwwnw64d.exe
2284	rwwnw64d.exe
2284	rwwnw64d.exe
2356	rwwnw64d.exe
2356	rwwnw64d.exe
1776	rwwnw64d.exe
1776	rwwnw64d.exe
4992	rwwnw64d.exe
4992	rwwnw64d.exe
1088	rwwnw64d.exe
1088	rwwnw64d.exe
2436	rwwnw64d.exe
2436	rwwnw64d.exe
3992	rwwnw64d.exe
3992	rwwnw64d.exe
1952	rwwnw64d.exe
1952	rwwnw64d.exe
2104	rwwnw64d.exe
2104	rwwnw64d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4564	2020	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe	84
PID 2020 wrote to memory of 4564	2020	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe	84
PID 2020 wrote to memory of 4564	2020	76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe	84
PID 4564 wrote to memory of 1852	4564	rwwnw64d.exe	85
PID 4564 wrote to memory of 1852	4564	rwwnw64d.exe	85
PID 4564 wrote to memory of 1852	4564	rwwnw64d.exe	85
PID 1852 wrote to memory of 4196	1852	rwwnw64d.exe	88
PID 1852 wrote to memory of 4196	1852	rwwnw64d.exe	88
PID 1852 wrote to memory of 4196	1852	rwwnw64d.exe	88
PID 4196 wrote to memory of 3212	4196	rwwnw64d.exe	90
PID 4196 wrote to memory of 3212	4196	rwwnw64d.exe	90
PID 4196 wrote to memory of 3212	4196	rwwnw64d.exe	90
PID 3212 wrote to memory of 4776	3212	rwwnw64d.exe	91
PID 3212 wrote to memory of 4776	3212	rwwnw64d.exe	91
PID 3212 wrote to memory of 4776	3212	rwwnw64d.exe	91
PID 4776 wrote to memory of 3280	4776	rwwnw64d.exe	93
PID 4776 wrote to memory of 3280	4776	rwwnw64d.exe	93
PID 4776 wrote to memory of 3280	4776	rwwnw64d.exe	93
PID 3280 wrote to memory of 5060	3280	rwwnw64d.exe	94
PID 3280 wrote to memory of 5060	3280	rwwnw64d.exe	94
PID 3280 wrote to memory of 5060	3280	rwwnw64d.exe	94
PID 5060 wrote to memory of 4448	5060	rwwnw64d.exe	95
PID 5060 wrote to memory of 4448	5060	rwwnw64d.exe	95
PID 5060 wrote to memory of 4448	5060	rwwnw64d.exe	95
PID 4448 wrote to memory of 3452	4448	rwwnw64d.exe	98
PID 4448 wrote to memory of 3452	4448	rwwnw64d.exe	98
PID 4448 wrote to memory of 3452	4448	rwwnw64d.exe	98
PID 3452 wrote to memory of 1316	3452	rwwnw64d.exe	99
PID 3452 wrote to memory of 1316	3452	rwwnw64d.exe	99
PID 3452 wrote to memory of 1316	3452	rwwnw64d.exe	99
PID 1316 wrote to memory of 1484	1316	rwwnw64d.exe	100
PID 1316 wrote to memory of 1484	1316	rwwnw64d.exe	100
PID 1316 wrote to memory of 1484	1316	rwwnw64d.exe	100
PID 1484 wrote to memory of 1836	1484	rwwnw64d.exe	101
PID 1484 wrote to memory of 1836	1484	rwwnw64d.exe	101
PID 1484 wrote to memory of 1836	1484	rwwnw64d.exe	101
PID 1836 wrote to memory of 4392	1836	rwwnw64d.exe	102
PID 1836 wrote to memory of 4392	1836	rwwnw64d.exe	102
PID 1836 wrote to memory of 4392	1836	rwwnw64d.exe	102
PID 4392 wrote to memory of 4644	4392	rwwnw64d.exe	103
PID 4392 wrote to memory of 4644	4392	rwwnw64d.exe	103
PID 4392 wrote to memory of 4644	4392	rwwnw64d.exe	103
PID 4644 wrote to memory of 2316	4644	rwwnw64d.exe	104
PID 4644 wrote to memory of 2316	4644	rwwnw64d.exe	104
PID 4644 wrote to memory of 2316	4644	rwwnw64d.exe	104
PID 2316 wrote to memory of 3916	2316	rwwnw64d.exe	105
PID 2316 wrote to memory of 3916	2316	rwwnw64d.exe	105
PID 2316 wrote to memory of 3916	2316	rwwnw64d.exe	105
PID 3916 wrote to memory of 3856	3916	rwwnw64d.exe	106
PID 3916 wrote to memory of 3856	3916	rwwnw64d.exe	106
PID 3916 wrote to memory of 3856	3916	rwwnw64d.exe	106
PID 3856 wrote to memory of 2036	3856	rwwnw64d.exe	107
PID 3856 wrote to memory of 2036	3856	rwwnw64d.exe	107
PID 3856 wrote to memory of 2036	3856	rwwnw64d.exe	107
PID 2036 wrote to memory of 1864	2036	rwwnw64d.exe	108
PID 2036 wrote to memory of 1864	2036	rwwnw64d.exe	108
PID 2036 wrote to memory of 1864	2036	rwwnw64d.exe	108
PID 1864 wrote to memory of 3312	1864	rwwnw64d.exe	109
PID 1864 wrote to memory of 3312	1864	rwwnw64d.exe	109
PID 1864 wrote to memory of 3312	1864	rwwnw64d.exe	109
PID 3312 wrote to memory of 2456	3312	rwwnw64d.exe	110
PID 3312 wrote to memory of 2456	3312	rwwnw64d.exe	110
PID 3312 wrote to memory of 2456	3312	rwwnw64d.exe	110
PID 2456 wrote to memory of 3580	2456	rwwnw64d.exe	112

C:\Users\Admin\AppData\Local\Temp\76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe
"C:\Users\Admin\AppData\Local\Temp\76fb93f1bd8f807b022add46396c11d05c9f8c559b9186998a9b0732b7554238.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- \??\c:\windows\SysWOW64\rwwnw64d.exe
  c:\windows\system32\rwwnw64d.exe DWrvg
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4564
- - \??\c:\windows\SysWOW64\rwwnw64d.exe
    c:\windows\system32\rwwnw64d.exe DWrvg
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - \??\c:\windows\SysWOW64\rwwnw64d.exe
      c:\windows\system32\rwwnw64d.exe DWrvg
      4⤵
      Executes dropped EXE
      Drops startup file
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4196
    - - \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        6⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        12⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        14⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        15⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        16⤵
        Executes dropped EXE
        Drops startup file
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        17⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        18⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        21⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        23⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        24⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        26⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        29⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        30⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        31⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        34⤵
        Executes dropped EXE
        Drops startup file
        
        PID:1856
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        35⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        
        PID:268
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        36⤵
        Executes dropped EXE
        Drops startup file
        Modifies registry class
        
        PID:4416
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        37⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:1756
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:748
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        39⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        
        PID:3212
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        41⤵
        Executes dropped EXE
        
        PID:3120
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5104
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        47⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        
        PID:4092
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        48⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3604
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        50⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3116
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        51⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        
        PID:4392
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:940
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        55⤵
        Executes dropped EXE
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        57⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:4592
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        58⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2312
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        59⤵
        Executes dropped EXE
        Drops startup file
        
        PID:3488
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        60⤵
        Executes dropped EXE
        Drops startup file
        Modifies registry class
        
        PID:4064
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        62⤵
        Executes dropped EXE
        Drops startup file
        Modifies registry class
        
        PID:5012
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        63⤵
        Executes dropped EXE
        Drops startup file
        
        PID:4872
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        64⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        
        PID:3700
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        66⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3440
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        68⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2880
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        69⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1268
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2732
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        71⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1264
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        72⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        73⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1616
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        75⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        76⤵
        Adds Run key to start application
        
        PID:3320
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        77⤵
        Drops startup file
        Adds Run key to start application
        
        PID:3384
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        78⤵
        Modifies registry class
        
        PID:2404
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        79⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        80⤵
        Drops startup file
        Modifies registry class
        
        PID:4924
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        81⤵
        Modifies registry class
        
        PID:2820
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        82⤵
        Drops startup file
        Adds Run key to start application
        
        PID:4400
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        83⤵
        Drops file in System32 directory
        
        PID:1076
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        84⤵
        Modifies registry class
        
        PID:688
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        85⤵
        
        PID:4788
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        86⤵
        Modifies registry class
        
        PID:4524
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        87⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4356
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        88⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        89⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        90⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        91⤵
        Drops startup file
        Modifies registry class
        
        PID:4968
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        92⤵
        
        PID:1152
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        93⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        94⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:2600
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        95⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        96⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3092
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        97⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        98⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:884
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        99⤵
        Drops startup file
        Modifies registry class
        
        PID:3116
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        100⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2332
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        101⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3124
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        102⤵
        
        PID:1236
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        103⤵
        Adds Run key to start application
        
        PID:3524
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        104⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4712
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        105⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:2748
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        106⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4408
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        107⤵
        
        PID:964
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        108⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        109⤵
        Drops startup file
        
        PID:4376
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        110⤵
        Adds Run key to start application
        
        PID:564
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        111⤵
        
        PID:2336
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        112⤵
        Drops startup file
        Adds Run key to start application
        
        PID:4860
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        113⤵
        Adds Run key to start application
        
        PID:452
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        114⤵
        
        PID:1192
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        115⤵
        
        PID:3904
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        116⤵
        
        PID:4008
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        117⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4816
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        118⤵
        Drops startup file
        
        PID:3916
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        119⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1504
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        120⤵
        Adds Run key to start application
        
        PID:4580
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        121⤵
        Modifies registry class
        
        PID:4288
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        124⤵
        Drops startup file
        Adds Run key to start application
        Modifies registry class
        
        PID:3724
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        125⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1828
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        126⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:624
        
        \??\c:\windows\SysWOW64\rwwnw64d.exe
        
        c:\windows\system32\rwwnw64d.exe DWrvg
        127⤵
        
        PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_Start.lnk

Filesize
983B

MD5
bd62a8fa5e6a3136d6a78ea92e8ca20e

SHA1
116373bef45eed792ce740db166ebab38193f640

SHA256
6292be1763b43818ea1b98ccb5fdd6c8bb426e0446ce962ca1a070473c7e85db

SHA512
1ca5486733d0b6edc5593b7128620d95ca1c461830b8bff6f1e200a717d21913242c8e266a3dfc7d32aba85a4a5390b222a71cb99992aba67dcbcee0913eaae9

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
32B

MD5
e3fded6a6a3f0b050d4c139f20a5df1d

SHA1
142793f762ba6f5fb6d2820df94327410eb026ec

SHA256
ddf8b259cf9cb85ccc04204507025138ce49d47b4150b12a5dfd001ea9851b04

SHA512
b58e73ab6aba50062cf3a64747924bb4487415a98ca46d689fd4a31aa4b71150299821d5c8bbda665cb650a30263e69e1c739d8558264afb6e829d6661983216

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
C:\Windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit
\??\c:\windows\SysWOW64\rwwnw64d.exe

Filesize
48KB

MD5
0d1f862fa60a4d7826edca506716fc2e

SHA1
59b19116710f2c19ff3362b9166f1cafe27bc90b

SHA256
9b20c9b54da07f46f2751fd583bc9f9715e4053578d2e933646ea54ccafc8539

SHA512
45762f2a1b3af6bbc01dc8bb199c08afc5c75e39ea177a4a7755d66b000170e676763bb209fe53e8f7cc9899d95356c43e0c20b6f3a6b3c6c0ab886697793456

Download Submit