862720660bdab28c9473c00a3c064f6ad0b4124dc8d02064422cf970281f13e2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa98a44f4c4edbf0631c8d90e9287e8.exe
Size

56KB
MD5

4fa98a44f4c4edbf0631c8d90e9287e8
SHA1

cfa0833c274e01b097c4a4a0e644daa96d761164
SHA256

862720660bdab28c9473c00a3c064f6ad0b4124dc8d02064422cf970281f13e2
SHA512

a4bf469a330d3486f0d808c7ddd9af6ea2c23c585b8a3030d58b03f1ee481c5cb6863bd32db7fb72cfe03db1af797d3e0b3a4239d37efa209bd4df7d65cc51fc
SSDEEP

768:uEaz5G7MaEtbwQpeyjaSLyfOPT4xcsrRA9Xu/IC4X3i2AH350azknSRXJuRWQlhL:v4GYUWeypTUuuQj635cSRU3iN/ntN6

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	4fa98a44f4c4edbf0631c8d90e9287e8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe

Executes dropped EXE 64 IoCs

pid	Process
2436	dwdsrngt.exe
2680	dwdsrngt.exe
2844	dwdsrngt.exe
2744	dwdsrngt.exe
2616	dwdsrngt.exe
2624	dwdsrngt.exe
516	dwdsrngt.exe
2816	dwdsrngt.exe
2940	dwdsrngt.exe
1892	dwdsrngt.exe
1876	dwdsrngt.exe
1900	dwdsrngt.exe
2520	dwdsrngt.exe
1732	dwdsrngt.exe
1664	dwdsrngt.exe
1592	dwdsrngt.exe
1604	dwdsrngt.exe
816	dwdsrngt.exe
2468	dwdsrngt.exe
2264	dwdsrngt.exe
1144	dwdsrngt.exe
1152	dwdsrngt.exe
1756	dwdsrngt.exe
1068	dwdsrngt.exe
1636	dwdsrngt.exe
1116	dwdsrngt.exe
1824	dwdsrngt.exe
2176	dwdsrngt.exe
2012	dwdsrngt.exe
1196	dwdsrngt.exe
1736	dwdsrngt.exe
2024	dwdsrngt.exe
1668	dwdsrngt.exe
2288	dwdsrngt.exe
2780	dwdsrngt.exe
2768	dwdsrngt.exe
2436	dwdsrngt.exe
2700	dwdsrngt.exe
2656	dwdsrngt.exe
2792	dwdsrngt.exe
2652	dwdsrngt.exe
2744	dwdsrngt.exe
1256	dwdsrngt.exe
2036	dwdsrngt.exe
624	dwdsrngt.exe
2664	dwdsrngt.exe
2840	dwdsrngt.exe
2920	dwdsrngt.exe
2940	dwdsrngt.exe
1920	dwdsrngt.exe
792	dwdsrngt.exe
2232	dwdsrngt.exe
548	dwdsrngt.exe
2520	dwdsrngt.exe
932	dwdsrngt.exe
856	dwdsrngt.exe
1412	dwdsrngt.exe
2400	dwdsrngt.exe
2532	dwdsrngt.exe
3000	dwdsrngt.exe
2140	dwdsrngt.exe
2412	dwdsrngt.exe
1036	dwdsrngt.exe
1048	dwdsrngt.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe
2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe
2436	dwdsrngt.exe
2436	dwdsrngt.exe
2680	dwdsrngt.exe
2680	dwdsrngt.exe
2844	dwdsrngt.exe
2844	dwdsrngt.exe
2744	dwdsrngt.exe
2744	dwdsrngt.exe
2616	dwdsrngt.exe
2616	dwdsrngt.exe
2624	dwdsrngt.exe
2624	dwdsrngt.exe
516	dwdsrngt.exe
516	dwdsrngt.exe
2816	dwdsrngt.exe
2816	dwdsrngt.exe
2940	dwdsrngt.exe
2940	dwdsrngt.exe
1892	dwdsrngt.exe
1892	dwdsrngt.exe
1876	dwdsrngt.exe
1876	dwdsrngt.exe
1900	dwdsrngt.exe
1900	dwdsrngt.exe
2520	dwdsrngt.exe
2520	dwdsrngt.exe
1732	dwdsrngt.exe
1732	dwdsrngt.exe
1664	dwdsrngt.exe
1664	dwdsrngt.exe
1592	dwdsrngt.exe
1592	dwdsrngt.exe
1604	dwdsrngt.exe
1604	dwdsrngt.exe
816	dwdsrngt.exe
816	dwdsrngt.exe
2468	dwdsrngt.exe
2468	dwdsrngt.exe
2264	dwdsrngt.exe
2264	dwdsrngt.exe
1144	dwdsrngt.exe
1144	dwdsrngt.exe
1152	dwdsrngt.exe
1152	dwdsrngt.exe
1756	dwdsrngt.exe
1756	dwdsrngt.exe
1068	dwdsrngt.exe
1068	dwdsrngt.exe
1636	dwdsrngt.exe
1636	dwdsrngt.exe
1116	dwdsrngt.exe
1116	dwdsrngt.exe
1824	dwdsrngt.exe
1824	dwdsrngt.exe
2176	dwdsrngt.exe
2176	dwdsrngt.exe
2012	dwdsrngt.exe
2012	dwdsrngt.exe
1196	dwdsrngt.exe
1196	dwdsrngt.exe
1736	dwdsrngt.exe
1736	dwdsrngt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2E-E8-8A-AC-ZN} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fa98a44f4c4edbf0631c8d90e9287e8.exe CHD001"	4fa98a44f4c4edbf0631c8d90e9287e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2E-E8-8A-AC-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{E4-43-32-2A-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	4fa98a44f4c4edbf0631c8d90e9287e8.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	\??\c:\windows\SysWOW64\dwdsrngt.exe	4fa98a44f4c4edbf0631c8d90e9287e8.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_10_01_24.log	dwdsrngt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	4fa98a44f4c4edbf0631c8d90e9287e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe
2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe
2436	dwdsrngt.exe
2436	dwdsrngt.exe
2680	dwdsrngt.exe
2680	dwdsrngt.exe
2844	dwdsrngt.exe
2844	dwdsrngt.exe
2744	dwdsrngt.exe
2744	dwdsrngt.exe
2616	dwdsrngt.exe
2616	dwdsrngt.exe
2624	dwdsrngt.exe
2624	dwdsrngt.exe
516	dwdsrngt.exe
516	dwdsrngt.exe
2816	dwdsrngt.exe
2816	dwdsrngt.exe
2940	dwdsrngt.exe
2940	dwdsrngt.exe
1892	dwdsrngt.exe
1892	dwdsrngt.exe
1876	dwdsrngt.exe
1876	dwdsrngt.exe
1900	dwdsrngt.exe
1900	dwdsrngt.exe
2520	dwdsrngt.exe
2520	dwdsrngt.exe
1732	dwdsrngt.exe
1732	dwdsrngt.exe
1664	dwdsrngt.exe
1664	dwdsrngt.exe
1592	dwdsrngt.exe
1592	dwdsrngt.exe
1604	dwdsrngt.exe
1604	dwdsrngt.exe
816	dwdsrngt.exe
816	dwdsrngt.exe
2468	dwdsrngt.exe
2468	dwdsrngt.exe
2264	dwdsrngt.exe
2264	dwdsrngt.exe
1144	dwdsrngt.exe
1144	dwdsrngt.exe
1152	dwdsrngt.exe
1152	dwdsrngt.exe
1756	dwdsrngt.exe
1756	dwdsrngt.exe
1068	dwdsrngt.exe
1068	dwdsrngt.exe
1636	dwdsrngt.exe
1636	dwdsrngt.exe
1116	dwdsrngt.exe
1116	dwdsrngt.exe
1824	dwdsrngt.exe
1824	dwdsrngt.exe
2176	dwdsrngt.exe
2176	dwdsrngt.exe
2012	dwdsrngt.exe
2012	dwdsrngt.exe
1196	dwdsrngt.exe
1196	dwdsrngt.exe
1736	dwdsrngt.exe
1736	dwdsrngt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2436	2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe	28
PID 2300 wrote to memory of 2436	2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe	28
PID 2300 wrote to memory of 2436	2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe	28
PID 2300 wrote to memory of 2436	2300	4fa98a44f4c4edbf0631c8d90e9287e8.exe	28
PID 2436 wrote to memory of 2680	2436	dwdsrngt.exe	29
PID 2436 wrote to memory of 2680	2436	dwdsrngt.exe	29
PID 2436 wrote to memory of 2680	2436	dwdsrngt.exe	29
PID 2436 wrote to memory of 2680	2436	dwdsrngt.exe	29
PID 2680 wrote to memory of 2844	2680	dwdsrngt.exe	30
PID 2680 wrote to memory of 2844	2680	dwdsrngt.exe	30
PID 2680 wrote to memory of 2844	2680	dwdsrngt.exe	30
PID 2680 wrote to memory of 2844	2680	dwdsrngt.exe	30
PID 2844 wrote to memory of 2744	2844	dwdsrngt.exe	31
PID 2844 wrote to memory of 2744	2844	dwdsrngt.exe	31
PID 2844 wrote to memory of 2744	2844	dwdsrngt.exe	31
PID 2844 wrote to memory of 2744	2844	dwdsrngt.exe	31
PID 2744 wrote to memory of 2616	2744	dwdsrngt.exe	32
PID 2744 wrote to memory of 2616	2744	dwdsrngt.exe	32
PID 2744 wrote to memory of 2616	2744	dwdsrngt.exe	32
PID 2744 wrote to memory of 2616	2744	dwdsrngt.exe	32
PID 2616 wrote to memory of 2624	2616	dwdsrngt.exe	33
PID 2616 wrote to memory of 2624	2616	dwdsrngt.exe	33
PID 2616 wrote to memory of 2624	2616	dwdsrngt.exe	33
PID 2616 wrote to memory of 2624	2616	dwdsrngt.exe	33
PID 2624 wrote to memory of 516	2624	dwdsrngt.exe	34
PID 2624 wrote to memory of 516	2624	dwdsrngt.exe	34
PID 2624 wrote to memory of 516	2624	dwdsrngt.exe	34
PID 2624 wrote to memory of 516	2624	dwdsrngt.exe	34
PID 516 wrote to memory of 2816	516	dwdsrngt.exe	35
PID 516 wrote to memory of 2816	516	dwdsrngt.exe	35
PID 516 wrote to memory of 2816	516	dwdsrngt.exe	35
PID 516 wrote to memory of 2816	516	dwdsrngt.exe	35
PID 2816 wrote to memory of 2940	2816	dwdsrngt.exe	36
PID 2816 wrote to memory of 2940	2816	dwdsrngt.exe	36
PID 2816 wrote to memory of 2940	2816	dwdsrngt.exe	36
PID 2816 wrote to memory of 2940	2816	dwdsrngt.exe	36
PID 2940 wrote to memory of 1892	2940	dwdsrngt.exe	37
PID 2940 wrote to memory of 1892	2940	dwdsrngt.exe	37
PID 2940 wrote to memory of 1892	2940	dwdsrngt.exe	37
PID 2940 wrote to memory of 1892	2940	dwdsrngt.exe	37
PID 1892 wrote to memory of 1876	1892	dwdsrngt.exe	38
PID 1892 wrote to memory of 1876	1892	dwdsrngt.exe	38
PID 1892 wrote to memory of 1876	1892	dwdsrngt.exe	38
PID 1892 wrote to memory of 1876	1892	dwdsrngt.exe	38
PID 1876 wrote to memory of 1900	1876	dwdsrngt.exe	39
PID 1876 wrote to memory of 1900	1876	dwdsrngt.exe	39
PID 1876 wrote to memory of 1900	1876	dwdsrngt.exe	39
PID 1876 wrote to memory of 1900	1876	dwdsrngt.exe	39
PID 1900 wrote to memory of 2520	1900	dwdsrngt.exe	40
PID 1900 wrote to memory of 2520	1900	dwdsrngt.exe	40
PID 1900 wrote to memory of 2520	1900	dwdsrngt.exe	40
PID 1900 wrote to memory of 2520	1900	dwdsrngt.exe	40
PID 2520 wrote to memory of 1732	2520	dwdsrngt.exe	41
PID 2520 wrote to memory of 1732	2520	dwdsrngt.exe	41
PID 2520 wrote to memory of 1732	2520	dwdsrngt.exe	41
PID 2520 wrote to memory of 1732	2520	dwdsrngt.exe	41
PID 1732 wrote to memory of 1664	1732	dwdsrngt.exe	42
PID 1732 wrote to memory of 1664	1732	dwdsrngt.exe	42
PID 1732 wrote to memory of 1664	1732	dwdsrngt.exe	42
PID 1732 wrote to memory of 1664	1732	dwdsrngt.exe	42
PID 1664 wrote to memory of 1592	1664	dwdsrngt.exe	43
PID 1664 wrote to memory of 1592	1664	dwdsrngt.exe	43
PID 1664 wrote to memory of 1592	1664	dwdsrngt.exe	43
PID 1664 wrote to memory of 1592	1664	dwdsrngt.exe	43

C:\Users\Admin\AppData\Local\Temp\4fa98a44f4c4edbf0631c8d90e9287e8.exe
"C:\Users\Admin\AppData\Local\Temp\4fa98a44f4c4edbf0631c8d90e9287e8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- \??\c:\windows\SysWOW64\dwdsrngt.exe
  c:\windows\system32\dwdsrngt.exe CHD001
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - \??\c:\windows\SysWOW64\dwdsrngt.exe
    c:\windows\system32\dwdsrngt.exe CHD001
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - \??\c:\windows\SysWOW64\dwdsrngt.exe
      c:\windows\system32\dwdsrngt.exe CHD001
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2844
    - - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        9⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        13⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        17⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        19⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        21⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        32⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        33⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        34⤵
        Executes dropped EXE
        
        PID:1668
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        35⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        36⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2780
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        38⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        40⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        42⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        49⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        51⤵
        Executes dropped EXE
        
        PID:1920
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:792
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        53⤵
        Executes dropped EXE
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        55⤵
        Executes dropped EXE
        
        PID:2520
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        56⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        59⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        61⤵
        Executes dropped EXE
        
        PID:3000
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        64⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        65⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        66⤵
        Drops file in System32 directory
        
        PID:1260
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        67⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        68⤵
        Drops startup file
        
        PID:1192
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        69⤵
        Drops file in System32 directory
        
        PID:2200
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        70⤵
        Drops startup file
        
        PID:2196
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        71⤵
        Modifies registry class
        
        PID:572
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        72⤵
        Drops file in System32 directory
        
        PID:2488
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        73⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        74⤵
        Drops startup file
        
        PID:1560
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        75⤵
        Modifies registry class
        
        PID:1216
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        76⤵
        
        PID:2252
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        77⤵
        
        PID:2732
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        78⤵
        Drops startup file
        Modifies registry class
        
        PID:2708
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        79⤵
        Drops file in System32 directory
        
        PID:2828
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        80⤵
        Drops startup file
        
        PID:828
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        81⤵
        Drops startup file
        
        PID:1960
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        82⤵
        Drops file in System32 directory
        
        PID:2080
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        83⤵
        Drops file in System32 directory
        
        PID:2812
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        84⤵
        Drops startup file
        Modifies registry class
        
        PID:1076
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        85⤵
        Drops startup file
        
        PID:2744
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        86⤵
        Drops startup file
        
        PID:1256
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        87⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        89⤵
        Drops startup file
        
        PID:1120
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        90⤵
        Drops startup file
        
        PID:2948
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        92⤵
        Drops startup file
        Modifies registry class
        
        PID:364
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        93⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        94⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1708
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        95⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        96⤵
        Drops startup file
        Modifies registry class
        
        PID:1720
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        97⤵
        Modifies registry class
        
        PID:2520
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        98⤵
        Drops startup file
        Modifies registry class
        
        PID:1664
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        99⤵
        Drops file in System32 directory
        
        PID:1648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        100⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        101⤵
        
        PID:2428
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        102⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2116
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        103⤵
        Modifies registry class
        
        PID:2144
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        104⤵
        Drops startup file
        Modifies registry class
        
        PID:2124
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        105⤵
        Modifies registry class
        
        PID:1072
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        106⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        108⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:536
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        109⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:984
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        110⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2760
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        112⤵
        Drops startup file
        Modifies registry class
        
        PID:284
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        113⤵
        Modifies registry class
        
        PID:2204
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        114⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        115⤵
        Drops startup file
        Modifies registry class
        
        PID:2104
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        116⤵
        Adds Run key to start application
        
        PID:2256
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        117⤵
        Drops startup file
        Modifies registry class
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        118⤵
        Drops file in System32 directory
        
        PID:1896
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        119⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        121⤵
        Drops startup file
        
        PID:2836
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        122⤵
        
        PID:2600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        123⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        124⤵
        Drops startup file
        
        PID:2620
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        125⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        126⤵
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
920B

MD5
3d59cbebedbd4c1c40fd4121e2149f79

SHA1
6e0156a2387222f55e901642b821de37ea9983a9

SHA256
1cedbdea06328fd63acb1f10bdf1b3a6431e3a37529ea376874d19553453dc87

SHA512
bbe62cdc63760d281f72e96fa7a5fcc6449278931b0d7bb2f57b93467882b1c842bdcc5fc8646b795583a48dbcb8aa7d40f01f3b808c87ade278e4504840480b

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
17B

MD5
b9b738b5d5b92889336547a6c22d3991

SHA1
55e7ec0184ac63a182d8973d68a7294d493b75e4

SHA256
c327e7bb193088f8afc07ff624422abc3cf7f06bed33b62ba08b443bf306d69f

SHA512
5a2879f1aeb783e1b1895cc7a7fc3f752c6a6173581f71062c0c145bf78e560de848294111a1f1ae79e92e96e604ec455af0e69d073a74e9827dcd0fd5489af7

Download Submit
\Windows\SysWOW64\dwdsrngt.exe

Filesize
56KB

MD5
2b109faee5539d376104195b756a0fbb

SHA1
b1b2e7f3fb9f2339021a225b499ca13841919640

SHA256
c6a0c8db8ab951a97b674acfb11f99855cc270cf6dbce1b57c8da3a6ad51ed89

SHA512
0897fd599ef53a33b5eb2f32aac74bfb7eba62b22c06410208486768c6227fee12101c765fd7d7cf7d183a13bb935852d7c9e03fd053cbd378acf86752067acc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads