22bcd2550f7b006c8526732ffa661007f426cfc1742179fa6b52a409760c293d

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31efc248b334cc3f2b528a0887bb73e0N.exe
Size

57KB
MD5

31efc248b334cc3f2b528a0887bb73e0
SHA1

c729b6119ceac49543fea81de2bb44087b05fff5
SHA256

22bcd2550f7b006c8526732ffa661007f426cfc1742179fa6b52a409760c293d
SHA512

9e711b230a189d3efec0b9bdf485619c189f8d35b007e45c43260b683f2d0ed68ca2edca7c3525c814d190a1d2f9d2a2c549fc41da0b7ae5e91b5a651dc0af22
SSDEEP

768:uEaz5G7MaEtbwQpeyjaSLyfOPT4xcsrRA9Xu/IC4X3i2AH350azknSRXJuRWQlhj:v4GYUWeypTUuuQj635cSRU3iN/ntNK

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe

Executes dropped EXE 64 IoCs

pid	Process
2408	dwdsrngt.exe
2340	dwdsrngt.exe
2844	dwdsrngt.exe
2824	dwdsrngt.exe
2884	dwdsrngt.exe
2768	dwdsrngt.exe
2616	dwdsrngt.exe
2304	dwdsrngt.exe
1448	dwdsrngt.exe
304	dwdsrngt.exe
1044	dwdsrngt.exe
920	dwdsrngt.exe
1636	dwdsrngt.exe
2948	dwdsrngt.exe
2896	dwdsrngt.exe
2224	dwdsrngt.exe
1408	dwdsrngt.exe
1560	dwdsrngt.exe
1760	dwdsrngt.exe
1552	dwdsrngt.exe
2992	dwdsrngt.exe
1060	dwdsrngt.exe
1864	dwdsrngt.exe
2568	dwdsrngt.exe
1748	dwdsrngt.exe
1972	dwdsrngt.exe
568	dwdsrngt.exe
2332	dwdsrngt.exe
2052	dwdsrngt.exe
1352	dwdsrngt.exe
2480	dwdsrngt.exe
2432	dwdsrngt.exe
2016	dwdsrngt.exe
1604	dwdsrngt.exe
2188	dwdsrngt.exe
3032	dwdsrngt.exe
1032	dwdsrngt.exe
1936	dwdsrngt.exe
2244	dwdsrngt.exe
2840	dwdsrngt.exe
2864	dwdsrngt.exe
2804	dwdsrngt.exe
2628	dwdsrngt.exe
2780	dwdsrngt.exe
2600	dwdsrngt.exe
2632	dwdsrngt.exe
2676	dwdsrngt.exe
1988	dwdsrngt.exe
1652	dwdsrngt.exe
1232	dwdsrngt.exe
592	dwdsrngt.exe
2000	dwdsrngt.exe
484	dwdsrngt.exe
892	dwdsrngt.exe
1316	dwdsrngt.exe
2116	dwdsrngt.exe
2908	dwdsrngt.exe
3048	dwdsrngt.exe
1796	dwdsrngt.exe
2920	dwdsrngt.exe
1692	dwdsrngt.exe
1920	dwdsrngt.exe
2784	dwdsrngt.exe
2988	dwdsrngt.exe

Loads dropped DLL 64 IoCs

pid	Process
3024	31efc248b334cc3f2b528a0887bb73e0N.exe
3024	31efc248b334cc3f2b528a0887bb73e0N.exe
2408	dwdsrngt.exe
2408	dwdsrngt.exe
2340	dwdsrngt.exe
2340	dwdsrngt.exe
2844	dwdsrngt.exe
2844	dwdsrngt.exe
2824	dwdsrngt.exe
2824	dwdsrngt.exe
2884	dwdsrngt.exe
2884	dwdsrngt.exe
2768	dwdsrngt.exe
2768	dwdsrngt.exe
2616	dwdsrngt.exe
2616	dwdsrngt.exe
2304	dwdsrngt.exe
2304	dwdsrngt.exe
1448	dwdsrngt.exe
1448	dwdsrngt.exe
304	dwdsrngt.exe
304	dwdsrngt.exe
1044	dwdsrngt.exe
1044	dwdsrngt.exe
920	dwdsrngt.exe
920	dwdsrngt.exe
1636	dwdsrngt.exe
1636	dwdsrngt.exe
2948	dwdsrngt.exe
2948	dwdsrngt.exe
2896	dwdsrngt.exe
2896	dwdsrngt.exe
2224	dwdsrngt.exe
2224	dwdsrngt.exe
1408	dwdsrngt.exe
1408	dwdsrngt.exe
1560	dwdsrngt.exe
1560	dwdsrngt.exe
1760	dwdsrngt.exe
1760	dwdsrngt.exe
1552	dwdsrngt.exe
1552	dwdsrngt.exe
2992	dwdsrngt.exe
2992	dwdsrngt.exe
1060	dwdsrngt.exe
1060	dwdsrngt.exe
1864	dwdsrngt.exe
1864	dwdsrngt.exe
2568	dwdsrngt.exe
2568	dwdsrngt.exe
1748	dwdsrngt.exe
1748	dwdsrngt.exe
1972	dwdsrngt.exe
1972	dwdsrngt.exe
568	dwdsrngt.exe
568	dwdsrngt.exe
2332	dwdsrngt.exe
2332	dwdsrngt.exe
2052	dwdsrngt.exe
2052	dwdsrngt.exe
1352	dwdsrngt.exe
1352	dwdsrngt.exe
2480	dwdsrngt.exe
2480	dwdsrngt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{5C-C9-91-17-ZN} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31efc248b334cc3f2b528a0887bb73e0N.exe CHD001"	31efc248b334cc3f2b528a0887bb73e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{5C-C9-91-17-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	\??\c:\windows\SysWOW64\dwdsrngt.exe	31efc248b334cc3f2b528a0887bb73e0N.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	31efc248b334cc3f2b528a0887bb73e0N.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_14_08_24.log	dwdsrngt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	31efc248b334cc3f2b528a0887bb73e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3024	31efc248b334cc3f2b528a0887bb73e0N.exe
3024	31efc248b334cc3f2b528a0887bb73e0N.exe
2408	dwdsrngt.exe
2408	dwdsrngt.exe
2340	dwdsrngt.exe
2340	dwdsrngt.exe
2844	dwdsrngt.exe
2844	dwdsrngt.exe
2824	dwdsrngt.exe
2824	dwdsrngt.exe
2884	dwdsrngt.exe
2884	dwdsrngt.exe
2768	dwdsrngt.exe
2768	dwdsrngt.exe
2616	dwdsrngt.exe
2616	dwdsrngt.exe
2304	dwdsrngt.exe
2304	dwdsrngt.exe
1448	dwdsrngt.exe
1448	dwdsrngt.exe
304	dwdsrngt.exe
304	dwdsrngt.exe
1044	dwdsrngt.exe
1044	dwdsrngt.exe
920	dwdsrngt.exe
920	dwdsrngt.exe
1636	dwdsrngt.exe
1636	dwdsrngt.exe
2948	dwdsrngt.exe
2948	dwdsrngt.exe
2896	dwdsrngt.exe
2896	dwdsrngt.exe
2224	dwdsrngt.exe
2224	dwdsrngt.exe
1408	dwdsrngt.exe
1408	dwdsrngt.exe
1560	dwdsrngt.exe
1560	dwdsrngt.exe
1760	dwdsrngt.exe
1760	dwdsrngt.exe
1552	dwdsrngt.exe
1552	dwdsrngt.exe
2992	dwdsrngt.exe
2992	dwdsrngt.exe
1060	dwdsrngt.exe
1060	dwdsrngt.exe
1864	dwdsrngt.exe
1864	dwdsrngt.exe
2568	dwdsrngt.exe
2568	dwdsrngt.exe
1748	dwdsrngt.exe
1748	dwdsrngt.exe
1972	dwdsrngt.exe
1972	dwdsrngt.exe
568	dwdsrngt.exe
568	dwdsrngt.exe
2332	dwdsrngt.exe
2332	dwdsrngt.exe
2052	dwdsrngt.exe
2052	dwdsrngt.exe
1352	dwdsrngt.exe
1352	dwdsrngt.exe
2480	dwdsrngt.exe
2480	dwdsrngt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2408	3024	31efc248b334cc3f2b528a0887bb73e0N.exe	30
PID 3024 wrote to memory of 2408	3024	31efc248b334cc3f2b528a0887bb73e0N.exe	30
PID 3024 wrote to memory of 2408	3024	31efc248b334cc3f2b528a0887bb73e0N.exe	30
PID 3024 wrote to memory of 2408	3024	31efc248b334cc3f2b528a0887bb73e0N.exe	30
PID 2408 wrote to memory of 2340	2408	dwdsrngt.exe	31
PID 2408 wrote to memory of 2340	2408	dwdsrngt.exe	31
PID 2408 wrote to memory of 2340	2408	dwdsrngt.exe	31
PID 2408 wrote to memory of 2340	2408	dwdsrngt.exe	31
PID 2340 wrote to memory of 2844	2340	dwdsrngt.exe	32
PID 2340 wrote to memory of 2844	2340	dwdsrngt.exe	32
PID 2340 wrote to memory of 2844	2340	dwdsrngt.exe	32
PID 2340 wrote to memory of 2844	2340	dwdsrngt.exe	32
PID 2844 wrote to memory of 2824	2844	dwdsrngt.exe	33
PID 2844 wrote to memory of 2824	2844	dwdsrngt.exe	33
PID 2844 wrote to memory of 2824	2844	dwdsrngt.exe	33
PID 2844 wrote to memory of 2824	2844	dwdsrngt.exe	33
PID 2824 wrote to memory of 2884	2824	dwdsrngt.exe	34
PID 2824 wrote to memory of 2884	2824	dwdsrngt.exe	34
PID 2824 wrote to memory of 2884	2824	dwdsrngt.exe	34
PID 2824 wrote to memory of 2884	2824	dwdsrngt.exe	34
PID 2884 wrote to memory of 2768	2884	dwdsrngt.exe	35
PID 2884 wrote to memory of 2768	2884	dwdsrngt.exe	35
PID 2884 wrote to memory of 2768	2884	dwdsrngt.exe	35
PID 2884 wrote to memory of 2768	2884	dwdsrngt.exe	35
PID 2768 wrote to memory of 2616	2768	dwdsrngt.exe	36
PID 2768 wrote to memory of 2616	2768	dwdsrngt.exe	36
PID 2768 wrote to memory of 2616	2768	dwdsrngt.exe	36
PID 2768 wrote to memory of 2616	2768	dwdsrngt.exe	36
PID 2616 wrote to memory of 2304	2616	dwdsrngt.exe	37
PID 2616 wrote to memory of 2304	2616	dwdsrngt.exe	37
PID 2616 wrote to memory of 2304	2616	dwdsrngt.exe	37
PID 2616 wrote to memory of 2304	2616	dwdsrngt.exe	37
PID 2304 wrote to memory of 1448	2304	dwdsrngt.exe	38
PID 2304 wrote to memory of 1448	2304	dwdsrngt.exe	38
PID 2304 wrote to memory of 1448	2304	dwdsrngt.exe	38
PID 2304 wrote to memory of 1448	2304	dwdsrngt.exe	38
PID 1448 wrote to memory of 304	1448	dwdsrngt.exe	39
PID 1448 wrote to memory of 304	1448	dwdsrngt.exe	39
PID 1448 wrote to memory of 304	1448	dwdsrngt.exe	39
PID 1448 wrote to memory of 304	1448	dwdsrngt.exe	39
PID 304 wrote to memory of 1044	304	dwdsrngt.exe	41
PID 304 wrote to memory of 1044	304	dwdsrngt.exe	41
PID 304 wrote to memory of 1044	304	dwdsrngt.exe	41
PID 304 wrote to memory of 1044	304	dwdsrngt.exe	41
PID 1044 wrote to memory of 920	1044	dwdsrngt.exe	42
PID 1044 wrote to memory of 920	1044	dwdsrngt.exe	42
PID 1044 wrote to memory of 920	1044	dwdsrngt.exe	42
PID 1044 wrote to memory of 920	1044	dwdsrngt.exe	42
PID 920 wrote to memory of 1636	920	dwdsrngt.exe	43
PID 920 wrote to memory of 1636	920	dwdsrngt.exe	43
PID 920 wrote to memory of 1636	920	dwdsrngt.exe	43
PID 920 wrote to memory of 1636	920	dwdsrngt.exe	43
PID 1636 wrote to memory of 2948	1636	dwdsrngt.exe	44
PID 1636 wrote to memory of 2948	1636	dwdsrngt.exe	44
PID 1636 wrote to memory of 2948	1636	dwdsrngt.exe	44
PID 1636 wrote to memory of 2948	1636	dwdsrngt.exe	44
PID 2948 wrote to memory of 2896	2948	dwdsrngt.exe	45
PID 2948 wrote to memory of 2896	2948	dwdsrngt.exe	45
PID 2948 wrote to memory of 2896	2948	dwdsrngt.exe	45
PID 2948 wrote to memory of 2896	2948	dwdsrngt.exe	45
PID 2896 wrote to memory of 2224	2896	dwdsrngt.exe	46
PID 2896 wrote to memory of 2224	2896	dwdsrngt.exe	46
PID 2896 wrote to memory of 2224	2896	dwdsrngt.exe	46
PID 2896 wrote to memory of 2224	2896	dwdsrngt.exe	46

C:\Users\Admin\AppData\Local\Temp\31efc248b334cc3f2b528a0887bb73e0N.exe
"C:\Users\Admin\AppData\Local\Temp\31efc248b334cc3f2b528a0887bb73e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- \??\c:\windows\SysWOW64\dwdsrngt.exe
  c:\windows\system32\dwdsrngt.exe CHD001
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - \??\c:\windows\SysWOW64\dwdsrngt.exe
    c:\windows\system32\dwdsrngt.exe CHD001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - \??\c:\windows\SysWOW64\dwdsrngt.exe
      c:\windows\system32\dwdsrngt.exe CHD001
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2844
    - - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        11⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        13⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        15⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        17⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        19⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        21⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        26⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        27⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        29⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        31⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        33⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        35⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        38⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        40⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2244
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        41⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        42⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        44⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        45⤵
        Executes dropped EXE
        
        PID:2780
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        46⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        47⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        48⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        49⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        50⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        51⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        52⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        53⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        54⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        55⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        57⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        58⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        59⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        62⤵
        Executes dropped EXE
        
        PID:1692
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        63⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        64⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        67⤵
        Drops file in System32 directory
        
        PID:1252
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        68⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        70⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        72⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2300
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        73⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        74⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        76⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1828
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        77⤵
        
        PID:1508
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        79⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        80⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        81⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        84⤵
        Drops file in System32 directory
        
        PID:2756
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        87⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        88⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        89⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        91⤵
        Modifies registry class
        
        PID:3056
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        92⤵
        Drops startup file
        
        PID:684
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        93⤵
        Drops startup file
        Modifies registry class
        
        PID:1744
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        96⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        97⤵
        Drops startup file
        Modifies registry class
        
        PID:1928
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        98⤵
        Drops file in System32 directory
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        99⤵
        Drops file in System32 directory
        
        PID:2860
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        100⤵
        Modifies registry class
        
        PID:2916
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        101⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        105⤵
        Modifies registry class
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        106⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        107⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        108⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        109⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        110⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1424
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        111⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
920B

MD5
1f7918fb84e616d713361a3ac15e556b

SHA1
82e833873f52c8adcf06b89c81e3dffbfb93fe15

SHA256
bd062f28b95f0c676e6b7d4b86152334d7d7b0faf48055d952523b4bf2449a15

SHA512
aefcefb425d589ce679aa7a69f26a07bb354d735e4d40d449b787839b93f4134e660de10d530d5239e3e60ed7414a61a46bb674db29f117119ef0ba3b5f59698

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
17B

MD5
b9b738b5d5b92889336547a6c22d3991

SHA1
55e7ec0184ac63a182d8973d68a7294d493b75e4

SHA256
c327e7bb193088f8afc07ff624422abc3cf7f06bed33b62ba08b443bf306d69f

SHA512
5a2879f1aeb783e1b1895cc7a7fc3f752c6a6173581f71062c0c145bf78e560de848294111a1f1ae79e92e96e604ec455af0e69d073a74e9827dcd0fd5489af7

Download Submit
\Windows\SysWOW64\dwdsrngt.exe

Filesize
57KB

MD5
34f18146d0f2876c5745930b94ec0d3d

SHA1
eb474a15d39e543e13c2bb4d22e9821e983c711e

SHA256
5fee6076a7e7ba874bb7781c20564cd893523089e42611c043ab173572aa6115

SHA512
b1fd664cfdb707100d6cb620b85bc957d5f3f8dd2148dd833b9dd3c86a5fe2f9f0562a9e7a91742631567da1f0e2c8dabf4531216ed8668f6977c533e955e39d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads