df73b74159ae2e68c68fff5bde3855cb4eba0c33fc8a3a1e59daedb5a820b875

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Size

56KB
MD5

3b7f4e25a0cb707b27fa16593b702140
SHA1

68421dadab83d22d850deda562a2c3e06bcb4268
SHA256

df73b74159ae2e68c68fff5bde3855cb4eba0c33fc8a3a1e59daedb5a820b875
SHA512

61ee3919afea21db049386cc0a132a1740457de33d1d47e8b543577d4012ac2242db473d5c9ecae6aee875a0f56861a2903146fa8088917fb38312e4bb66ee19
SSDEEP

768:uEaz5G7MaEtbwQpeyjaSLyfOPT4xcsrRA9Xu/IC4X3i2AH350azknSRXJuRWQlhA:v4GYUWeypTUuuQj635cSRU3iN/ntNL

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	dwdsrngt.exe
2904	dwdsrngt.exe
2724	dwdsrngt.exe
1668	dwdsrngt.exe
316	dwdsrngt.exe
1196	dwdsrngt.exe
912	dwdsrngt.exe
1652	dwdsrngt.exe
3004	dwdsrngt.exe
1684	dwdsrngt.exe
2176	dwdsrngt.exe
2372	dwdsrngt.exe
700	dwdsrngt.exe
2144	dwdsrngt.exe
2384	dwdsrngt.exe
2356	dwdsrngt.exe
2532	dwdsrngt.exe
1060	dwdsrngt.exe
952	dwdsrngt.exe
2640	dwdsrngt.exe
1320	dwdsrngt.exe
1916	dwdsrngt.exe
1512	dwdsrngt.exe
548	dwdsrngt.exe
324	dwdsrngt.exe
1692	dwdsrngt.exe
2312	dwdsrngt.exe
1620	dwdsrngt.exe
1064	dwdsrngt.exe
1688	dwdsrngt.exe
2308	dwdsrngt.exe
2600	dwdsrngt.exe
2856	dwdsrngt.exe
2864	dwdsrngt.exe
2912	dwdsrngt.exe
2704	dwdsrngt.exe
2896	dwdsrngt.exe
2788	dwdsrngt.exe
2724	dwdsrngt.exe
2264	dwdsrngt.exe
1276	dwdsrngt.exe
1596	dwdsrngt.exe
1996	dwdsrngt.exe
3068	dwdsrngt.exe
912	dwdsrngt.exe
2260	dwdsrngt.exe
2736	dwdsrngt.exe
2420	dwdsrngt.exe
2960	dwdsrngt.exe
2084	dwdsrngt.exe
868	dwdsrngt.exe
648	dwdsrngt.exe
516	dwdsrngt.exe
2388	dwdsrngt.exe
2360	dwdsrngt.exe
1980	dwdsrngt.exe
2244	dwdsrngt.exe
2320	dwdsrngt.exe
2400	dwdsrngt.exe
788	dwdsrngt.exe
804	dwdsrngt.exe
1512	dwdsrngt.exe
548	dwdsrngt.exe
2448	dwdsrngt.exe

Loads dropped DLL 64 IoCs

pid	Process
2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
2924	dwdsrngt.exe
2924	dwdsrngt.exe
2904	dwdsrngt.exe
2904	dwdsrngt.exe
2724	dwdsrngt.exe
2724	dwdsrngt.exe
1668	dwdsrngt.exe
1668	dwdsrngt.exe
316	dwdsrngt.exe
316	dwdsrngt.exe
1196	dwdsrngt.exe
1196	dwdsrngt.exe
912	dwdsrngt.exe
912	dwdsrngt.exe
1652	dwdsrngt.exe
1652	dwdsrngt.exe
3004	dwdsrngt.exe
3004	dwdsrngt.exe
1684	dwdsrngt.exe
1684	dwdsrngt.exe
2176	dwdsrngt.exe
2176	dwdsrngt.exe
2372	dwdsrngt.exe
2372	dwdsrngt.exe
700	dwdsrngt.exe
700	dwdsrngt.exe
2144	dwdsrngt.exe
2144	dwdsrngt.exe
2384	dwdsrngt.exe
2384	dwdsrngt.exe
2356	dwdsrngt.exe
2356	dwdsrngt.exe
2532	dwdsrngt.exe
2532	dwdsrngt.exe
1060	dwdsrngt.exe
1060	dwdsrngt.exe
952	dwdsrngt.exe
952	dwdsrngt.exe
2640	dwdsrngt.exe
2640	dwdsrngt.exe
1320	dwdsrngt.exe
1320	dwdsrngt.exe
1916	dwdsrngt.exe
1916	dwdsrngt.exe
1512	dwdsrngt.exe
1512	dwdsrngt.exe
548	dwdsrngt.exe
548	dwdsrngt.exe
324	dwdsrngt.exe
324	dwdsrngt.exe
1692	dwdsrngt.exe
1692	dwdsrngt.exe
2312	dwdsrngt.exe
2312	dwdsrngt.exe
1620	dwdsrngt.exe
1620	dwdsrngt.exe
1064	dwdsrngt.exe
1064	dwdsrngt.exe
1688	dwdsrngt.exe
1688	dwdsrngt.exe
2308	dwdsrngt.exe
2308	dwdsrngt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{D6-62-2F-F4-ZN} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe CHD001"	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{D6-62-2F-F4-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File created	C:\Windows\SysWOW64\msnav32.ax	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
2924	dwdsrngt.exe
2924	dwdsrngt.exe
2904	dwdsrngt.exe
2904	dwdsrngt.exe
2724	dwdsrngt.exe
2724	dwdsrngt.exe
1668	dwdsrngt.exe
1668	dwdsrngt.exe
316	dwdsrngt.exe
316	dwdsrngt.exe
1196	dwdsrngt.exe
1196	dwdsrngt.exe
912	dwdsrngt.exe
912	dwdsrngt.exe
1652	dwdsrngt.exe
1652	dwdsrngt.exe
3004	dwdsrngt.exe
3004	dwdsrngt.exe
1684	dwdsrngt.exe
1684	dwdsrngt.exe
2176	dwdsrngt.exe
2176	dwdsrngt.exe
2372	dwdsrngt.exe
2372	dwdsrngt.exe
700	dwdsrngt.exe
700	dwdsrngt.exe
2144	dwdsrngt.exe
2144	dwdsrngt.exe
2384	dwdsrngt.exe
2384	dwdsrngt.exe
2356	dwdsrngt.exe
2356	dwdsrngt.exe
2532	dwdsrngt.exe
2532	dwdsrngt.exe
1060	dwdsrngt.exe
1060	dwdsrngt.exe
952	dwdsrngt.exe
952	dwdsrngt.exe
2640	dwdsrngt.exe
2640	dwdsrngt.exe
1320	dwdsrngt.exe
1320	dwdsrngt.exe
1916	dwdsrngt.exe
1916	dwdsrngt.exe
1512	dwdsrngt.exe
1512	dwdsrngt.exe
548	dwdsrngt.exe
548	dwdsrngt.exe
324	dwdsrngt.exe
324	dwdsrngt.exe
1692	dwdsrngt.exe
1692	dwdsrngt.exe
2312	dwdsrngt.exe
2312	dwdsrngt.exe
1620	dwdsrngt.exe
1620	dwdsrngt.exe
1064	dwdsrngt.exe
1064	dwdsrngt.exe
1688	dwdsrngt.exe
1688	dwdsrngt.exe
2308	dwdsrngt.exe
2308	dwdsrngt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2924	2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2924	2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2924	2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2924	2796	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	30
PID 2924 wrote to memory of 2904	2924	dwdsrngt.exe	31
PID 2924 wrote to memory of 2904	2924	dwdsrngt.exe	31
PID 2924 wrote to memory of 2904	2924	dwdsrngt.exe	31
PID 2924 wrote to memory of 2904	2924	dwdsrngt.exe	31
PID 2904 wrote to memory of 2724	2904	dwdsrngt.exe	32
PID 2904 wrote to memory of 2724	2904	dwdsrngt.exe	32
PID 2904 wrote to memory of 2724	2904	dwdsrngt.exe	32
PID 2904 wrote to memory of 2724	2904	dwdsrngt.exe	32
PID 2724 wrote to memory of 1668	2724	dwdsrngt.exe	33
PID 2724 wrote to memory of 1668	2724	dwdsrngt.exe	33
PID 2724 wrote to memory of 1668	2724	dwdsrngt.exe	33
PID 2724 wrote to memory of 1668	2724	dwdsrngt.exe	33
PID 1668 wrote to memory of 316	1668	dwdsrngt.exe	34
PID 1668 wrote to memory of 316	1668	dwdsrngt.exe	34
PID 1668 wrote to memory of 316	1668	dwdsrngt.exe	34
PID 1668 wrote to memory of 316	1668	dwdsrngt.exe	34
PID 316 wrote to memory of 1196	316	dwdsrngt.exe	35
PID 316 wrote to memory of 1196	316	dwdsrngt.exe	35
PID 316 wrote to memory of 1196	316	dwdsrngt.exe	35
PID 316 wrote to memory of 1196	316	dwdsrngt.exe	35
PID 1196 wrote to memory of 912	1196	dwdsrngt.exe	36
PID 1196 wrote to memory of 912	1196	dwdsrngt.exe	36
PID 1196 wrote to memory of 912	1196	dwdsrngt.exe	36
PID 1196 wrote to memory of 912	1196	dwdsrngt.exe	36
PID 912 wrote to memory of 1652	912	dwdsrngt.exe	37
PID 912 wrote to memory of 1652	912	dwdsrngt.exe	37
PID 912 wrote to memory of 1652	912	dwdsrngt.exe	37
PID 912 wrote to memory of 1652	912	dwdsrngt.exe	37
PID 1652 wrote to memory of 3004	1652	dwdsrngt.exe	38
PID 1652 wrote to memory of 3004	1652	dwdsrngt.exe	38
PID 1652 wrote to memory of 3004	1652	dwdsrngt.exe	38
PID 1652 wrote to memory of 3004	1652	dwdsrngt.exe	38
PID 3004 wrote to memory of 1684	3004	dwdsrngt.exe	39
PID 3004 wrote to memory of 1684	3004	dwdsrngt.exe	39
PID 3004 wrote to memory of 1684	3004	dwdsrngt.exe	39
PID 3004 wrote to memory of 1684	3004	dwdsrngt.exe	39
PID 1684 wrote to memory of 2176	1684	dwdsrngt.exe	40
PID 1684 wrote to memory of 2176	1684	dwdsrngt.exe	40
PID 1684 wrote to memory of 2176	1684	dwdsrngt.exe	40
PID 1684 wrote to memory of 2176	1684	dwdsrngt.exe	40
PID 2176 wrote to memory of 2372	2176	dwdsrngt.exe	41
PID 2176 wrote to memory of 2372	2176	dwdsrngt.exe	41
PID 2176 wrote to memory of 2372	2176	dwdsrngt.exe	41
PID 2176 wrote to memory of 2372	2176	dwdsrngt.exe	41
PID 2372 wrote to memory of 700	2372	dwdsrngt.exe	42
PID 2372 wrote to memory of 700	2372	dwdsrngt.exe	42
PID 2372 wrote to memory of 700	2372	dwdsrngt.exe	42
PID 2372 wrote to memory of 700	2372	dwdsrngt.exe	42
PID 700 wrote to memory of 2144	700	dwdsrngt.exe	43
PID 700 wrote to memory of 2144	700	dwdsrngt.exe	43
PID 700 wrote to memory of 2144	700	dwdsrngt.exe	43
PID 700 wrote to memory of 2144	700	dwdsrngt.exe	43
PID 2144 wrote to memory of 2384	2144	dwdsrngt.exe	44
PID 2144 wrote to memory of 2384	2144	dwdsrngt.exe	44
PID 2144 wrote to memory of 2384	2144	dwdsrngt.exe	44
PID 2144 wrote to memory of 2384	2144	dwdsrngt.exe	44
PID 2384 wrote to memory of 2356	2384	dwdsrngt.exe	45
PID 2384 wrote to memory of 2356	2384	dwdsrngt.exe	45
PID 2384 wrote to memory of 2356	2384	dwdsrngt.exe	45
PID 2384 wrote to memory of 2356	2384	dwdsrngt.exe	45

C:\Users\Admin\AppData\Local\Temp\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- \??\c:\windows\SysWOW64\dwdsrngt.exe
  c:\windows\system32\dwdsrngt.exe CHD001
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - \??\c:\windows\SysWOW64\dwdsrngt.exe
    c:\windows\system32\dwdsrngt.exe CHD001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - \??\c:\windows\SysWOW64\dwdsrngt.exe
      c:\windows\system32\dwdsrngt.exe CHD001
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        8⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        9⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        13⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        15⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        16⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        17⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        20⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        21⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        25⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        28⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        29⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        30⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        35⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        36⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2912
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        38⤵
        Executes dropped EXE
        
        PID:2896
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        39⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2788
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        40⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        43⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        47⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        51⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        52⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        53⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        55⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        56⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        58⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        59⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        60⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        63⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        65⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:2448
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        67⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        68⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        69⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        70⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        71⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        72⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1560
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        73⤵
        Drops startup file
        Modifies registry class
        
        PID:2772
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        75⤵
        Drops startup file
        
        PID:2848
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        80⤵
        Drops file in System32 directory
        
        PID:1888
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        82⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        83⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        85⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        87⤵
        Modifies registry class
        
        PID:2512
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        89⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:908
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        90⤵
        Modifies registry class
        
        PID:1656
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        91⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        94⤵
        Drops file in System32 directory
        
        PID:1084
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        96⤵
        
        PID:2608
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        97⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        98⤵
        Drops file in System32 directory
        
        PID:2240
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        100⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:520
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        101⤵
        
        PID:2128
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        103⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        104⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        105⤵
        Modifies registry class
        
        PID:2764
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        106⤵
        Modifies registry class
        
        PID:1588
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        107⤵
        Drops startup file
        Modifies registry class
        
        PID:2576
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        108⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        109⤵
        Drops startup file
        Modifies registry class
        
        PID:1900
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        111⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1472
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        113⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        114⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        115⤵
        
        PID:980
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        117⤵
        Modifies registry class
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        120⤵
        Modifies registry class
        
        PID:2788
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        121⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        122⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        125⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2216
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        128⤵
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
916B

MD5
ad0e6f3e45fe04b16a9b41549ee5d643

SHA1
b1da6da0cc4bba23a03cd355728299fc6a9cf3b3

SHA256
9a05eb9102a4818433513898ffabba3ee9af46344c607685dbb4b6627c7deff0

SHA512
42ec8ccb5d131dcc940986699235aa54bc99dbeb7430b0b2eee423c307d9a3774840d1645a4af9738d69951077f10c9346938cfc39341153c9844d9e7554806c

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
17B

MD5
b9b738b5d5b92889336547a6c22d3991

SHA1
55e7ec0184ac63a182d8973d68a7294d493b75e4

SHA256
c327e7bb193088f8afc07ff624422abc3cf7f06bed33b62ba08b443bf306d69f

SHA512
5a2879f1aeb783e1b1895cc7a7fc3f752c6a6173581f71062c0c145bf78e560de848294111a1f1ae79e92e96e604ec455af0e69d073a74e9827dcd0fd5489af7

Download Submit
\Windows\SysWOW64\dwdsrngt.exe

Filesize
56KB

MD5
04cfe435588fb137ecd630c59354d890

SHA1
21d298505b8079d0b61b4fb4c4ea93b5338f9bd5

SHA256
6619412821bade58a2b687001c838eccd247b117b7699874fe962b5d5e3a6cd2

SHA512
f66d863fde30dc16a0346cd3bd052ec7b20c6ba1246fe29cfa8901cc2623576d0abd43f2ad07f2e44d32c9d7900baed88a350b8519f9041f0bf0ca061a3ad584

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads