8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9

General

Target

8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
Size

56KB
MD5

cca34c9d021e1f5078fe708e8f819ee0
SHA1

ffd9c7f917d17d0bc8f5fa89937a5536740e1eba
SHA256

8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9
SHA512

600a25f2299cd6c673e1bf3d89fa4b78ff173ec1853d01b8795a7533997c9ae58eb744be1f53e5a6c5d8cc540112adc840c9bdae46ee3d202e8ed83c736c199c
SSDEEP

768:uEaz5G7MaEtbwQpeyjaSLyfOPT4xcsrRA9Xu/IC4X3i2AH350azknSRXJuRWQlhd:v4GYUWeypTUuuQj635cSRU3iN/ntNm

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 64 IoCs

Processes:

dwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe

Executes dropped EXE 64 IoCs

Processes:

dwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

pid	process
3560	dwdsrngt.exe
3176	dwdsrngt.exe
1380	dwdsrngt.exe
2312	dwdsrngt.exe
4648	dwdsrngt.exe
3812	dwdsrngt.exe
1208	dwdsrngt.exe
1636	dwdsrngt.exe
4484	dwdsrngt.exe
1628	dwdsrngt.exe
2524	dwdsrngt.exe
2544	dwdsrngt.exe
644	dwdsrngt.exe
388	dwdsrngt.exe
4264	dwdsrngt.exe
2084	dwdsrngt.exe
4704	dwdsrngt.exe
2112	dwdsrngt.exe
2952	dwdsrngt.exe
60	dwdsrngt.exe
860	dwdsrngt.exe
1688	dwdsrngt.exe
3320	dwdsrngt.exe
2484	dwdsrngt.exe
1264	dwdsrngt.exe
3856	dwdsrngt.exe
1724	dwdsrngt.exe
4820	dwdsrngt.exe
3724	dwdsrngt.exe
1972	dwdsrngt.exe
5012	dwdsrngt.exe
2332	dwdsrngt.exe
4532	dwdsrngt.exe
2252	dwdsrngt.exe
592	dwdsrngt.exe
1856	dwdsrngt.exe
3388	dwdsrngt.exe
2940	dwdsrngt.exe
3560	dwdsrngt.exe
1376	dwdsrngt.exe
4632	dwdsrngt.exe
4508	dwdsrngt.exe
3016	dwdsrngt.exe
4648	dwdsrngt.exe
3064	dwdsrngt.exe
4884	dwdsrngt.exe
1672	dwdsrngt.exe
3804	dwdsrngt.exe
2508	dwdsrngt.exe
4476	dwdsrngt.exe
3836	dwdsrngt.exe
1852	dwdsrngt.exe
4764	dwdsrngt.exe
2468	dwdsrngt.exe
3324	dwdsrngt.exe
3508	dwdsrngt.exe
4712	dwdsrngt.exe
2968	dwdsrngt.exe
4264	dwdsrngt.exe
2660	dwdsrngt.exe
4828	dwdsrngt.exe
212	dwdsrngt.exe
1820	dwdsrngt.exe
2952	dwdsrngt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dwdsrngt.exe8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{63-30-09-93-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{63-30-09-93-ZN} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe CHD001"	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe

Drops file in System32 directory 64 IoCs

Processes:

dwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_11_24.log	dwdsrngt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe

Modifies registry class 64 IoCs

Processes:

dwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

pid	process
1572	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
1572	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
3560	dwdsrngt.exe
3560	dwdsrngt.exe
3176	dwdsrngt.exe
3176	dwdsrngt.exe
1380	dwdsrngt.exe
1380	dwdsrngt.exe
2312	dwdsrngt.exe
2312	dwdsrngt.exe
4648	dwdsrngt.exe
4648	dwdsrngt.exe
3812	dwdsrngt.exe
3812	dwdsrngt.exe
1208	dwdsrngt.exe
1208	dwdsrngt.exe
1636	dwdsrngt.exe
1636	dwdsrngt.exe
4484	dwdsrngt.exe
4484	dwdsrngt.exe
1628	dwdsrngt.exe
1628	dwdsrngt.exe
2524	dwdsrngt.exe
2524	dwdsrngt.exe
2544	dwdsrngt.exe
2544	dwdsrngt.exe
644	dwdsrngt.exe
644	dwdsrngt.exe
388	dwdsrngt.exe
388	dwdsrngt.exe
4264	dwdsrngt.exe
4264	dwdsrngt.exe
2084	dwdsrngt.exe
2084	dwdsrngt.exe
4704	dwdsrngt.exe
4704	dwdsrngt.exe
2112	dwdsrngt.exe
2112	dwdsrngt.exe
2952	dwdsrngt.exe
2952	dwdsrngt.exe
60	dwdsrngt.exe
60	dwdsrngt.exe
860	dwdsrngt.exe
860	dwdsrngt.exe
1688	dwdsrngt.exe
1688	dwdsrngt.exe
3320	dwdsrngt.exe
3320	dwdsrngt.exe
2484	dwdsrngt.exe
2484	dwdsrngt.exe
1264	dwdsrngt.exe
1264	dwdsrngt.exe
3856	dwdsrngt.exe
3856	dwdsrngt.exe
1724	dwdsrngt.exe
1724	dwdsrngt.exe
4820	dwdsrngt.exe
4820	dwdsrngt.exe
3724	dwdsrngt.exe
3724	dwdsrngt.exe
1972	dwdsrngt.exe
1972	dwdsrngt.exe
5012	dwdsrngt.exe
5012	dwdsrngt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exedwdsrngt.exe

description	pid	process	target process
PID 1572 wrote to memory of 3560	1572	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe	dwdsrngt.exe
PID 1572 wrote to memory of 3560	1572	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe	dwdsrngt.exe
PID 1572 wrote to memory of 3560	1572	8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe	dwdsrngt.exe
PID 3560 wrote to memory of 3176	3560	dwdsrngt.exe	dwdsrngt.exe
PID 3560 wrote to memory of 3176	3560	dwdsrngt.exe	dwdsrngt.exe
PID 3560 wrote to memory of 3176	3560	dwdsrngt.exe	dwdsrngt.exe
PID 3176 wrote to memory of 1380	3176	dwdsrngt.exe	dwdsrngt.exe
PID 3176 wrote to memory of 1380	3176	dwdsrngt.exe	dwdsrngt.exe
PID 3176 wrote to memory of 1380	3176	dwdsrngt.exe	dwdsrngt.exe
PID 1380 wrote to memory of 2312	1380	dwdsrngt.exe	dwdsrngt.exe
PID 1380 wrote to memory of 2312	1380	dwdsrngt.exe	dwdsrngt.exe
PID 1380 wrote to memory of 2312	1380	dwdsrngt.exe	dwdsrngt.exe
PID 2312 wrote to memory of 4648	2312	dwdsrngt.exe	dwdsrngt.exe
PID 2312 wrote to memory of 4648	2312	dwdsrngt.exe	dwdsrngt.exe
PID 2312 wrote to memory of 4648	2312	dwdsrngt.exe	dwdsrngt.exe
PID 4648 wrote to memory of 3812	4648	dwdsrngt.exe	dwdsrngt.exe
PID 4648 wrote to memory of 3812	4648	dwdsrngt.exe	dwdsrngt.exe
PID 4648 wrote to memory of 3812	4648	dwdsrngt.exe	dwdsrngt.exe
PID 3812 wrote to memory of 1208	3812	dwdsrngt.exe	dwdsrngt.exe
PID 3812 wrote to memory of 1208	3812	dwdsrngt.exe	dwdsrngt.exe
PID 3812 wrote to memory of 1208	3812	dwdsrngt.exe	dwdsrngt.exe
PID 1208 wrote to memory of 1636	1208	dwdsrngt.exe	dwdsrngt.exe
PID 1208 wrote to memory of 1636	1208	dwdsrngt.exe	dwdsrngt.exe
PID 1208 wrote to memory of 1636	1208	dwdsrngt.exe	dwdsrngt.exe
PID 1636 wrote to memory of 4484	1636	dwdsrngt.exe	dwdsrngt.exe
PID 1636 wrote to memory of 4484	1636	dwdsrngt.exe	dwdsrngt.exe
PID 1636 wrote to memory of 4484	1636	dwdsrngt.exe	dwdsrngt.exe
PID 4484 wrote to memory of 1628	4484	dwdsrngt.exe	dwdsrngt.exe
PID 4484 wrote to memory of 1628	4484	dwdsrngt.exe	dwdsrngt.exe
PID 4484 wrote to memory of 1628	4484	dwdsrngt.exe	dwdsrngt.exe
PID 1628 wrote to memory of 2524	1628	dwdsrngt.exe	dwdsrngt.exe
PID 1628 wrote to memory of 2524	1628	dwdsrngt.exe	dwdsrngt.exe
PID 1628 wrote to memory of 2524	1628	dwdsrngt.exe	dwdsrngt.exe
PID 2524 wrote to memory of 2544	2524	dwdsrngt.exe	dwdsrngt.exe
PID 2524 wrote to memory of 2544	2524	dwdsrngt.exe	dwdsrngt.exe
PID 2524 wrote to memory of 2544	2524	dwdsrngt.exe	dwdsrngt.exe
PID 2544 wrote to memory of 644	2544	dwdsrngt.exe	dwdsrngt.exe
PID 2544 wrote to memory of 644	2544	dwdsrngt.exe	dwdsrngt.exe
PID 2544 wrote to memory of 644	2544	dwdsrngt.exe	dwdsrngt.exe
PID 644 wrote to memory of 388	644	dwdsrngt.exe	dwdsrngt.exe
PID 644 wrote to memory of 388	644	dwdsrngt.exe	dwdsrngt.exe
PID 644 wrote to memory of 388	644	dwdsrngt.exe	dwdsrngt.exe
PID 388 wrote to memory of 4264	388	dwdsrngt.exe	dwdsrngt.exe
PID 388 wrote to memory of 4264	388	dwdsrngt.exe	dwdsrngt.exe
PID 388 wrote to memory of 4264	388	dwdsrngt.exe	dwdsrngt.exe
PID 4264 wrote to memory of 2084	4264	dwdsrngt.exe	dwdsrngt.exe
PID 4264 wrote to memory of 2084	4264	dwdsrngt.exe	dwdsrngt.exe
PID 4264 wrote to memory of 2084	4264	dwdsrngt.exe	dwdsrngt.exe
PID 2084 wrote to memory of 4704	2084	dwdsrngt.exe	dwdsrngt.exe
PID 2084 wrote to memory of 4704	2084	dwdsrngt.exe	dwdsrngt.exe
PID 2084 wrote to memory of 4704	2084	dwdsrngt.exe	dwdsrngt.exe
PID 4704 wrote to memory of 2112	4704	dwdsrngt.exe	dwdsrngt.exe
PID 4704 wrote to memory of 2112	4704	dwdsrngt.exe	dwdsrngt.exe
PID 4704 wrote to memory of 2112	4704	dwdsrngt.exe	dwdsrngt.exe
PID 2112 wrote to memory of 2952	2112	dwdsrngt.exe	dwdsrngt.exe
PID 2112 wrote to memory of 2952	2112	dwdsrngt.exe	dwdsrngt.exe
PID 2112 wrote to memory of 2952	2112	dwdsrngt.exe	dwdsrngt.exe
PID 2952 wrote to memory of 60	2952	dwdsrngt.exe	dwdsrngt.exe
PID 2952 wrote to memory of 60	2952	dwdsrngt.exe	dwdsrngt.exe
PID 2952 wrote to memory of 60	2952	dwdsrngt.exe	dwdsrngt.exe
PID 60 wrote to memory of 860	60	dwdsrngt.exe	dwdsrngt.exe
PID 60 wrote to memory of 860	60	dwdsrngt.exe	dwdsrngt.exe
PID 60 wrote to memory of 860	60	dwdsrngt.exe	dwdsrngt.exe
PID 860 wrote to memory of 1688	860	dwdsrngt.exe	dwdsrngt.exe

C:\Users\Admin\AppData\Local\Temp\8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe
"C:\Users\Admin\AppData\Local\Temp\8fcc76b2ce9751b9c2dae8c96e9d6d0f5a8585decb3700d256772b75a8eff0b9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- \??\c:\windows\SysWOW64\dwdsrngt.exe
  c:\windows\system32\dwdsrngt.exe CHD001
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3560
- - \??\c:\windows\SysWOW64\dwdsrngt.exe
    c:\windows\system32\dwdsrngt.exe CHD001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - \??\c:\windows\SysWOW64\dwdsrngt.exe
      c:\windows\system32\dwdsrngt.exe CHD001
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1380
    - - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        8⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        9⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        10⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        11⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        15⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        19⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        21⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        24⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        25⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        27⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        30⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        32⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        33⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        35⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        36⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:592
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        39⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        41⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        42⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        43⤵
        Drops startup file
        Executes dropped EXE
        
        PID:4508
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        45⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        46⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        47⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        49⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        50⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        51⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        52⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        53⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        55⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        57⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        58⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        59⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        60⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        62⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        64⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        65⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        66⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        67⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        69⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        70⤵
        Drops startup file
        Modifies registry class
        
        PID:3416
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        72⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        73⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        74⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        75⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        77⤵
        Drops file in System32 directory
        
        PID:2096
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        78⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        79⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3564
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        80⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        82⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        83⤵
        Drops startup file
        
        PID:1600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        84⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        85⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        86⤵
        
        PID:1888
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        87⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        88⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        89⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        91⤵
        Drops file in System32 directory
        
        PID:1432
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        93⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        95⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        96⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        98⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
ab6d92389a060fa6b8d7c33edfc7c3a7

SHA1
28f1d92c1f946fede2163ff6b0bf5863e144e144

SHA256
9d9f20ef0fc0cd9886a9ba6609162cf0c633a2428b797453e34813c4a991a79b

SHA512
5deba662bf7f98dd88de2130c1793c12be4bafb5d51a0ac0ccd983adad0404485528f5a3de48f626bd0dccfc50a8ce266d7452e73b6d001fd82ae2b6ca9dad54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
c2d0da40736fd6f124a29367b1808c6c

SHA1
6c40fc1a2f4f65240c473faa37e92c7e477a4dc9

SHA256
22bbbbe74eabe7f59639996bae8dd60c4d3eec3fe3384306d9cc12b5accb56af

SHA512
9a88a162ab4ff011d6b06d90f135339763ad87a39f20a69bf730225e104e056fad725e3200282cea8620e4491c5b9678e5a33a57f883afff470db7d98df7be16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
0ea0a87fb29524074d7882f1deafdc9d

SHA1
31b42a8d1880ee1ba98c7e0334c40507dedecda4

SHA256
12d6273abde616d397be4ea1f19a43e76507e5a94416b1c83189961125c3c5a3

SHA512
46976ece6121c84a83262d3eb1b08006b1e2c4fc9b782c22932cb44cee660b6c5843091224898c35737c89320ba61ab1e29a50a637677c0d3e319c156fc59b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
a426c430f1fd37893b14411c5a2281ba

SHA1
cff027aea16d01ee14ab8c618bd45454e2867614

SHA256
b07f330c438d89f978baa3dcff7df22c9b54713feeb4de4732ad5a0451c7932c

SHA512
4ad9a7f8981c1221c6f852abc473ddab6e63d3f92ac97b9ecd459980fada9716571b9307acc2bdeb5cfb5adcf3429a8173237330853bd4a6191d2f312c8967ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
f5d3e68a494ea0495161f967c82a75da

SHA1
b27e1542e9afe34c2bb949f07b261348cbe19ef6

SHA256
ecf024e2ce24bdbaa4265d8c4467e99b2d6de223cee7e30ca9157f311b617f72

SHA512
3f5b36e5a7593cd49604dbff2f2544774c0843ae2220622b9291c1b664690c2faf5f2995d8bd5b6eb6dda75bdd5513ea9434ce0d57cfff71f08cc06757d14b75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\dwdsrngt.exe

Filesize
56KB

MD5
20ed83e4e1b743d8462fe86abdc9d9d8

SHA1
aabf315b1c56dcdd85b161df971f492df9917432

SHA256
44da0c4969be4c37e6eddd4334aa660a53e868db2fd4ad405c10547485c4b453

SHA512
2e7f7352f230b83d84e81ed201dc79ded5edd06dad806af5331accf4e8beb3929162ba3b91e8b7ddeb0e8324aafa2e2586fc33096be1a48864f0ea4b5ba4011d

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
17B

MD5
b9b738b5d5b92889336547a6c22d3991

SHA1
55e7ec0184ac63a182d8973d68a7294d493b75e4

SHA256
c327e7bb193088f8afc07ff624422abc3cf7f06bed33b62ba08b443bf306d69f

SHA512
5a2879f1aeb783e1b1895cc7a7fc3f752c6a6173581f71062c0c145bf78e560de848294111a1f1ae79e92e96e604ec455af0e69d073a74e9827dcd0fd5489af7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads