341c37f0a0998f5b3a6b5ba4b1528dfebb3897102294e4b2c136ac2da8f93db5

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 12:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
Size

44KB
MD5

7409a53b4bdf27b01443fa9ef82ef2ff
SHA1

97b2a8914d03ee069b6465f508b7192fb35baaad
SHA256

341c37f0a0998f5b3a6b5ba4b1528dfebb3897102294e4b2c136ac2da8f93db5
SHA512

587948f1ad2216fa72e1bcf4ca7b300a6689edb4ae6d38ec72fbdacd75c446668eefa2ea1ad01eda6a657e3fc40f740c4cdacbf60ac5024d3e1186fbbe917cae
SSDEEP

768:4bZf4IlYHLIaHR2dXvq50wh5E9g7uUh7986dOGpRo7t845kFEntNO0:4lf4pXHiX+0whSgThZeGpX+ntk0

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	dwdsregt.exe
2912	dwdsregt.exe
2108	dwdsregt.exe
2564	dwdsregt.exe
2656	dwdsregt.exe
2260	dwdsregt.exe
1708	dwdsregt.exe
1744	dwdsregt.exe
476	dwdsregt.exe
2948	dwdsregt.exe
3032	dwdsregt.exe
2524	dwdsregt.exe
1212	dwdsregt.exe
2556	dwdsregt.exe
2856	dwdsregt.exe
2168	dwdsregt.exe
264	dwdsregt.exe
532	dwdsregt.exe
1956	dwdsregt.exe
2552	dwdsregt.exe
1380	dwdsregt.exe
1848	dwdsregt.exe
1736	dwdsregt.exe
2252	dwdsregt.exe
2340	dwdsregt.exe
2272	dwdsregt.exe
1628	dwdsregt.exe
1500	dwdsregt.exe
2240	dwdsregt.exe
1584	dwdsregt.exe
324	dwdsregt.exe
2804	dwdsregt.exe
2812	dwdsregt.exe
2796	dwdsregt.exe
2684	dwdsregt.exe
2108	dwdsregt.exe
884	dwdsregt.exe
2472	dwdsregt.exe
280	dwdsregt.exe
2936	dwdsregt.exe
2528	dwdsregt.exe
1316	dwdsregt.exe
1332	dwdsregt.exe
2988	dwdsregt.exe
2752	dwdsregt.exe
3044	dwdsregt.exe
3048	dwdsregt.exe
2944	dwdsregt.exe
684	dwdsregt.exe
1676	dwdsregt.exe
992	dwdsregt.exe
2556	dwdsregt.exe
2856	dwdsregt.exe
2168	dwdsregt.exe
264	dwdsregt.exe
580	dwdsregt.exe
1648	dwdsregt.exe
2084	dwdsregt.exe
2136	dwdsregt.exe
2612	dwdsregt.exe
1620	dwdsregt.exe
968	dwdsregt.exe
1964	dwdsregt.exe
1496	dwdsregt.exe

Loads dropped DLL 64 IoCs

pid	Process
964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
3068	dwdsregt.exe
3068	dwdsregt.exe
2912	dwdsregt.exe
2912	dwdsregt.exe
2108	dwdsregt.exe
2108	dwdsregt.exe
2564	dwdsregt.exe
2564	dwdsregt.exe
2656	dwdsregt.exe
2656	dwdsregt.exe
2260	dwdsregt.exe
2260	dwdsregt.exe
1708	dwdsregt.exe
1708	dwdsregt.exe
1744	dwdsregt.exe
1744	dwdsregt.exe
476	dwdsregt.exe
476	dwdsregt.exe
2948	dwdsregt.exe
2948	dwdsregt.exe
3032	dwdsregt.exe
3032	dwdsregt.exe
2524	dwdsregt.exe
2524	dwdsregt.exe
1212	dwdsregt.exe
1212	dwdsregt.exe
2556	dwdsregt.exe
2556	dwdsregt.exe
2856	dwdsregt.exe
2856	dwdsregt.exe
2168	dwdsregt.exe
2168	dwdsregt.exe
264	dwdsregt.exe
264	dwdsregt.exe
532	dwdsregt.exe
532	dwdsregt.exe
1956	dwdsregt.exe
1956	dwdsregt.exe
2552	dwdsregt.exe
2552	dwdsregt.exe
1380	dwdsregt.exe
1380	dwdsregt.exe
1848	dwdsregt.exe
1848	dwdsregt.exe
1736	dwdsregt.exe
1736	dwdsregt.exe
2252	dwdsregt.exe
2252	dwdsregt.exe
2340	dwdsregt.exe
2340	dwdsregt.exe
2272	dwdsregt.exe
2272	dwdsregt.exe
1628	dwdsregt.exe
1628	dwdsregt.exe
1500	dwdsregt.exe
1500	dwdsregt.exe
2240	dwdsregt.exe
2240	dwdsregt.exe
1584	dwdsregt.exe
1584	dwdsregt.exe
324	dwdsregt.exe
324	dwdsregt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
3068	dwdsregt.exe
2912	dwdsregt.exe
2108	dwdsregt.exe
2564	dwdsregt.exe
2656	dwdsregt.exe
2260	dwdsregt.exe
1708	dwdsregt.exe
1744	dwdsregt.exe
476	dwdsregt.exe
2948	dwdsregt.exe
3032	dwdsregt.exe
2524	dwdsregt.exe
1212	dwdsregt.exe
2556	dwdsregt.exe
2856	dwdsregt.exe
2168	dwdsregt.exe
264	dwdsregt.exe
532	dwdsregt.exe
1956	dwdsregt.exe
2552	dwdsregt.exe
1380	dwdsregt.exe
1848	dwdsregt.exe
1736	dwdsregt.exe
2252	dwdsregt.exe
2340	dwdsregt.exe
2272	dwdsregt.exe
1628	dwdsregt.exe
1500	dwdsregt.exe
2240	dwdsregt.exe
1584	dwdsregt.exe
324	dwdsregt.exe
2804	dwdsregt.exe
2812	dwdsregt.exe
2796	dwdsregt.exe
2684	dwdsregt.exe
2108	dwdsregt.exe
884	dwdsregt.exe
2472	dwdsregt.exe
280	dwdsregt.exe
2936	dwdsregt.exe
2528	dwdsregt.exe
1316	dwdsregt.exe
1332	dwdsregt.exe
2988	dwdsregt.exe
2752	dwdsregt.exe
3044	dwdsregt.exe
3048	dwdsregt.exe
2944	dwdsregt.exe
684	dwdsregt.exe
1676	dwdsregt.exe
992	dwdsregt.exe
2556	dwdsregt.exe
2856	dwdsregt.exe
2168	dwdsregt.exe
264	dwdsregt.exe
580	dwdsregt.exe
1648	dwdsregt.exe
2084	dwdsregt.exe
2136	dwdsregt.exe
2612	dwdsregt.exe
1620	dwdsregt.exe
968	dwdsregt.exe
1964	dwdsregt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3068	964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	30
PID 964 wrote to memory of 3068	964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	30
PID 964 wrote to memory of 3068	964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	30
PID 964 wrote to memory of 3068	964	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2912	3068	dwdsregt.exe	31
PID 3068 wrote to memory of 2912	3068	dwdsregt.exe	31
PID 3068 wrote to memory of 2912	3068	dwdsregt.exe	31
PID 3068 wrote to memory of 2912	3068	dwdsregt.exe	31
PID 2912 wrote to memory of 2108	2912	dwdsregt.exe	32
PID 2912 wrote to memory of 2108	2912	dwdsregt.exe	32
PID 2912 wrote to memory of 2108	2912	dwdsregt.exe	32
PID 2912 wrote to memory of 2108	2912	dwdsregt.exe	32
PID 2108 wrote to memory of 2564	2108	dwdsregt.exe	33
PID 2108 wrote to memory of 2564	2108	dwdsregt.exe	33
PID 2108 wrote to memory of 2564	2108	dwdsregt.exe	33
PID 2108 wrote to memory of 2564	2108	dwdsregt.exe	33
PID 2564 wrote to memory of 2656	2564	dwdsregt.exe	34
PID 2564 wrote to memory of 2656	2564	dwdsregt.exe	34
PID 2564 wrote to memory of 2656	2564	dwdsregt.exe	34
PID 2564 wrote to memory of 2656	2564	dwdsregt.exe	34
PID 2656 wrote to memory of 2260	2656	dwdsregt.exe	35
PID 2656 wrote to memory of 2260	2656	dwdsregt.exe	35
PID 2656 wrote to memory of 2260	2656	dwdsregt.exe	35
PID 2656 wrote to memory of 2260	2656	dwdsregt.exe	35
PID 2260 wrote to memory of 1708	2260	dwdsregt.exe	36
PID 2260 wrote to memory of 1708	2260	dwdsregt.exe	36
PID 2260 wrote to memory of 1708	2260	dwdsregt.exe	36
PID 2260 wrote to memory of 1708	2260	dwdsregt.exe	36
PID 1708 wrote to memory of 1744	1708	dwdsregt.exe	37
PID 1708 wrote to memory of 1744	1708	dwdsregt.exe	37
PID 1708 wrote to memory of 1744	1708	dwdsregt.exe	37
PID 1708 wrote to memory of 1744	1708	dwdsregt.exe	37
PID 1744 wrote to memory of 476	1744	dwdsregt.exe	38
PID 1744 wrote to memory of 476	1744	dwdsregt.exe	38
PID 1744 wrote to memory of 476	1744	dwdsregt.exe	38
PID 1744 wrote to memory of 476	1744	dwdsregt.exe	38
PID 476 wrote to memory of 2948	476	dwdsregt.exe	39
PID 476 wrote to memory of 2948	476	dwdsregt.exe	39
PID 476 wrote to memory of 2948	476	dwdsregt.exe	39
PID 476 wrote to memory of 2948	476	dwdsregt.exe	39
PID 2948 wrote to memory of 3032	2948	dwdsregt.exe	40
PID 2948 wrote to memory of 3032	2948	dwdsregt.exe	40
PID 2948 wrote to memory of 3032	2948	dwdsregt.exe	40
PID 2948 wrote to memory of 3032	2948	dwdsregt.exe	40
PID 3032 wrote to memory of 2524	3032	dwdsregt.exe	41
PID 3032 wrote to memory of 2524	3032	dwdsregt.exe	41
PID 3032 wrote to memory of 2524	3032	dwdsregt.exe	41
PID 3032 wrote to memory of 2524	3032	dwdsregt.exe	41
PID 2524 wrote to memory of 1212	2524	dwdsregt.exe	42
PID 2524 wrote to memory of 1212	2524	dwdsregt.exe	42
PID 2524 wrote to memory of 1212	2524	dwdsregt.exe	42
PID 2524 wrote to memory of 1212	2524	dwdsregt.exe	42
PID 1212 wrote to memory of 2556	1212	dwdsregt.exe	43
PID 1212 wrote to memory of 2556	1212	dwdsregt.exe	43
PID 1212 wrote to memory of 2556	1212	dwdsregt.exe	43
PID 1212 wrote to memory of 2556	1212	dwdsregt.exe	43
PID 2556 wrote to memory of 2856	2556	dwdsregt.exe	44
PID 2556 wrote to memory of 2856	2556	dwdsregt.exe	44
PID 2556 wrote to memory of 2856	2556	dwdsregt.exe	44
PID 2556 wrote to memory of 2856	2556	dwdsregt.exe	44
PID 2856 wrote to memory of 2168	2856	dwdsregt.exe	45
PID 2856 wrote to memory of 2168	2856	dwdsregt.exe	45
PID 2856 wrote to memory of 2168	2856	dwdsregt.exe	45
PID 2856 wrote to memory of 2168	2856	dwdsregt.exe	45

C:\Users\Admin\AppData\Local\Temp\7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964
- \??\c:\windows\SysWOW64\dwdsregt.exe
  c:\windows\system32\dwdsregt.exe OLI001
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3068
- - \??\c:\windows\SysWOW64\dwdsregt.exe
    c:\windows\system32\dwdsregt.exe OLI001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - \??\c:\windows\SysWOW64\dwdsregt.exe
      c:\windows\system32\dwdsregt.exe OLI001
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2108
    - - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        15⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        17⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        19⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        25⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        27⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        31⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        33⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        38⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        39⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        40⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        42⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        47⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        49⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        52⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        53⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        57⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        60⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        63⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        65⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        66⤵
        
        PID:2248
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        67⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        68⤵
        Drops file in System32 directory
        
        PID:1996
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        69⤵
        
        PID:2372
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        70⤵
        Drops startup file
        
        PID:2896
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        71⤵
        
        PID:2788
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        72⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        73⤵
        Drops file in System32 directory
        
        PID:2780
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        74⤵
        Drops file in System32 directory
        
        PID:2708
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        75⤵
        Drops file in System32 directory
        
        PID:2736
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        77⤵
        
        PID:1916
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        78⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        79⤵
        Drops startup file
        
        PID:1476
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        80⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        81⤵
        Drops file in System32 directory
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        82⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2992
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        83⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        84⤵
        Drops startup file
        
        PID:2180
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        86⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3040
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        88⤵
        
        PID:2644
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        89⤵
        Drops file in System32 directory
        
        PID:2104
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        91⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        92⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:904
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        93⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        94⤵
        Drops file in System32 directory
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        95⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2624
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        96⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        99⤵
        Drops startup file
        
        PID:2748
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        100⤵
        
        PID:2632
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        101⤵
        
        PID:1172
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        102⤵
        
        PID:2984
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        103⤵
        
        PID:1704
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        104⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1600
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        105⤵
        Drops startup file
        
        PID:2512
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        106⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        107⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        108⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1720
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        109⤵
        Drops file in System32 directory
        
        PID:2888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        110⤵
        
        PID:2892
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        111⤵
        Drops startup file
        
        PID:2864
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        113⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        114⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2692
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        115⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        116⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        117⤵
        Drops file in System32 directory
        
        PID:1604
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        118⤵
        
        PID:1192
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        120⤵
        
        PID:1332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        121⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        123⤵
        
        PID:2948
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        124⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        126⤵
        Drops startup file
        
        PID:940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        127⤵
        
        PID:308
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        128⤵
        
        PID:2212
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        129⤵
        Drops file in System32 directory
        
        PID:2200
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        130⤵
        Drops startup file
        
        PID:2360
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        132⤵
        
        PID:772
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        133⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:756
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        134⤵
        Drops file in System32 directory
        
        PID:2548
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        135⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        136⤵
        Drops startup file
        
        PID:2080
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        137⤵
        Drops startup file
        
        PID:2072
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        138⤵
        Drops startup file
        
        PID:1472
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        139⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2496
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        140⤵
        
        PID:816
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
920B

MD5
0febfe6379cdd5e5ae1b71d9c480eda6

SHA1
98931694d11e5b6381ea54c461ba807e87665118

SHA256
19870e83787e5a0f6e6edea4af1eb2f0f1059ec8f4c3ee9bdce24b886a4d0fbd

SHA512
0fbd976e14d84a1edce7a424e400009919c67b174830e31b786864b143749e2ff928effb27c95df0bc9c5e4486cb7dbc5e8973c350c95ed277f9928b4715c9e7

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
28B

MD5
9233a571164f54cadc0fae89fcfb2349

SHA1
8ee1aa7b1e38707f3ef0628f6632ca373c60e045

SHA256
b0892decdc2868d962f9c89fdc84e5ce4a9aa4bc6e855e568836ddeca8d956db

SHA512
e643537539b447df5bbd185053cc869ae8bfc79ece4bb7d9ce29dc55eae1031bff56d513687a7ad66ea6a181529f4879cbb3234080d7424420e4917b74429c80

Download Submit
\Windows\SysWOW64\dwdsregt.exe

Filesize
44KB

MD5
fa1eaa7a640df233e2e804b09e6da61d

SHA1
731cb37046a2b226489676f823858603ceca7a68

SHA256
f39d169fbf218491492b733b55d22dfc3e472d73fbd3d7413a42e1a5e672e2c2

SHA512
9140c68f38052cad7e17cf2592a488cc6e84fd13855ac88c9f512b4fa8b7daca5542b1ffa5534685b025f58aaec4da36d44fe1b0c3f2a345e8c8e1fbec447492

Download Submit