341c37f0a0998f5b3a6b5ba4b1528dfebb3897102294e4b2c136ac2da8f93db5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
Size

44KB
MD5

7409a53b4bdf27b01443fa9ef82ef2ff
SHA1

97b2a8914d03ee069b6465f508b7192fb35baaad
SHA256

341c37f0a0998f5b3a6b5ba4b1528dfebb3897102294e4b2c136ac2da8f93db5
SHA512

587948f1ad2216fa72e1bcf4ca7b300a6689edb4ae6d38ec72fbdacd75c446668eefa2ea1ad01eda6a657e3fc40f740c4cdacbf60ac5024d3e1186fbbe917cae
SSDEEP

768:4bZf4IlYHLIaHR2dXvq50wh5E9g7uUh7986dOGpRo7t845kFEntNO0:4lf4pXHiX+0whSgThZeGpX+ntk0

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe

Executes dropped EXE 64 IoCs

pid	Process
2140	dwdsregt.exe
2896	dwdsregt.exe
3580	dwdsregt.exe
3940	dwdsregt.exe
3888	dwdsregt.exe
4844	dwdsregt.exe
1012	dwdsregt.exe
1944	dwdsregt.exe
4888	dwdsregt.exe
5072	dwdsregt.exe
3872	dwdsregt.exe
4372	dwdsregt.exe
1016	dwdsregt.exe
792	dwdsregt.exe
3316	dwdsregt.exe
4320	dwdsregt.exe
3956	dwdsregt.exe
5000	dwdsregt.exe
4312	dwdsregt.exe
2784	dwdsregt.exe
4544	dwdsregt.exe
2000	dwdsregt.exe
3060	dwdsregt.exe
3188	dwdsregt.exe
2896	dwdsregt.exe
3580	dwdsregt.exe
908	dwdsregt.exe
2076	dwdsregt.exe
3260	dwdsregt.exe
2280	dwdsregt.exe
4804	dwdsregt.exe
4724	dwdsregt.exe
4036	dwdsregt.exe
112	dwdsregt.exe
2208	dwdsregt.exe
4344	dwdsregt.exe
4848	dwdsregt.exe
2604	dwdsregt.exe
3400	dwdsregt.exe
236	dwdsregt.exe
4348	dwdsregt.exe
4308	dwdsregt.exe
3460	dwdsregt.exe
4788	dwdsregt.exe
1716	dwdsregt.exe
2712	dwdsregt.exe
4364	dwdsregt.exe
2024	dwdsregt.exe
1948	dwdsregt.exe
4696	dwdsregt.exe
2420	dwdsregt.exe
1008	dwdsregt.exe
436	dwdsregt.exe
3668	dwdsregt.exe
264	dwdsregt.exe
2136	dwdsregt.exe
1856	dwdsregt.exe
3260	dwdsregt.exe
4888	dwdsregt.exe
3604	dwdsregt.exe
2668	dwdsregt.exe
4212	dwdsregt.exe
112	dwdsregt.exe
2664	dwdsregt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File created	C:\Windows\SysWOW64\msnav32.ax	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_26_07_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3568	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
2140	dwdsregt.exe
2896	dwdsregt.exe
3580	dwdsregt.exe
3940	dwdsregt.exe
3888	dwdsregt.exe
4844	dwdsregt.exe
1012	dwdsregt.exe
1944	dwdsregt.exe
4888	dwdsregt.exe
5072	dwdsregt.exe
3872	dwdsregt.exe
4372	dwdsregt.exe
1016	dwdsregt.exe
792	dwdsregt.exe
3316	dwdsregt.exe
4320	dwdsregt.exe
3956	dwdsregt.exe
5000	dwdsregt.exe
4312	dwdsregt.exe
2784	dwdsregt.exe
4544	dwdsregt.exe
2000	dwdsregt.exe
3060	dwdsregt.exe
3188	dwdsregt.exe
2896	dwdsregt.exe
3580	dwdsregt.exe
908	dwdsregt.exe
2076	dwdsregt.exe
3260	dwdsregt.exe
2280	dwdsregt.exe
4804	dwdsregt.exe
4724	dwdsregt.exe
4036	dwdsregt.exe
112	dwdsregt.exe
2208	dwdsregt.exe
4344	dwdsregt.exe
4848	dwdsregt.exe
2604	dwdsregt.exe
3400	dwdsregt.exe
236	dwdsregt.exe
4348	dwdsregt.exe
4308	dwdsregt.exe
3460	dwdsregt.exe
4788	dwdsregt.exe
1716	dwdsregt.exe
2712	dwdsregt.exe
4364	dwdsregt.exe
2024	dwdsregt.exe
1948	dwdsregt.exe
4696	dwdsregt.exe
2420	dwdsregt.exe
1008	dwdsregt.exe
436	dwdsregt.exe
3668	dwdsregt.exe
264	dwdsregt.exe
2136	dwdsregt.exe
1856	dwdsregt.exe
3260	dwdsregt.exe
4888	dwdsregt.exe
3604	dwdsregt.exe
2668	dwdsregt.exe
4212	dwdsregt.exe
112	dwdsregt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2140	3568	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	87
PID 3568 wrote to memory of 2140	3568	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	87
PID 3568 wrote to memory of 2140	3568	7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe	87
PID 2140 wrote to memory of 2896	2140	dwdsregt.exe	89
PID 2140 wrote to memory of 2896	2140	dwdsregt.exe	89
PID 2140 wrote to memory of 2896	2140	dwdsregt.exe	89
PID 2896 wrote to memory of 3580	2896	dwdsregt.exe	92
PID 2896 wrote to memory of 3580	2896	dwdsregt.exe	92
PID 2896 wrote to memory of 3580	2896	dwdsregt.exe	92
PID 3580 wrote to memory of 3940	3580	dwdsregt.exe	95
PID 3580 wrote to memory of 3940	3580	dwdsregt.exe	95
PID 3580 wrote to memory of 3940	3580	dwdsregt.exe	95
PID 3940 wrote to memory of 3888	3940	dwdsregt.exe	96
PID 3940 wrote to memory of 3888	3940	dwdsregt.exe	96
PID 3940 wrote to memory of 3888	3940	dwdsregt.exe	96
PID 3888 wrote to memory of 4844	3888	dwdsregt.exe	97
PID 3888 wrote to memory of 4844	3888	dwdsregt.exe	97
PID 3888 wrote to memory of 4844	3888	dwdsregt.exe	97
PID 4844 wrote to memory of 1012	4844	dwdsregt.exe	99
PID 4844 wrote to memory of 1012	4844	dwdsregt.exe	99
PID 4844 wrote to memory of 1012	4844	dwdsregt.exe	99
PID 1012 wrote to memory of 1944	1012	dwdsregt.exe	100
PID 1012 wrote to memory of 1944	1012	dwdsregt.exe	100
PID 1012 wrote to memory of 1944	1012	dwdsregt.exe	100
PID 1944 wrote to memory of 4888	1944	dwdsregt.exe	103
PID 1944 wrote to memory of 4888	1944	dwdsregt.exe	103
PID 1944 wrote to memory of 4888	1944	dwdsregt.exe	103
PID 4888 wrote to memory of 5072	4888	dwdsregt.exe	104
PID 4888 wrote to memory of 5072	4888	dwdsregt.exe	104
PID 4888 wrote to memory of 5072	4888	dwdsregt.exe	104
PID 5072 wrote to memory of 3872	5072	dwdsregt.exe	105
PID 5072 wrote to memory of 3872	5072	dwdsregt.exe	105
PID 5072 wrote to memory of 3872	5072	dwdsregt.exe	105
PID 3872 wrote to memory of 4372	3872	dwdsregt.exe	106
PID 3872 wrote to memory of 4372	3872	dwdsregt.exe	106
PID 3872 wrote to memory of 4372	3872	dwdsregt.exe	106
PID 4372 wrote to memory of 1016	4372	dwdsregt.exe	107
PID 4372 wrote to memory of 1016	4372	dwdsregt.exe	107
PID 4372 wrote to memory of 1016	4372	dwdsregt.exe	107
PID 1016 wrote to memory of 792	1016	dwdsregt.exe	108
PID 1016 wrote to memory of 792	1016	dwdsregt.exe	108
PID 1016 wrote to memory of 792	1016	dwdsregt.exe	108
PID 792 wrote to memory of 3316	792	dwdsregt.exe	109
PID 792 wrote to memory of 3316	792	dwdsregt.exe	109
PID 792 wrote to memory of 3316	792	dwdsregt.exe	109
PID 3316 wrote to memory of 4320	3316	dwdsregt.exe	110
PID 3316 wrote to memory of 4320	3316	dwdsregt.exe	110
PID 3316 wrote to memory of 4320	3316	dwdsregt.exe	110
PID 4320 wrote to memory of 3956	4320	dwdsregt.exe	111
PID 4320 wrote to memory of 3956	4320	dwdsregt.exe	111
PID 4320 wrote to memory of 3956	4320	dwdsregt.exe	111
PID 3956 wrote to memory of 5000	3956	dwdsregt.exe	112
PID 3956 wrote to memory of 5000	3956	dwdsregt.exe	112
PID 3956 wrote to memory of 5000	3956	dwdsregt.exe	112
PID 5000 wrote to memory of 4312	5000	dwdsregt.exe	113
PID 5000 wrote to memory of 4312	5000	dwdsregt.exe	113
PID 5000 wrote to memory of 4312	5000	dwdsregt.exe	113
PID 4312 wrote to memory of 2784	4312	dwdsregt.exe	114
PID 4312 wrote to memory of 2784	4312	dwdsregt.exe	114
PID 4312 wrote to memory of 2784	4312	dwdsregt.exe	114
PID 2784 wrote to memory of 4544	2784	dwdsregt.exe	115
PID 2784 wrote to memory of 4544	2784	dwdsregt.exe	115
PID 2784 wrote to memory of 4544	2784	dwdsregt.exe	115
PID 4544 wrote to memory of 2000	4544	dwdsregt.exe	116

C:\Users\Admin\AppData\Local\Temp\7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7409a53b4bdf27b01443fa9ef82ef2ff_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568
- \??\c:\windows\SysWOW64\dwdsregt.exe
  c:\windows\system32\dwdsregt.exe OLI001
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - \??\c:\windows\SysWOW64\dwdsregt.exe
    c:\windows\system32\dwdsregt.exe OLI001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - \??\c:\windows\SysWOW64\dwdsregt.exe
      c:\windows\system32\dwdsregt.exe OLI001
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3580
    - - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        7⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        8⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        9⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        13⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        15⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        17⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        18⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        21⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        22⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        23⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        25⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        30⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        31⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        32⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4804
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        35⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        36⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        38⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        39⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        40⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:236
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        42⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        43⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        44⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        46⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        51⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        52⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        53⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3668
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        56⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        61⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        64⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        65⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        67⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        68⤵
        Drops startup file
        
        PID:3644
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        69⤵
        Drops startup file
        
        PID:3844
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        70⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3400
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        71⤵
        
        PID:236
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        72⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4348
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        73⤵
        Drops file in System32 directory
        
        PID:4316
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        77⤵
        Drops startup file
        
        PID:3392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        78⤵
        
        PID:4540
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        79⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4744
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        80⤵
        
        PID:1524
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        81⤵
        Drops startup file
        
        PID:2532
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        82⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        85⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        86⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1828
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        87⤵
        Drops startup file
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        88⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        91⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1684
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        93⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        94⤵
        
        PID:2348
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        96⤵
        
        PID:5112
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        97⤵
        Drops startup file
        
        PID:464
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        98⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1200
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        99⤵
        Drops startup file
        
        PID:4788
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        100⤵
        Drops startup file
        
        PID:1716
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        102⤵
        Drops startup file
        
        PID:4540
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        103⤵
        Drops file in System32 directory
        
        PID:2024
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        104⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        105⤵
        Drops file in System32 directory
        
        PID:756
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        108⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2504
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        109⤵
        
        PID:3580
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        110⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        112⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        113⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        114⤵
        
        PID:3748
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        115⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        118⤵
        
        PID:2392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        119⤵
        Drops file in System32 directory
        
        PID:2744
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        120⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        121⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:868
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        122⤵
        Drops file in System32 directory
        
        PID:1344
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        124⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4580
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        125⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        128⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3460
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        129⤵
        Drops file in System32 directory
        
        PID:4940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        130⤵
        
        PID:2304
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe OLI001
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
43dd9464124b9d65d37cf9283d2d1986

SHA1
55921f649a78788503da072eeae3bd606c3c2312

SHA256
e8f54e9325aafc8f65c4170778527500991a8c4b2fed5a95bcb14974b8200fd3

SHA512
af46696b00c9cfba4d9d60cffa5df3544cc9deb8cb8889734621ce4f0e46c7e0bfa10845d45fd8e2dfabee1722ba7e2eb196fb69148d99d933f3da982bc31f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
d5eeb39c69d0a5928ccd63f75eff95b5

SHA1
5c47103852171682d7db5e65666947e18420850f

SHA256
772782af65689791e3b5a0091dc2ec96a8aef489e4ac75640ec87c99be4f6d38

SHA512
bedae2b2183a83344eff07dbe9a0eee7c993328547a5f133f110a5839fde3ad14c8838693787e32f90f2aba62959e776fb2e1e46260846d51b301148c6e1397c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
7bd1b6032ce9a29e151993b2d4c4c619

SHA1
2ab3a8bd061d168596cb92b0e960bf7dbd3aaada

SHA256
9d1a64e5e3329cadcef3a1510e5d68e960b99f4a5695042fcd63f87df807abf1

SHA512
0b9991ac1004e68b4c41a16f5b55d3519c1744c32060c8b22b2158a70c981042a4dbe7443f0c07617759d81e27d776e3d7da45814b7546b0a145f293468649f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
169c429a1a0ad0f180e120e57f17e2cd

SHA1
2f727c2a14bfd4047dde1264190d9be401ea2401

SHA256
05c6269a6adb47c45c83b29aef2da6f5afdcd1141a70829779f5320c71bed28c

SHA512
d587209e6b87fa53d359993c76a3aa39913dbffd2e5692ad015578e131cb83d1799c5108ac45769052f87976551959bed27bc4a9da387305eaa0c7f1e9f67378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
7003afbc63b8430a641d3e5c6c96f65b

SHA1
caa5db83040a5028e65e7caf2a5345075f2c5884

SHA256
a1787fed15b4858a7f21d5d2c59f5b7120de215c2638b02c65b34c50c4c6cb09

SHA512
11abba34d0d390657b1a3180fb866eec66ffafd9f225db00472ca277f6907c6a95792dc59523bd786a0a92fe74c8c9b1c8432698ff5fb9496eaca4efb5d0bfed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
5e954ae2f6aa315313089c50bf8bbb5b

SHA1
77c4aad6e7a0674d487a5e6d246f19e04c313522

SHA256
f8c03524b4698e9b477e3ed380e9c1c9920bda52f1f2f252bbcf92e9e8c61b49

SHA512
599b07631bf935901218ee16a4294680636c1cd1f3145fc95e05940a92e6625c9920172024bf8575019f5f7032944f9e57aec3bee3171d083a86c037306222e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
0c753c8862b07e6fbf0a0db67a105e12

SHA1
111fabe5558f0e1d41ec847be3196cc7edeeab5b

SHA256
9b39a3bb39171f4a6fa7891bc9cd67813801c1ec66915111c1f52bb52954389d

SHA512
350c1e058bdecef0c8de06e58dbeb52d08f820165e07ddb3cf5b705ad899d96de0a879aa00aa95b27c8f4666b087c3dac142dafcfdeab5ad811e39c008e25ef2

Download Submit
C:\Windows\SysWOW64\dwdsregt.exe

Filesize
44KB

MD5
cc8e9c4b94c3f8efdbe7d6225e3faa31

SHA1
12f7f596bdc7264a45c2447ce795d4672a6addef

SHA256
8abde24f05361d66a73e6f8ee7079fbf5a7480b11be96c168f21372a9adec1a3

SHA512
1aaf2bf48841008eec3f1b6978fb0f2b5cf340d82dcddd7b6f444f958f42c8bb3fd238ca967c8873494f937c4f11850b9a51c484e9c7542e20a0a8689be65eba

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
28B

MD5
9233a571164f54cadc0fae89fcfb2349

SHA1
8ee1aa7b1e38707f3ef0628f6632ca373c60e045

SHA256
b0892decdc2868d962f9c89fdc84e5ce4a9aa4bc6e855e568836ddeca8d956db

SHA512
e643537539b447df5bbd185053cc869ae8bfc79ece4bb7d9ce29dc55eae1031bff56d513687a7ad66ea6a181529f4879cbb3234080d7424420e4917b74429c80

Download Submit