f11ce451be90b7384aa7d1171e12fe0542751904c3af7be7af0641be3457b898

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
Size

44KB
MD5

066ab0936561ad4dfa2fae261e88c9f8
SHA1

7744b1527f945a003aecb8fd13152900e3e841ff
SHA256

f11ce451be90b7384aa7d1171e12fe0542751904c3af7be7af0641be3457b898
SHA512

2527baed6050f6c16caedd94ebdb7909ad16d25498762b39bc00d14caa0d4d4800242ae57814a0c12f6dbf4765409ca9023f3d1849bd7fbad3b312ff48b66a79
SSDEEP

768:ZXZfQIti1+IyHp2dXX4ssh5E9g72Uh7986dO9pRo7t8L5ZFEntNO0:ZJfQ/WHKXIsshSgbhZe9pt+ntk0

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk	dwdsregt.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	dwdsregt.exe
2804	dwdsregt.exe
2572	dwdsregt.exe
3052	dwdsregt.exe
1608	dwdsregt.exe
1392	dwdsregt.exe
2392	dwdsregt.exe
1348	dwdsregt.exe
1112	dwdsregt.exe
3020	dwdsregt.exe
1324	dwdsregt.exe
772	dwdsregt.exe
468	dwdsregt.exe
2204	dwdsregt.exe
1792	dwdsregt.exe
668	dwdsregt.exe
1288	dwdsregt.exe
2156	dwdsregt.exe
1136	dwdsregt.exe
1880	dwdsregt.exe
1772	dwdsregt.exe
1096	dwdsregt.exe
2452	dwdsregt.exe
1012	dwdsregt.exe
2208	dwdsregt.exe
2076	dwdsregt.exe
2680	dwdsregt.exe
2860	dwdsregt.exe
2792	dwdsregt.exe
2776	dwdsregt.exe
2492	dwdsregt.exe
2832	dwdsregt.exe
2744	dwdsregt.exe
2148	dwdsregt.exe
2232	dwdsregt.exe
1268	dwdsregt.exe
2868	dwdsregt.exe
2268	dwdsregt.exe
1392	dwdsregt.exe
1592	dwdsregt.exe
2368	dwdsregt.exe
2644	dwdsregt.exe
2900	dwdsregt.exe
1828	dwdsregt.exe
2272	dwdsregt.exe
1964	dwdsregt.exe
2180	dwdsregt.exe
772	dwdsregt.exe
2284	dwdsregt.exe
1988	dwdsregt.exe
2972	dwdsregt.exe
2480	dwdsregt.exe
1856	dwdsregt.exe
1168	dwdsregt.exe
1636	dwdsregt.exe
528	dwdsregt.exe
572	dwdsregt.exe
1832	dwdsregt.exe
1156	dwdsregt.exe
680	dwdsregt.exe
3016	dwdsregt.exe
2072	dwdsregt.exe
1572	dwdsregt.exe
2816	dwdsregt.exe

Loads dropped DLL 64 IoCs

pid	Process
2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
2832	dwdsregt.exe
2832	dwdsregt.exe
2804	dwdsregt.exe
2804	dwdsregt.exe
2572	dwdsregt.exe
2572	dwdsregt.exe
3052	dwdsregt.exe
3052	dwdsregt.exe
1608	dwdsregt.exe
1608	dwdsregt.exe
1392	dwdsregt.exe
1392	dwdsregt.exe
2392	dwdsregt.exe
2392	dwdsregt.exe
1348	dwdsregt.exe
1348	dwdsregt.exe
1112	dwdsregt.exe
1112	dwdsregt.exe
3020	dwdsregt.exe
3020	dwdsregt.exe
1324	dwdsregt.exe
1324	dwdsregt.exe
772	dwdsregt.exe
772	dwdsregt.exe
468	dwdsregt.exe
468	dwdsregt.exe
2204	dwdsregt.exe
2204	dwdsregt.exe
1792	dwdsregt.exe
1792	dwdsregt.exe
668	dwdsregt.exe
668	dwdsregt.exe
1288	dwdsregt.exe
1288	dwdsregt.exe
2156	dwdsregt.exe
2156	dwdsregt.exe
1136	dwdsregt.exe
1136	dwdsregt.exe
1880	dwdsregt.exe
1880	dwdsregt.exe
1772	dwdsregt.exe
1772	dwdsregt.exe
1096	dwdsregt.exe
1096	dwdsregt.exe
2452	dwdsregt.exe
2452	dwdsregt.exe
1012	dwdsregt.exe
1012	dwdsregt.exe
2208	dwdsregt.exe
2208	dwdsregt.exe
2076	dwdsregt.exe
2076	dwdsregt.exe
2680	dwdsregt.exe
2680	dwdsregt.exe
2860	dwdsregt.exe
2860	dwdsregt.exe
2792	dwdsregt.exe
2792	dwdsregt.exe
2776	dwdsregt.exe
2776	dwdsregt.exe
2492	dwdsregt.exe
2492	dwdsregt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	\??\c:\windows\SysWOW64\dwdsregt.exe	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_01_10_24.log	dwdsregt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
2832	dwdsregt.exe
2804	dwdsregt.exe
2572	dwdsregt.exe
3052	dwdsregt.exe
1608	dwdsregt.exe
1392	dwdsregt.exe
2392	dwdsregt.exe
1348	dwdsregt.exe
1112	dwdsregt.exe
3020	dwdsregt.exe
1324	dwdsregt.exe
772	dwdsregt.exe
468	dwdsregt.exe
2204	dwdsregt.exe
1792	dwdsregt.exe
668	dwdsregt.exe
1288	dwdsregt.exe
2156	dwdsregt.exe
1136	dwdsregt.exe
1880	dwdsregt.exe
1772	dwdsregt.exe
1096	dwdsregt.exe
2452	dwdsregt.exe
1012	dwdsregt.exe
2208	dwdsregt.exe
2076	dwdsregt.exe
2680	dwdsregt.exe
2792	dwdsregt.exe
2776	dwdsregt.exe
2492	dwdsregt.exe
2832	dwdsregt.exe
2744	dwdsregt.exe
2148	dwdsregt.exe
2232	dwdsregt.exe
1268	dwdsregt.exe
2868	dwdsregt.exe
2268	dwdsregt.exe
1392	dwdsregt.exe
1592	dwdsregt.exe
2368	dwdsregt.exe
2644	dwdsregt.exe
2900	dwdsregt.exe
1828	dwdsregt.exe
2272	dwdsregt.exe
1964	dwdsregt.exe
2180	dwdsregt.exe
772	dwdsregt.exe
2284	dwdsregt.exe
1988	dwdsregt.exe
2972	dwdsregt.exe
2480	dwdsregt.exe
1856	dwdsregt.exe
1168	dwdsregt.exe
1636	dwdsregt.exe
528	dwdsregt.exe
572	dwdsregt.exe
1832	dwdsregt.exe
1156	dwdsregt.exe
680	dwdsregt.exe
3016	dwdsregt.exe
2072	dwdsregt.exe
1572	dwdsregt.exe
2816	dwdsregt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2832	2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2832	2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2832	2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2832	2776	066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe	30
PID 2832 wrote to memory of 2804	2832	dwdsregt.exe	31
PID 2832 wrote to memory of 2804	2832	dwdsregt.exe	31
PID 2832 wrote to memory of 2804	2832	dwdsregt.exe	31
PID 2832 wrote to memory of 2804	2832	dwdsregt.exe	31
PID 2804 wrote to memory of 2572	2804	dwdsregt.exe	32
PID 2804 wrote to memory of 2572	2804	dwdsregt.exe	32
PID 2804 wrote to memory of 2572	2804	dwdsregt.exe	32
PID 2804 wrote to memory of 2572	2804	dwdsregt.exe	32
PID 2572 wrote to memory of 3052	2572	dwdsregt.exe	33
PID 2572 wrote to memory of 3052	2572	dwdsregt.exe	33
PID 2572 wrote to memory of 3052	2572	dwdsregt.exe	33
PID 2572 wrote to memory of 3052	2572	dwdsregt.exe	33
PID 3052 wrote to memory of 1608	3052	dwdsregt.exe	34
PID 3052 wrote to memory of 1608	3052	dwdsregt.exe	34
PID 3052 wrote to memory of 1608	3052	dwdsregt.exe	34
PID 3052 wrote to memory of 1608	3052	dwdsregt.exe	34
PID 1608 wrote to memory of 1392	1608	dwdsregt.exe	35
PID 1608 wrote to memory of 1392	1608	dwdsregt.exe	35
PID 1608 wrote to memory of 1392	1608	dwdsregt.exe	35
PID 1608 wrote to memory of 1392	1608	dwdsregt.exe	35
PID 1392 wrote to memory of 2392	1392	dwdsregt.exe	36
PID 1392 wrote to memory of 2392	1392	dwdsregt.exe	36
PID 1392 wrote to memory of 2392	1392	dwdsregt.exe	36
PID 1392 wrote to memory of 2392	1392	dwdsregt.exe	36
PID 2392 wrote to memory of 1348	2392	dwdsregt.exe	37
PID 2392 wrote to memory of 1348	2392	dwdsregt.exe	37
PID 2392 wrote to memory of 1348	2392	dwdsregt.exe	37
PID 2392 wrote to memory of 1348	2392	dwdsregt.exe	37
PID 1348 wrote to memory of 1112	1348	dwdsregt.exe	38
PID 1348 wrote to memory of 1112	1348	dwdsregt.exe	38
PID 1348 wrote to memory of 1112	1348	dwdsregt.exe	38
PID 1348 wrote to memory of 1112	1348	dwdsregt.exe	38
PID 1112 wrote to memory of 3020	1112	dwdsregt.exe	39
PID 1112 wrote to memory of 3020	1112	dwdsregt.exe	39
PID 1112 wrote to memory of 3020	1112	dwdsregt.exe	39
PID 1112 wrote to memory of 3020	1112	dwdsregt.exe	39
PID 3020 wrote to memory of 1324	3020	dwdsregt.exe	40
PID 3020 wrote to memory of 1324	3020	dwdsregt.exe	40
PID 3020 wrote to memory of 1324	3020	dwdsregt.exe	40
PID 3020 wrote to memory of 1324	3020	dwdsregt.exe	40
PID 1324 wrote to memory of 772	1324	dwdsregt.exe	41
PID 1324 wrote to memory of 772	1324	dwdsregt.exe	41
PID 1324 wrote to memory of 772	1324	dwdsregt.exe	41
PID 1324 wrote to memory of 772	1324	dwdsregt.exe	41
PID 772 wrote to memory of 468	772	dwdsregt.exe	42
PID 772 wrote to memory of 468	772	dwdsregt.exe	42
PID 772 wrote to memory of 468	772	dwdsregt.exe	42
PID 772 wrote to memory of 468	772	dwdsregt.exe	42
PID 468 wrote to memory of 2204	468	dwdsregt.exe	43
PID 468 wrote to memory of 2204	468	dwdsregt.exe	43
PID 468 wrote to memory of 2204	468	dwdsregt.exe	43
PID 468 wrote to memory of 2204	468	dwdsregt.exe	43
PID 2204 wrote to memory of 1792	2204	dwdsregt.exe	44
PID 2204 wrote to memory of 1792	2204	dwdsregt.exe	44
PID 2204 wrote to memory of 1792	2204	dwdsregt.exe	44
PID 2204 wrote to memory of 1792	2204	dwdsregt.exe	44
PID 1792 wrote to memory of 668	1792	dwdsregt.exe	45
PID 1792 wrote to memory of 668	1792	dwdsregt.exe	45
PID 1792 wrote to memory of 668	1792	dwdsregt.exe	45
PID 1792 wrote to memory of 668	1792	dwdsregt.exe	45

C:\Users\Admin\AppData\Local\Temp\066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\066ab0936561ad4dfa2fae261e88c9f8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- \??\c:\windows\SysWOW64\dwdsregt.exe
  c:\windows\system32\dwdsregt.exe GID002
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - \??\c:\windows\SysWOW64\dwdsregt.exe
    c:\windows\system32\dwdsregt.exe GID002
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - \??\c:\windows\SysWOW64\dwdsregt.exe
      c:\windows\system32\dwdsregt.exe GID002
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        9⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        11⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        12⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        14⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        15⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        18⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        21⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        22⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        23⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        24⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        25⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        35⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        36⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        39⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        40⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        41⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        43⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        44⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        45⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        50⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        52⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        54⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        55⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        56⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        57⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        59⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        60⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        61⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        62⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        63⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        64⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        65⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        67⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        70⤵
        
        PID:2648
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        72⤵
        Drops file in System32 directory
        
        PID:872
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        73⤵
        
        PID:364
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        74⤵
        Drops startup file
        
        PID:1596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        75⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        76⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        77⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2392
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        78⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1152
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        80⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2904
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        82⤵
        Drops file in System32 directory
        
        PID:2272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        83⤵
        
        PID:556
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        84⤵
        
        PID:2180
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        86⤵
        
        PID:2204
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        87⤵
        Drops file in System32 directory
        
        PID:2004
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        88⤵
        
        PID:828
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        93⤵
        
        PID:912
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        94⤵
        Drops file in System32 directory
        
        PID:1820
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        95⤵
        
        PID:2088
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        96⤵
        
        PID:2948
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        97⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        98⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        99⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        100⤵
        Drops startup file
        
        PID:1576
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        102⤵
        
        PID:2780
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        103⤵
        
        PID:2852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        105⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2056
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        106⤵
        Drops startup file
        
        PID:2576
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        108⤵
        Drops startup file
        
        PID:2132
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        110⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        114⤵
        Drops startup file
        
        PID:2940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        115⤵
        
        PID:2184
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        116⤵
        Drops startup file
        
        PID:2808
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        118⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        119⤵
        
        PID:1944
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        121⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        122⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        123⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        124⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:536
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        126⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        127⤵
        Drops startup file
        
        PID:1524
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        128⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1656
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        130⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe GID002
        131⤵
        
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk

Filesize
914B

MD5
bbce1d4b7e0796eea6cd319940bb9c12

SHA1
a8a0d480e1d7ef4f7a537a521d5612d6dcf3d381

SHA256
307e2334026a878a092fa9f64cb07b5d01edfc76b13b64a62e8e79f559e700f2

SHA512
15108b9a58a0063e8565dbca7077e48ac1b19c62503d08175eab0a8fba0f4ccb9b4fe6c9fa53a8056d03c96f0e1c35ad1984d7a292e8d0a117deb74f40640477

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
28B

MD5
d518e0ec313acdc44ebbdd3c48f16863

SHA1
1c56d128fa3bf2038cafb2c13e17185b57583cb3

SHA256
e14720a7da4a8095e008c7c79d1d4a625b67dd95bdbfb246e778bc34029ac28a

SHA512
3b012bc37559be84094fa21e48a6b565d550388b00d3d650bac5c5817b7a371a51260e1624222928f2036200ff90ea5d546bbcae55268044d2c295a814b28394

Download Submit
\Windows\SysWOW64\dwdsregt.exe

Filesize
44KB

MD5
34cd97816039f431fa958da38979d436

SHA1
c8d3ca15a7836f1a666695f046dbda39dee3c75f

SHA256
0a59f2cc4c49681491d32ee2aef5b8e22a6856931caa8278bc75f78c2fe02f90

SHA512
1f77292eb77b66e70bf1c3e31126e85ff0b2580741c9736a757765ac0ddf07c821152ba7ca1b68879542a3bad10bb3626a2ca52cd713d9952706c10e0b8047c2

Download Submit