bd564910525c66d85064008b1b0bd83d0098de2fc3dc61d2ffa49e04195ed842

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
Size

48KB
MD5

bd5b9329dce9d28b3ef8aba91494d54e
SHA1

9f3838987cf3636cb555d927829a77da660b9e18
SHA256

bd564910525c66d85064008b1b0bd83d0098de2fc3dc61d2ffa49e04195ed842
SHA512

75d28683402913fa65bd149aba35124a79fbc091450e05b8d03906c29862702a0363f1c42d410f80e5f5a866542ce63ce16a8631a4fe4bd60ef4e1661ee21a57
SSDEEP

768:dbZf4IlYHLIaHR2dXvq50wh5E9g7uUh7986dOXpRo7t845kFEntNOY:dlf4pXHiX+0whSgThZeXpX+ntkY

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsregt.exe

Executes dropped EXE 64 IoCs

pid	Process
2456	dwdsregt.exe
3720	dwdsregt.exe
2068	dwdsregt.exe
3028	dwdsregt.exe
680	dwdsregt.exe
1216	dwdsregt.exe
2428	dwdsregt.exe
3904	dwdsregt.exe
1512	dwdsregt.exe
4264	dwdsregt.exe
4448	dwdsregt.exe
1748	dwdsregt.exe
396	dwdsregt.exe
4216	dwdsregt.exe
5060	dwdsregt.exe
780	dwdsregt.exe
1608	dwdsregt.exe
2028	dwdsregt.exe
4004	dwdsregt.exe
3984	dwdsregt.exe
1040	dwdsregt.exe
2952	dwdsregt.exe
4268	dwdsregt.exe
4892	dwdsregt.exe
1448	dwdsregt.exe
4580	dwdsregt.exe
3720	dwdsregt.exe
924	dwdsregt.exe
2360	dwdsregt.exe
4732	dwdsregt.exe
1044	dwdsregt.exe
4020	dwdsregt.exe
1596	dwdsregt.exe
1512	dwdsregt.exe
5004	dwdsregt.exe
2888	dwdsregt.exe
4172	dwdsregt.exe
4332	dwdsregt.exe
380	dwdsregt.exe
3340	dwdsregt.exe
3616	dwdsregt.exe
4848	dwdsregt.exe
2620	dwdsregt.exe
4280	dwdsregt.exe
4072	dwdsregt.exe
3680	dwdsregt.exe
1608	dwdsregt.exe
2028	dwdsregt.exe
3404	dwdsregt.exe
3984	dwdsregt.exe
1040	dwdsregt.exe
2952	dwdsregt.exe
4852	dwdsregt.exe
4960	dwdsregt.exe
5048	dwdsregt.exe
2388	dwdsregt.exe
4576	dwdsregt.exe
1556	dwdsregt.exe
1280	dwdsregt.exe
3940	dwdsregt.exe
1264	dwdsregt.exe
2408	dwdsregt.exe
4020	dwdsregt.exe
3272	dwdsregt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\msnav32.ax	dwdsregt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_23_08_24.log	dwdsregt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsregt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2816	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
2456	dwdsregt.exe
3720	dwdsregt.exe
2068	dwdsregt.exe
3028	dwdsregt.exe
680	dwdsregt.exe
1216	dwdsregt.exe
2428	dwdsregt.exe
3904	dwdsregt.exe
1512	dwdsregt.exe
4264	dwdsregt.exe
4448	dwdsregt.exe
1748	dwdsregt.exe
396	dwdsregt.exe
4216	dwdsregt.exe
5060	dwdsregt.exe
780	dwdsregt.exe
1608	dwdsregt.exe
2028	dwdsregt.exe
4004	dwdsregt.exe
3984	dwdsregt.exe
1040	dwdsregt.exe
2952	dwdsregt.exe
4268	dwdsregt.exe
4892	dwdsregt.exe
1448	dwdsregt.exe
4580	dwdsregt.exe
3720	dwdsregt.exe
924	dwdsregt.exe
2360	dwdsregt.exe
4732	dwdsregt.exe
1044	dwdsregt.exe
4020	dwdsregt.exe
1596	dwdsregt.exe
1512	dwdsregt.exe
5004	dwdsregt.exe
2888	dwdsregt.exe
4172	dwdsregt.exe
4332	dwdsregt.exe
380	dwdsregt.exe
3340	dwdsregt.exe
3616	dwdsregt.exe
4848	dwdsregt.exe
2620	dwdsregt.exe
4280	dwdsregt.exe
4072	dwdsregt.exe
3680	dwdsregt.exe
1608	dwdsregt.exe
2028	dwdsregt.exe
3404	dwdsregt.exe
3984	dwdsregt.exe
1040	dwdsregt.exe
2952	dwdsregt.exe
4852	dwdsregt.exe
4960	dwdsregt.exe
5048	dwdsregt.exe
2388	dwdsregt.exe
4576	dwdsregt.exe
1556	dwdsregt.exe
1280	dwdsregt.exe
3940	dwdsregt.exe
1264	dwdsregt.exe
2408	dwdsregt.exe
4020	dwdsregt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2456	2816	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2456	2816	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2456	2816	bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe	89
PID 2456 wrote to memory of 3720	2456	dwdsregt.exe	90
PID 2456 wrote to memory of 3720	2456	dwdsregt.exe	90
PID 2456 wrote to memory of 3720	2456	dwdsregt.exe	90
PID 3720 wrote to memory of 2068	3720	dwdsregt.exe	93
PID 3720 wrote to memory of 2068	3720	dwdsregt.exe	93
PID 3720 wrote to memory of 2068	3720	dwdsregt.exe	93
PID 2068 wrote to memory of 3028	2068	dwdsregt.exe	96
PID 2068 wrote to memory of 3028	2068	dwdsregt.exe	96
PID 2068 wrote to memory of 3028	2068	dwdsregt.exe	96
PID 3028 wrote to memory of 680	3028	dwdsregt.exe	97
PID 3028 wrote to memory of 680	3028	dwdsregt.exe	97
PID 3028 wrote to memory of 680	3028	dwdsregt.exe	97
PID 680 wrote to memory of 1216	680	dwdsregt.exe	98
PID 680 wrote to memory of 1216	680	dwdsregt.exe	98
PID 680 wrote to memory of 1216	680	dwdsregt.exe	98
PID 1216 wrote to memory of 2428	1216	dwdsregt.exe	100
PID 1216 wrote to memory of 2428	1216	dwdsregt.exe	100
PID 1216 wrote to memory of 2428	1216	dwdsregt.exe	100
PID 2428 wrote to memory of 3904	2428	dwdsregt.exe	101
PID 2428 wrote to memory of 3904	2428	dwdsregt.exe	101
PID 2428 wrote to memory of 3904	2428	dwdsregt.exe	101
PID 3904 wrote to memory of 1512	3904	dwdsregt.exe	103
PID 3904 wrote to memory of 1512	3904	dwdsregt.exe	103
PID 3904 wrote to memory of 1512	3904	dwdsregt.exe	103
PID 1512 wrote to memory of 4264	1512	dwdsregt.exe	105
PID 1512 wrote to memory of 4264	1512	dwdsregt.exe	105
PID 1512 wrote to memory of 4264	1512	dwdsregt.exe	105
PID 4264 wrote to memory of 4448	4264	dwdsregt.exe	106
PID 4264 wrote to memory of 4448	4264	dwdsregt.exe	106
PID 4264 wrote to memory of 4448	4264	dwdsregt.exe	106
PID 4448 wrote to memory of 1748	4448	dwdsregt.exe	107
PID 4448 wrote to memory of 1748	4448	dwdsregt.exe	107
PID 4448 wrote to memory of 1748	4448	dwdsregt.exe	107
PID 1748 wrote to memory of 396	1748	dwdsregt.exe	108
PID 1748 wrote to memory of 396	1748	dwdsregt.exe	108
PID 1748 wrote to memory of 396	1748	dwdsregt.exe	108
PID 396 wrote to memory of 4216	396	dwdsregt.exe	109
PID 396 wrote to memory of 4216	396	dwdsregt.exe	109
PID 396 wrote to memory of 4216	396	dwdsregt.exe	109
PID 4216 wrote to memory of 5060	4216	dwdsregt.exe	110
PID 4216 wrote to memory of 5060	4216	dwdsregt.exe	110
PID 4216 wrote to memory of 5060	4216	dwdsregt.exe	110
PID 5060 wrote to memory of 780	5060	dwdsregt.exe	111
PID 5060 wrote to memory of 780	5060	dwdsregt.exe	111
PID 5060 wrote to memory of 780	5060	dwdsregt.exe	111
PID 780 wrote to memory of 1608	780	dwdsregt.exe	112
PID 780 wrote to memory of 1608	780	dwdsregt.exe	112
PID 780 wrote to memory of 1608	780	dwdsregt.exe	112
PID 1608 wrote to memory of 2028	1608	dwdsregt.exe	113
PID 1608 wrote to memory of 2028	1608	dwdsregt.exe	113
PID 1608 wrote to memory of 2028	1608	dwdsregt.exe	113
PID 2028 wrote to memory of 4004	2028	dwdsregt.exe	114
PID 2028 wrote to memory of 4004	2028	dwdsregt.exe	114
PID 2028 wrote to memory of 4004	2028	dwdsregt.exe	114
PID 4004 wrote to memory of 3984	4004	dwdsregt.exe	115
PID 4004 wrote to memory of 3984	4004	dwdsregt.exe	115
PID 4004 wrote to memory of 3984	4004	dwdsregt.exe	115
PID 3984 wrote to memory of 1040	3984	dwdsregt.exe	116
PID 3984 wrote to memory of 1040	3984	dwdsregt.exe	116
PID 3984 wrote to memory of 1040	3984	dwdsregt.exe	116
PID 1040 wrote to memory of 2952	1040	dwdsregt.exe	117

C:\Users\Admin\AppData\Local\Temp\bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd5b9329dce9d28b3ef8aba91494d54e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- \??\c:\windows\SysWOW64\dwdsregt.exe
  c:\windows\system32\dwdsregt.exe ELT001
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - \??\c:\windows\SysWOW64\dwdsregt.exe
    c:\windows\system32\dwdsregt.exe ELT001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - \??\c:\windows\SysWOW64\dwdsregt.exe
      c:\windows\system32\dwdsregt.exe ELT001
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2068
    - - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        7⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        8⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        11⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        12⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        14⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        16⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        17⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        18⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        21⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        23⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        26⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4580
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        28⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        29⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        32⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        37⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        38⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        40⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        44⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        46⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        48⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        50⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3984
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        52⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        54⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        58⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        61⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        63⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        64⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        66⤵
        
        PID:2684
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        67⤵
        Drops file in System32 directory
        
        PID:856
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        68⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        69⤵
        
        PID:1700
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        70⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        72⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:700
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        73⤵
        Drops file in System32 directory
        
        PID:2564
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        75⤵
        Drops startup file
        
        PID:3120
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        76⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        77⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        78⤵
        Drops file in System32 directory
        
        PID:2892
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        79⤵
        
        PID:4072
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        80⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:5056
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        81⤵
        Drops startup file
        
        PID:4396
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        83⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        84⤵
        Drops startup file
        
        PID:1920
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        85⤵
        
        PID:3876
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        86⤵
        Drops file in System32 directory
        
        PID:4820
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        87⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:1764
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        88⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2800
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        90⤵
        
        PID:3460
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        91⤵
        Drops startup file
        
        PID:4616
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        92⤵
        Drops file in System32 directory
        
        PID:1708
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        93⤵
        Drops startup file
        
        PID:4588
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        94⤵
        Drops startup file
        
        PID:396
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        97⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        98⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        103⤵
        Drops file in System32 directory
        
        PID:212
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        104⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3228
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        106⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        107⤵
        Drops startup file
        
        PID:1800
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        108⤵
        
        PID:1408
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        109⤵
        
        PID:2436
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        110⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2420
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        111⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4972
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        112⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:2556
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        114⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4344
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        115⤵
        Drops startup file
        
        PID:1792
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        116⤵
        Drops startup file
        
        PID:2932
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        119⤵
        Drops file in System32 directory
        
        PID:1076
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        120⤵
        Drops file in System32 directory
        
        PID:1512
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        121⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        122⤵
        Drops startup file
        
        PID:2444
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        123⤵
        Drops file in System32 directory
        
        PID:4596
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        124⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4432
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        127⤵
        
        PID:1700
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        128⤵
        Drops startup file
        
        PID:2296
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        129⤵
        Drops startup file
        
        PID:2172
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        131⤵
        Drops startup file
        
        PID:716
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        132⤵
        
        PID:4032
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        133⤵
        Drops file in System32 directory
        
        PID:4804
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        134⤵
        
        PID:4268
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        135⤵
        Drops file in System32 directory
        
        PID:2584
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        136⤵
        Drops startup file
        
        PID:4084
        
        \??\c:\windows\SysWOW64\dwdsregt.exe
        
        c:\windows\system32\dwdsregt.exe ELT001
        137⤵
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
7232e50087f66e717d9dd6e5f4feba31

SHA1
b75bf11f793c31074409bb447b8fcd40e28944a9

SHA256
73d915f7c8835273fba65932229dc1ebacb22c76a4f9620279b2b04a2f220f28

SHA512
11ca4e8033e626d6e0d14be9326cc7a475a4176aa37d947a7ee8bb0b371ab638c1f6500622a9fc8ebc0375122ab253ab321d432249ef289d0129c63a50781317

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk

Filesize
985B

MD5
ba651fd88215ffeeb013c1fed00d5540

SHA1
edf4ad0c4f6c50bdf75bc294588f6951524bc3d1

SHA256
ce2b02c6ab98237e0c48e109b3fe16471413801cfbce95ae75d588c8105bc11d

SHA512
ab6cdf5b6939335a153b294da2c0336800a1f98989c09bdec4b88479f11e30ccbad0b3855da20321dcd3df5cbe31c33f11f9f353d88e338215d539ee52e94472

Download Submit
C:\Windows\SysWOW64\dwdsregt.exe

Filesize
48KB

MD5
bb81811cc1461fc2ecae7ebda90daf7b

SHA1
1a14b2f044362c807243ea558e747f3efd78acf2

SHA256
8f198cd079947dd123ff2ffaf4e6a7db88124a0142501334d91f66a8cb20acde

SHA512
7ef5d3397e023bbeca4dfca6d0fff1897730ce66745826eab1debffd95f9b7c1e991d4abf6c4b76aa0519d984eaf26ad8485f49d7bd5d61fa72d7be773a6613f

Download Submit
C:\Windows\SysWOW64\msnav32.ax

Filesize
28B

MD5
86df414e635e6c22c3898390e616ce37

SHA1
051f5fe21d7f3505a7e6fea1ccb9a50dbb276180

SHA256
b8b3c5f83231c277da334b1ebe828e8568da57079d5b62ddfd902aca18c11e4b

SHA512
05ed903b23b88a2040dc72ed1adb1f899b6a7dbac7be91f3639aaae734ad6565d832cd550c0eb92a021b977e43d76700117a5e3ccf6151bfddc3d3077c5c8a63

Download Submit