2f4aa35003418807ea4d8fcdbea11259a879e07960ac778a59c66cb37907e92b

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
Size

80KB
MD5

8a8b6168b4618452923d207145ce05fe
SHA1

85df3268dad82c4e7355c05b87324e56107d2cc6
SHA256

2f4aa35003418807ea4d8fcdbea11259a879e07960ac778a59c66cb37907e92b
SHA512

2b2089a9eb23f6b72632d5e7434266cddeed7ea4fd0851ee9bb8e2fdcfface1cee11f16376e269d67c62b27e9d6302aaf6c534d8acc3acd55769cfe67dc49d62
SSDEEP

1536:EsPdg+Y16Lti8n42APNR2dcScLcPcxeTanuUHWOls3xxNMq39gk34iS6G:qM4PNEdcScLcPcfnuH0yG

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tauoga.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe

Executes dropped EXE 64 IoCs

pid	Process
5652	tauoga.exe
1424	tauoga.exe
4976	tauoga.exe
5384	tauoga.exe
4612	tauoga.exe
1924	tauoga.exe
4072	tauoga.exe
2776	tauoga.exe
3032	tauoga.exe
2204	tauoga.exe
2240	tauoga.exe
3252	tauoga.exe
932	tauoga.exe
4048	tauoga.exe
5896	tauoga.exe
2288	tauoga.exe
2888	tauoga.exe
2772	tauoga.exe
3324	tauoga.exe
3872	tauoga.exe
60	tauoga.exe
4652	tauoga.exe
3120	tauoga.exe
5680	tauoga.exe
2660	tauoga.exe
4820	tauoga.exe
4576	tauoga.exe
4240	tauoga.exe
1720	tauoga.exe
3940	tauoga.exe
5804	tauoga.exe
3916	tauoga.exe
4052	tauoga.exe
1868	tauoga.exe
1412	tauoga.exe
1404	tauoga.exe
3636	tauoga.exe
372	tauoga.exe
5996	tauoga.exe
1612	tauoga.exe
5252	tauoga.exe
3324	tauoga.exe
4928	tauoga.exe
4996	tauoga.exe
4980	tauoga.exe
3920	tauoga.exe
3620	tauoga.exe
4188	tauoga.exe
3708	tauoga.exe
2204	tauoga.exe
2816	tauoga.exe
5356	tauoga.exe
3776	tauoga.exe
5908	tauoga.exe
5936	tauoga.exe
1416	tauoga.exe
4376	tauoga.exe
4396	tauoga.exe
3016	tauoga.exe
3656	tauoga.exe
5072	tauoga.exe
1364	tauoga.exe
2084	tauoga.exe
4720	tauoga.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /d"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /z"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /w"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /n"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /h"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /q"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /i"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /f"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /v"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /g"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /b"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /m"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /l"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /t"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /s"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /k"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /a"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /t"	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /p"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /j"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /o"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /c"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /r"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /x"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /y"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /u"	tauoga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauoga = "C:\\Users\\Admin\\tauoga.exe /e"	tauoga.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tauoga.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe
5652	tauoga.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
5652	tauoga.exe
1424	tauoga.exe
4976	tauoga.exe
5384	tauoga.exe
4612	tauoga.exe
1924	tauoga.exe
4072	tauoga.exe
2776	tauoga.exe
3032	tauoga.exe
2204	tauoga.exe
2240	tauoga.exe
3252	tauoga.exe
932	tauoga.exe
4048	tauoga.exe
5896	tauoga.exe
2288	tauoga.exe
2888	tauoga.exe
2772	tauoga.exe
3324	tauoga.exe
3872	tauoga.exe
60	tauoga.exe
4652	tauoga.exe
3120	tauoga.exe
5680	tauoga.exe
2660	tauoga.exe
4820	tauoga.exe
4576	tauoga.exe
4240	tauoga.exe
1720	tauoga.exe
3940	tauoga.exe
5804	tauoga.exe
3916	tauoga.exe
4052	tauoga.exe
1868	tauoga.exe
1412	tauoga.exe
1404	tauoga.exe
3636	tauoga.exe
372	tauoga.exe
5996	tauoga.exe
1612	tauoga.exe
5252	tauoga.exe
3324	tauoga.exe
4928	tauoga.exe
4996	tauoga.exe
4980	tauoga.exe
3920	tauoga.exe
3620	tauoga.exe
4188	tauoga.exe
3708	tauoga.exe
2204	tauoga.exe
2816	tauoga.exe
5356	tauoga.exe
3776	tauoga.exe
5908	tauoga.exe
5936	tauoga.exe
1416	tauoga.exe
4376	tauoga.exe
4396	tauoga.exe
3016	tauoga.exe
3656	tauoga.exe
5072	tauoga.exe
1364	tauoga.exe
2084	tauoga.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 5652	2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe	92
PID 2184 wrote to memory of 5652	2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe	92
PID 2184 wrote to memory of 5652	2184	JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe	92
PID 1956 wrote to memory of 1424	1956	cmd.exe	95
PID 1956 wrote to memory of 1424	1956	cmd.exe	95
PID 1956 wrote to memory of 1424	1956	cmd.exe	95
PID 4868 wrote to memory of 4976	4868	cmd.exe	99
PID 4868 wrote to memory of 4976	4868	cmd.exe	99
PID 4868 wrote to memory of 4976	4868	cmd.exe	99
PID 5104 wrote to memory of 5384	5104	cmd.exe	102
PID 5104 wrote to memory of 5384	5104	cmd.exe	102
PID 5104 wrote to memory of 5384	5104	cmd.exe	102
PID 4032 wrote to memory of 4612	4032	cmd.exe	105
PID 4032 wrote to memory of 4612	4032	cmd.exe	105
PID 4032 wrote to memory of 4612	4032	cmd.exe	105
PID 2636 wrote to memory of 1924	2636	cmd.exe	108
PID 2636 wrote to memory of 1924	2636	cmd.exe	108
PID 2636 wrote to memory of 1924	2636	cmd.exe	108
PID 1164 wrote to memory of 4072	1164	cmd.exe	113
PID 1164 wrote to memory of 4072	1164	cmd.exe	113
PID 1164 wrote to memory of 4072	1164	cmd.exe	113
PID 3304 wrote to memory of 2776	3304	cmd.exe	116
PID 3304 wrote to memory of 2776	3304	cmd.exe	116
PID 3304 wrote to memory of 2776	3304	cmd.exe	116
PID 1588 wrote to memory of 3032	1588	cmd.exe	119
PID 1588 wrote to memory of 3032	1588	cmd.exe	119
PID 1588 wrote to memory of 3032	1588	cmd.exe	119
PID 4260 wrote to memory of 2204	4260	cmd.exe	122
PID 4260 wrote to memory of 2204	4260	cmd.exe	122
PID 4260 wrote to memory of 2204	4260	cmd.exe	122
PID 5844 wrote to memory of 2240	5844	cmd.exe	125
PID 5844 wrote to memory of 2240	5844	cmd.exe	125
PID 5844 wrote to memory of 2240	5844	cmd.exe	125
PID 4380 wrote to memory of 3252	4380	cmd.exe	128
PID 4380 wrote to memory of 3252	4380	cmd.exe	128
PID 4380 wrote to memory of 3252	4380	cmd.exe	128
PID 3344 wrote to memory of 932	3344	cmd.exe	131
PID 3344 wrote to memory of 932	3344	cmd.exe	131
PID 3344 wrote to memory of 932	3344	cmd.exe	131
PID 2908 wrote to memory of 4048	2908	cmd.exe	134
PID 2908 wrote to memory of 4048	2908	cmd.exe	134
PID 2908 wrote to memory of 4048	2908	cmd.exe	134
PID 5324 wrote to memory of 5896	5324	cmd.exe	137
PID 5324 wrote to memory of 5896	5324	cmd.exe	137
PID 5324 wrote to memory of 5896	5324	cmd.exe	137
PID 5660 wrote to memory of 2288	5660	cmd.exe	140
PID 5660 wrote to memory of 2288	5660	cmd.exe	140
PID 5660 wrote to memory of 2288	5660	cmd.exe	140
PID 4084 wrote to memory of 2888	4084	cmd.exe	143
PID 4084 wrote to memory of 2888	4084	cmd.exe	143
PID 4084 wrote to memory of 2888	4084	cmd.exe	143
PID 4412 wrote to memory of 2772	4412	cmd.exe	146
PID 4412 wrote to memory of 2772	4412	cmd.exe	146
PID 4412 wrote to memory of 2772	4412	cmd.exe	146
PID 3512 wrote to memory of 3324	3512	cmd.exe	149
PID 3512 wrote to memory of 3324	3512	cmd.exe	149
PID 3512 wrote to memory of 3324	3512	cmd.exe	149
PID 5620 wrote to memory of 3872	5620	cmd.exe	152
PID 5620 wrote to memory of 3872	5620	cmd.exe	152
PID 5620 wrote to memory of 3872	5620	cmd.exe	152
PID 1420 wrote to memory of 60	1420	cmd.exe	155
PID 1420 wrote to memory of 60	1420	cmd.exe	155
PID 1420 wrote to memory of 60	1420	cmd.exe	155
PID 2140 wrote to memory of 4652	2140	cmd.exe	158

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8b6168b4618452923d207145ce05fe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\tauoga.exe
  "C:\Users\Admin\tauoga.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
- Suspicious use of WriteProcessMemory
PID:5324
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
- Suspicious use of WriteProcessMemory
PID:5660
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
- Suspicious use of WriteProcessMemory
PID:5620
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:5024
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:2316
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:2024
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:5664
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4964
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:3532
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:3692
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:4808
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:1640
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:1068
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:3708
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:4304
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:772
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:1564
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /z
1⤵
PID:5204
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3628
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:1228
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:5816
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:2552
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:116
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:2616
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:5864
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:4972
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:4956
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:5116
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4256
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:5592
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:1580
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:1852
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:4004
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:4000
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:5060
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:2020
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:5420
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:2796
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:2296
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:2088
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:3116
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:220
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:2316
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:3120
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:5984
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  - Executes dropped EXE
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:4880
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:4836
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:1016
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /k
1⤵
PID:2024
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /k
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:2636
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  - System Location Discovery: System Language Discovery
  PID:100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:1120
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:1924
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:6116
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:3032
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /z
1⤵
PID:1948
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /z
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:3252
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:1352
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:5788
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:5364
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:5572
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:5648
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:5320
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:6108
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:5252
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /k
1⤵
PID:2676
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /k
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:2088
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:6008
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:2144
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:1928
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:5052
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:384
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:4708
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:3488
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:4288
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3852
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:1144
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:2904
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3300
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:3708
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:1644
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:2872
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:3420
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:2672
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:4204
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:5936
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /k
1⤵
PID:5456
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /k
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:5644
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:3036
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:6108
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:952
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:5676
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:3656
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:2312
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:5876
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:3716
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:1356
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:3520
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:5000
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:4868
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /a
1⤵
PID:1032
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /a
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:3044
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:1840
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3048
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:3896
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:5960
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /a
1⤵
PID:1924
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /a
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:6116
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:4752
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:6140
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:4380
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:6104
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:5908
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:4044
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:5444
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:3024
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:1028
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:2736
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:4112
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:3640
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:5860
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:2552
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4940
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:2312
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:5972
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:4720
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:5052
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:784
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4880
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:1268
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4932
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:5104
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:5608
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:5016
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /x
1⤵
PID:4032
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:3560
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /b
1⤵
PID:972
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /b
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:3240
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /k
1⤵
PID:3712
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /k
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:2340
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /v
1⤵
PID:1940
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:2268
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:4140
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:1348
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:1012
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /i
1⤵
PID:2612
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /i
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /k
1⤵
PID:5828
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /k
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:5320
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /a
1⤵
PID:3984
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /a
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:3036
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:2404
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:4440
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:2616
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:4644
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:5024
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:2408
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:3400
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3988
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:4864
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:4872
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:1720
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:4180
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:3596
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:4340
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /d
1⤵
PID:4316
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /d
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:5360
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /z
1⤵
PID:6112
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /z
  2⤵
  PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /r
1⤵
PID:2424
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /r
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:3708
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /c
1⤵
PID:3712
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:3516
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /q
1⤵
PID:6104
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /q
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /g
1⤵
PID:4048
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /g
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:2020
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:2956
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:6004
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:5996
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /n
1⤵
PID:2796
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /n
  2⤵
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /a
1⤵
PID:5764
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /a
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /t
1⤵
PID:3324
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /t
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /j
1⤵
PID:4396
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /j
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /w
1⤵
PID:1864
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /w
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /o
1⤵
PID:2552
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /o
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /y
1⤵
PID:3656
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /y
  2⤵
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /h
1⤵
PID:1540
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /h
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:5532
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /s
1⤵
PID:2140
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /s
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /f
1⤵
PID:3520
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /f
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /e
1⤵
PID:4128
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /e
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /l
1⤵
PID:4984
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /l
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /m
1⤵
PID:4876
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /m
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /p
1⤵
PID:4180
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /p
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\tauoga.exe /u
1⤵
PID:100
- C:\Users\Admin\tauoga.exe
  C:\Users\Admin\tauoga.exe /u
  2⤵
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tauoga.exe

Filesize
80KB

MD5
26c3e9adb5444febe4dc92138010c6a0

SHA1
312eeaddb9a00bb9fbc61ffe399a7cb70cb4a5fe

SHA256
ca5599a119d3d675558003504a345762325e402a2fe550c156a6633abec449b8

SHA512
89a19df2182a46fa6eec3d37ae8a7851fedcf5c6061d11d416b6d3f4f8518daf75d7b965438f57ae2078939390bbec16f4cf7ad42773999dbb68eff5893da95f

Download Submit