Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
13/03/2024, 01:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c4a1f44a5c576186736313a99a791b81.exe
Resource
win7-20240221-en
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
c4a1f44a5c576186736313a99a791b81.exe
Resource
win10v2004-20240226-en
5 signatures
150 seconds
General
-
Target
c4a1f44a5c576186736313a99a791b81.exe
-
Size
53KB
-
MD5
c4a1f44a5c576186736313a99a791b81
-
SHA1
e6ec692203e1297fbd3ead2fc928672b81874849
-
SHA256
401aaa34f2559f9b809f20c3b30ee006210ee690b9961083993b02b41c934582
-
SHA512
1a8d02232cc9b0e190ea6610c47a5aa025ccd590a47cac40d0ad3f2966d357dcd4abc7f08a6c1d6dd2a4b8049720da3bf3c0499bd69c1f528ef1293d3b3daeb3
-
SSDEEP
1536:+SF6oQgY0aJe70mA7jOl0J7XFj0sPoWdAGl0:uCYi7NlM7JAr
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
YARA rule upx matched on behavioral1 process memory dumps
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4a1f44a5c576186736313a99a791b81.exe"C:\Users\Admin\AppData\Local\Temp\c4a1f44a5c576186736313a99a791b81.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\c4a1f44a5c576186736313a99a791b81.exeC:\Users\Admin\AppData\Local\Temp\c4a1f44a5c576186736313a99a791b81.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:528 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1120 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1800 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2648 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1684 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1196 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3020 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1760 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1160 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1748 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1784 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2128 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1940 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1812 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2176 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1612 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2628 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2572 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2764 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2668 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1700 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:524 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1188 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2864 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe62⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:812 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe64⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:808 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe66⤵PID:1120
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"67⤵
- Suspicious use of SetThreadContext
PID:280 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe68⤵PID:1800
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"69⤵
- Suspicious use of SetThreadContext
PID:2396 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe70⤵PID:1644
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"71⤵
- Suspicious use of SetThreadContext
PID:1384 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe72⤵PID:2304
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"73⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1632 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe74⤵PID:2988
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"75⤵
- Suspicious use of SetThreadContext
PID:2828 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe76⤵PID:2832
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"77⤵
- Suspicious use of SetThreadContext
PID:2208 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe78⤵PID:1728
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"79⤵
- Suspicious use of SetThreadContext
PID:2280 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe80⤵PID:436
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"81⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1740 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe82⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"83⤵
- Suspicious use of SetThreadContext
PID:1620 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe84⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"85⤵
- Suspicious use of SetThreadContext
PID:240 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe86⤵PID:608
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"87⤵
- Suspicious use of SetThreadContext
PID:3036 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe88⤵PID:2244
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"89⤵
- Suspicious use of SetThreadContext
PID:824 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe90⤵PID:1716
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"91⤵
- Suspicious use of SetThreadContext
PID:2940 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe92⤵PID:2212
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"93⤵
- Suspicious use of SetThreadContext
PID:2176 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe94⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"95⤵
- Suspicious use of SetThreadContext
PID:1608 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe96⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"97⤵
- Suspicious use of SetThreadContext
PID:2092 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe98⤵PID:2672
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"99⤵
- Suspicious use of SetThreadContext
PID:2880 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe100⤵PID:1972
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"101⤵
- Suspicious use of SetThreadContext
PID:2216 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe102⤵PID:2780
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"103⤵
- Suspicious use of SetThreadContext
PID:2444 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe104⤵PID:2232
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"105⤵
- Suspicious use of SetThreadContext
PID:1964 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe106⤵PID:1492
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"107⤵
- Suspicious use of SetThreadContext
PID:2920 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe108⤵PID:580
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"109⤵
- Suspicious use of SetThreadContext
PID:1188 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe110⤵PID:2752
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"111⤵
- Suspicious use of SetThreadContext
PID:1072 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe112⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"113⤵
- Suspicious use of SetThreadContext
PID:2036 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe114⤵PID:920
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"115⤵
- Suspicious use of SetThreadContext
PID:1616 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe116⤵PID:2720
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"117⤵
- Suspicious use of SetThreadContext
PID:2664 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe118⤵PID:832
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"119⤵
- Suspicious use of SetThreadContext
PID:2768 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe120⤵PID:1244
-
C:\Windows\SysWOW64\msmsgs.exe"C:\Windows\system32\msmsgs.exe"121⤵
- Suspicious use of SetThreadContext
PID:2312 -
C:\Windows\SysWOW64\msmsgs.exeC:\Windows\SysWOW64\msmsgs.exe122⤵PID:996