Analysis
-
max time kernel
76s -
max time network
155s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
09-05-2024 15:44
Static task
static1
Behavioral task
behavioral1
Sample
DevxExecutor.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
DevxExecutor.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
DevxExecutor.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
DevxExecutor.exe
Resource
win11-20240426-en
General
-
Target
DevxExecutor.exe
-
Size
44.1MB
-
MD5
e4897ef7419e128b1f7473119ce0bd07
-
SHA1
5aad252412a5923438f30cb9c397731a9b020121
-
SHA256
6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
-
SHA512
db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
-
SSDEEP
786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
pid Process 7228 MpCmdRun.exe -
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 10288 created 5140 10288 WerFault.exe 516 -
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
description pid Process procid_target PID 1436 created 3384 1436 setup.exe 54 PID 1436 created 3384 1436 setup.exe 54 PID 1436 created 3384 1436 setup.exe 54 PID 1436 created 3384 1436 setup.exe 54 PID 1436 created 3384 1436 setup.exe 54 PID 1436 created 3384 1436 setup.exe 54 PID 5580 created 3384 5580 updater.exe 54 PID 8380 created 5140 8380 svchost.exe 516 PID 5580 created 3384 5580 updater.exe 54 PID 5580 created 3384 5580 updater.exe 54 PID 5580 created 3384 5580 updater.exe 54 PID 5580 created 3384 5580 updater.exe 54 PID 5580 created 3384 5580 updater.exe 54 -
pid Process 5692 powershell.exe 512 powershell.exe 2136 powershell.exe 10124 powershell.exe 3376 powershell.exe -
Contacts a large (1198) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 64 IoCs
pid Process 4548 cstealer.exe 2304 cstealer.exe 356 main.exe 5044 cstealer.exe 4460 main.exe 4468 cstealer.exe 3288 cstealer.exe 2608 cstealer.exe 3900 Build.exe 1048 cstealer.exe 2344 cstealer.exe 840 cstealer.exe 700 hacn.exe 3860 based.exe 3780 hacn.exe 2988 based.exe 2348 cstealer.exe 1668 s.exe 3372 cstealer.exe 1736 main.exe 5108 svchost.exe 1136 cstealer.exe 1436 setup.exe 3900 svchost.exe 10068 cstealer.exe 5216 cstealer.exe 7420 cstealer.exe 6156 cstealer.exe 6868 cstealer.exe 7056 cstealer.exe 7584 cstealer.exe 7796 cstealer.exe 4924 cstealer.exe 8132 cstealer.exe 9316 cstealer.exe 9392 cstealer.exe 8364 cstealer.exe 8488 cstealer.exe 8564 cstealer.exe 8676 cstealer.exe 8740 cstealer.exe 9640 cstealer.exe 9564 rar.exe 9176 cstealer.exe 9028 cstealer.exe 1440 cstealer.exe 10108 cstealer.exe 5504 cstealer.exe 3532 cstealer.exe 1532 cstealer.exe 6176 Update.exe 5736 cstealer.exe 1544 cstealer.exe 2648 cstealer.exe 6316 cstealer.exe 6668 cstealer.exe 6712 cstealer.exe 6936 cstealer.exe 7032 cstealer.exe 6812 cstealer.exe 7200 cstealer.exe 6028 cstealer.exe 976 cstealer.exe 9872 cstealer.exe -
Loads dropped DLL 64 IoCs
pid Process 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 2304 cstealer.exe 4460 main.exe 4460 main.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 4468 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2608 cstealer.exe 2344 cstealer.exe 2344 cstealer.exe 2344 cstealer.exe 2344 cstealer.exe 2344 cstealer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000700000001ac44-117.dat upx behavioral2/memory/4460-170-0x00007FFCAC7F0000-0x00007FFCACDD8000-memory.dmp upx behavioral2/memory/4460-131-0x00007FFCAC7F0000-0x00007FFCACDD8000-memory.dmp upx behavioral2/memory/2988-270-0x00007FFCAA590000-0x00007FFCAAB78000-memory.dmp upx behavioral2/memory/2988-274-0x00007FFCBB040000-0x00007FFCBB04F000-memory.dmp upx behavioral2/memory/2988-273-0x00007FFCB98B0000-0x00007FFCB98D4000-memory.dmp upx behavioral2/memory/2988-290-0x00007FFCA9E40000-0x00007FFCA9FB3000-memory.dmp upx behavioral2/memory/2988-289-0x00007FFCB7930000-0x00007FFCB7953000-memory.dmp upx behavioral2/memory/2988-315-0x00007FFCB7900000-0x00007FFCB792E000-memory.dmp upx behavioral2/memory/2988-314-0x00007FFCB84B0000-0x00007FFCB84BD000-memory.dmp upx behavioral2/memory/2988-377-0x00007FFCA9C80000-0x00007FFCA9D38000-memory.dmp upx behavioral2/memory/2988-406-0x00007FFCA66D0000-0x00007FFCA67EC000-memory.dmp upx behavioral2/memory/2988-405-0x00007FFCB7290000-0x00007FFCB729D000-memory.dmp upx behavioral2/memory/2988-404-0x00007FFCA67F0000-0x00007FFCA6804000-memory.dmp upx behavioral2/memory/2988-403-0x00007FFCAA590000-0x00007FFCAAB78000-memory.dmp upx behavioral2/memory/2988-2370-0x00007FFCB98B0000-0x00007FFCB98D4000-memory.dmp upx behavioral2/memory/2988-382-0x00007FFCA97D0000-0x00007FFCA9B45000-memory.dmp upx behavioral2/memory/2988-313-0x00007FFCB9680000-0x00007FFCB9699000-memory.dmp upx behavioral2/memory/2988-287-0x00007FFCB96A0000-0x00007FFCB96B9000-memory.dmp upx behavioral2/memory/2988-286-0x00007FFCB96C0000-0x00007FFCB96ED000-memory.dmp upx behavioral2/memory/2988-3109-0x00007FFCB7930000-0x00007FFCB7953000-memory.dmp upx behavioral2/memory/2988-4475-0x00007FFCA9E40000-0x00007FFCA9FB3000-memory.dmp upx behavioral2/memory/2988-4618-0x00007FFCAA590000-0x00007FFCAAB78000-memory.dmp upx behavioral2/memory/2988-4617-0x00007FFCB7290000-0x00007FFCB729D000-memory.dmp upx behavioral2/memory/2988-4616-0x00007FFCA67F0000-0x00007FFCA6804000-memory.dmp upx behavioral2/memory/2988-4615-0x00007FFCA97D0000-0x00007FFCA9B45000-memory.dmp upx behavioral2/memory/2988-4614-0x00007FFCA9C80000-0x00007FFCA9D38000-memory.dmp upx behavioral2/memory/2988-4613-0x00007FFCB7900000-0x00007FFCB792E000-memory.dmp upx behavioral2/memory/2988-4612-0x00007FFCB84B0000-0x00007FFCB84BD000-memory.dmp upx behavioral2/memory/2988-4611-0x00007FFCB9680000-0x00007FFCB9699000-memory.dmp upx behavioral2/memory/2988-4610-0x00007FFCA66D0000-0x00007FFCA67EC000-memory.dmp upx behavioral2/memory/2988-4609-0x00007FFCB7930000-0x00007FFCB7953000-memory.dmp upx behavioral2/memory/2988-4608-0x00007FFCA9E40000-0x00007FFCA9FB3000-memory.dmp upx behavioral2/memory/2988-4607-0x00007FFCB96C0000-0x00007FFCB96ED000-memory.dmp upx behavioral2/memory/2988-4606-0x00007FFCBB040000-0x00007FFCBB04F000-memory.dmp upx behavioral2/memory/2988-4605-0x00007FFCB98B0000-0x00007FFCB98D4000-memory.dmp upx behavioral2/memory/2988-4604-0x00007FFCB96A0000-0x00007FFCB96B9000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 10 raw.githubusercontent.com 11 raw.githubusercontent.com 12 raw.githubusercontent.com 64 discord.com 65 discord.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com 18 api.ipify.org 19 api.ipify.org -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3900 svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1436 set thread context of 1636 1436 setup.exe 354 PID 5580 set thread context of 9780 5580 updater.exe 527 PID 5580 set thread context of 11432 5580 updater.exe 530 PID 5580 set thread context of 12956 5580 updater.exe 531 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe setup.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6256 sc.exe 5428 sc.exe 4140 sc.exe 8720 sc.exe 6100 sc.exe 7544 sc.exe 3056 sc.exe 10232 sc.exe 9588 sc.exe 5012 sc.exe -
Detects Pyinstaller 2 IoCs
resource yara_rule behavioral2/files/0x000900000001ab34-9.dat pyinstaller behavioral2/files/0x000700000001ac34-79.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Update.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3688 schtasks.exe 10104 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 9780 timeout.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5384 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 5836 tasklist.exe 9684 tasklist.exe 60 tasklist.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 5684 systeminfo.exe -
Modifies data under HKEY_USERS 47 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 9712 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 512 powershell.exe 512 powershell.exe 4996 powershell.exe 4996 powershell.exe 2136 powershell.exe 2136 powershell.exe 512 powershell.exe 512 powershell.exe 4996 powershell.exe 4996 powershell.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 512 powershell.exe 1736 main.exe 1736 main.exe 5340 powershell.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 1736 main.exe 5340 powershell.exe 2136 powershell.exe 5340 powershell.exe 4996 powershell.exe 4996 powershell.exe 2136 powershell.exe 2136 powershell.exe 5340 powershell.exe 5692 powershell.exe 5692 powershell.exe 5692 powershell.exe 5692 powershell.exe 7836 powershell.exe 7836 powershell.exe 7836 powershell.exe 7836 powershell.exe 7384 powershell.exe 7384 powershell.exe 7384 powershell.exe 7384 powershell.exe 3872 powershell.exe 3872 powershell.exe 3872 powershell.exe 3872 powershell.exe 5400 powershell.exe 5400 powershell.exe 5400 powershell.exe 5400 powershell.exe 6176 Update.exe 6176 Update.exe 6176 Update.exe 6176 Update.exe 6176 Update.exe 6176 Update.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3384 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1736 main.exe Token: SeDebugPrivilege 512 powershell.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeDebugPrivilege 60 tasklist.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeDebugPrivilege 5340 powershell.exe Token: SeDebugPrivilege 5836 tasklist.exe Token: SeIncreaseQuotaPrivilege 5764 WMIC.exe Token: SeSecurityPrivilege 5764 WMIC.exe Token: SeTakeOwnershipPrivilege 5764 WMIC.exe Token: SeLoadDriverPrivilege 5764 WMIC.exe Token: SeSystemProfilePrivilege 5764 WMIC.exe Token: SeSystemtimePrivilege 5764 WMIC.exe Token: SeProfSingleProcessPrivilege 5764 WMIC.exe Token: SeIncBasePriorityPrivilege 5764 WMIC.exe Token: SeCreatePagefilePrivilege 5764 WMIC.exe Token: SeBackupPrivilege 5764 WMIC.exe Token: SeRestorePrivilege 5764 WMIC.exe Token: SeShutdownPrivilege 5764 WMIC.exe Token: SeDebugPrivilege 5764 WMIC.exe Token: SeSystemEnvironmentPrivilege 5764 WMIC.exe Token: SeRemoteShutdownPrivilege 5764 WMIC.exe Token: SeUndockPrivilege 5764 WMIC.exe Token: SeManageVolumePrivilege 5764 WMIC.exe Token: 33 5764 WMIC.exe Token: 34 5764 WMIC.exe Token: 35 5764 WMIC.exe Token: 36 5764 WMIC.exe Token: SeIncreaseQuotaPrivilege 512 powershell.exe Token: SeSecurityPrivilege 512 powershell.exe Token: SeTakeOwnershipPrivilege 512 powershell.exe Token: SeLoadDriverPrivilege 512 powershell.exe Token: SeSystemProfilePrivilege 512 powershell.exe Token: SeSystemtimePrivilege 512 powershell.exe Token: SeProfSingleProcessPrivilege 512 powershell.exe Token: SeIncBasePriorityPrivilege 512 powershell.exe Token: SeCreatePagefilePrivilege 512 powershell.exe Token: SeBackupPrivilege 512 powershell.exe Token: SeRestorePrivilege 512 powershell.exe Token: SeShutdownPrivilege 512 powershell.exe Token: SeDebugPrivilege 512 powershell.exe Token: SeSystemEnvironmentPrivilege 512 powershell.exe Token: SeRemoteShutdownPrivilege 512 powershell.exe Token: SeUndockPrivilege 512 powershell.exe Token: SeManageVolumePrivilege 512 powershell.exe Token: 33 512 powershell.exe Token: 34 512 powershell.exe Token: 35 512 powershell.exe Token: 36 512 powershell.exe Token: SeDebugPrivilege 5692 powershell.exe Token: SeIncreaseQuotaPrivilege 2136 powershell.exe Token: SeSecurityPrivilege 2136 powershell.exe Token: SeTakeOwnershipPrivilege 2136 powershell.exe Token: SeLoadDriverPrivilege 2136 powershell.exe Token: SeSystemProfilePrivilege 2136 powershell.exe Token: SeSystemtimePrivilege 2136 powershell.exe Token: SeProfSingleProcessPrivilege 2136 powershell.exe Token: SeIncBasePriorityPrivilege 2136 powershell.exe Token: SeCreatePagefilePrivilege 2136 powershell.exe Token: SeBackupPrivilege 2136 powershell.exe Token: SeRestorePrivilege 2136 powershell.exe Token: SeShutdownPrivilege 2136 powershell.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeSystemEnvironmentPrivilege 2136 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe 1016 dwm.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 10372 Conhost.exe 3560 Conhost.exe 6176 Update.exe 7204 Conhost.exe 9600 Conhost.exe 5608 Conhost.exe 5180 Conhost.exe 10548 Conhost.exe 8372 Conhost.exe 4836 Conhost.exe 7964 Conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3428 wrote to memory of 4548 3428 DevxExecutor.exe 73 PID 3428 wrote to memory of 4548 3428 DevxExecutor.exe 73 PID 4548 wrote to memory of 2304 4548 cstealer.exe 74 PID 4548 wrote to memory of 2304 4548 cstealer.exe 74 PID 3428 wrote to memory of 356 3428 DevxExecutor.exe 75 PID 3428 wrote to memory of 356 3428 DevxExecutor.exe 75 PID 2304 wrote to memory of 2280 2304 cstealer.exe 76 PID 2304 wrote to memory of 2280 2304 cstealer.exe 76 PID 2280 wrote to memory of 5044 2280 cmd.exe 78 PID 2280 wrote to memory of 5044 2280 cmd.exe 78 PID 356 wrote to memory of 4460 356 main.exe 136 PID 356 wrote to memory of 4460 356 main.exe 136 PID 5044 wrote to memory of 4468 5044 cstealer.exe 80 PID 5044 wrote to memory of 4468 5044 cstealer.exe 80 PID 4460 wrote to memory of 1796 4460 main.exe 81 PID 4460 wrote to memory of 1796 4460 main.exe 81 PID 4468 wrote to memory of 3824 4468 cstealer.exe 83 PID 4468 wrote to memory of 3824 4468 cstealer.exe 83 PID 3824 wrote to memory of 3288 3824 cmd.exe 85 PID 3824 wrote to memory of 3288 3824 cmd.exe 85 PID 3288 wrote to memory of 2608 3288 cstealer.exe 87 PID 3288 wrote to memory of 2608 3288 cstealer.exe 87 PID 1796 wrote to memory of 3900 1796 cmd.exe 119 PID 1796 wrote to memory of 3900 1796 cmd.exe 119 PID 1796 wrote to memory of 3900 1796 cmd.exe 119 PID 2608 wrote to memory of 4456 2608 cstealer.exe 88 PID 2608 wrote to memory of 4456 2608 cstealer.exe 88 PID 4456 wrote to memory of 1048 4456 cmd.exe 90 PID 4456 wrote to memory of 1048 4456 cmd.exe 90 PID 1048 wrote to memory of 2344 1048 cstealer.exe 91 PID 1048 wrote to memory of 2344 1048 cstealer.exe 91 PID 2344 wrote to memory of 2376 2344 cstealer.exe 93 PID 2344 wrote to memory of 2376 2344 cstealer.exe 93 PID 3900 wrote to memory of 700 3900 Build.exe 92 PID 3900 wrote to memory of 700 3900 Build.exe 92 PID 2376 wrote to memory of 840 2376 cmd.exe 96 PID 2376 wrote to memory of 840 2376 cmd.exe 96 PID 3900 wrote to memory of 3860 3900 Build.exe 425 PID 3900 wrote to memory of 3860 3900 Build.exe 425 PID 700 wrote to memory of 3780 700 hacn.exe 98 PID 700 wrote to memory of 3780 700 hacn.exe 98 PID 3860 wrote to memory of 2988 3860 based.exe 99 PID 3860 wrote to memory of 2988 3860 based.exe 99 PID 840 wrote to memory of 2348 840 cstealer.exe 100 PID 840 wrote to memory of 2348 840 cstealer.exe 100 PID 3780 wrote to memory of 1604 3780 hacn.exe 101 PID 3780 wrote to memory of 1604 3780 hacn.exe 101 PID 1604 wrote to memory of 1668 1604 cmd.exe 103 PID 1604 wrote to memory of 1668 1604 cmd.exe 103 PID 1604 wrote to memory of 1668 1604 cmd.exe 103 PID 2348 wrote to memory of 520 2348 cstealer.exe 104 PID 2348 wrote to memory of 520 2348 cstealer.exe 104 PID 1668 wrote to memory of 1736 1668 s.exe 106 PID 1668 wrote to memory of 1736 1668 s.exe 106 PID 520 wrote to memory of 3372 520 cmd.exe 107 PID 520 wrote to memory of 3372 520 cmd.exe 107 PID 1668 wrote to memory of 5108 1668 s.exe 108 PID 1668 wrote to memory of 5108 1668 s.exe 108 PID 3372 wrote to memory of 1136 3372 cstealer.exe 110 PID 3372 wrote to memory of 1136 3372 cstealer.exe 110 PID 1668 wrote to memory of 1436 1668 s.exe 109 PID 1668 wrote to memory of 1436 1668 s.exe 109 PID 2988 wrote to memory of 1928 2988 based.exe 111 PID 2988 wrote to memory of 1928 2988 based.exe 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:556
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
PID:1016
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:644
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:728
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:920
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵PID:440
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:380
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵PID:628
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵PID:1092
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:1108 -
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2924
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
PID:5580
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵PID:1192
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1216
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵PID:1240
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1252
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵PID:1376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1420
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1456
-
c:\windows\system32\sihost.exesihost.exe2⤵PID:2588
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵PID:1512
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵PID:1572
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵PID:1620
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1628
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1748
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵PID:1776
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1816
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵PID:1868
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2028
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵PID:2080
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2168
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵PID:2240
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2548
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2564
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵PID:2572
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2632
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2756
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2788
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵PID:2796
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2812
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2820
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2996
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵PID:3080
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe"C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"5⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"8⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:3400
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"11⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"14⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵PID:4376
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"17⤵
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵PID:1508
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet19⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"20⤵PID:3132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵PID:972
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet21⤵
- Executes dropped EXE
PID:10068 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet22⤵
- Executes dropped EXE
PID:5216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"23⤵PID:5732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵PID:5700
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet24⤵
- Executes dropped EXE
PID:7420 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet25⤵
- Executes dropped EXE
PID:6156 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"26⤵PID:6436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵PID:6448
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet27⤵
- Executes dropped EXE
PID:6868 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet28⤵
- Executes dropped EXE
PID:7056 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"29⤵PID:7272
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵PID:7276
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet30⤵
- Executes dropped EXE
PID:7584 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet31⤵
- Executes dropped EXE
PID:7796 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"32⤵PID:8008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:8020
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet33⤵
- Executes dropped EXE
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet34⤵
- Executes dropped EXE
PID:8132 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"35⤵PID:9288
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵PID:9296
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet36⤵
- Executes dropped EXE
PID:9316 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet37⤵
- Executes dropped EXE
PID:9392 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"38⤵PID:8324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵PID:8332
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet39⤵
- Executes dropped EXE
PID:8364 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet40⤵
- Executes dropped EXE
PID:8488 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"41⤵PID:8524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV142⤵PID:8532
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet42⤵
- Executes dropped EXE
PID:8564 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet43⤵
- Executes dropped EXE
PID:8676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"44⤵PID:8704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵PID:8708
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet45⤵
- Executes dropped EXE
PID:8740 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet46⤵
- Executes dropped EXE
PID:9640 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"47⤵PID:9440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵PID:9432
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet48⤵
- Executes dropped EXE
PID:9176 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet49⤵
- Executes dropped EXE
PID:9028 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"50⤵PID:1408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet51⤵
- Executes dropped EXE
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet52⤵
- Executes dropped EXE
PID:10108 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"53⤵PID:5240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV154⤵PID:5628
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet54⤵
- Executes dropped EXE
PID:5504 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet55⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"56⤵PID:5984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:5996
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet57⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet58⤵
- Executes dropped EXE
PID:5736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"59⤵PID:6392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵PID:3844
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet60⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet61⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"62⤵PID:6452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:6524
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet63⤵
- Executes dropped EXE
PID:6316 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet64⤵
- Executes dropped EXE
PID:6668 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"65⤵PID:6644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵PID:6484
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet66⤵
- Executes dropped EXE
PID:6712 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet67⤵
- Executes dropped EXE
PID:6936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"68⤵PID:6864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:6856
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet69⤵
- Executes dropped EXE
PID:7032 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet70⤵
- Executes dropped EXE
PID:6812 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"71⤵PID:7108
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵PID:7180
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet72⤵
- Executes dropped EXE
PID:7200 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet73⤵
- Executes dropped EXE
PID:6028 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"74⤵PID:7240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:7236
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet75⤵
- Executes dropped EXE
PID:976 -
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet76⤵
- Executes dropped EXE
PID:9872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"77⤵PID:424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet78⤵PID:10224
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet79⤵PID:7572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"80⤵PID:3864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet81⤵PID:7632
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet82⤵PID:3568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"83⤵PID:7708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵PID:7736
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet84⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet85⤵PID:2072
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"86⤵PID:3340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:8000
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet87⤵PID:8076
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet88⤵PID:7328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"89⤵PID:7832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵PID:7804
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet90⤵PID:7364
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet91⤵PID:9276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"92⤵PID:8212
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet93⤵PID:7424
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet94⤵PID:8104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"95⤵PID:8304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵PID:8296
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet96⤵PID:8256
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet97⤵PID:8480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"98⤵PID:8536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:8576
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet99⤵PID:8616
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet100⤵PID:7436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"101⤵PID:8752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1102⤵PID:5868
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet102⤵PID:8784
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet103⤵PID:8828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"104⤵PID:9484
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet105⤵PID:7428
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet106⤵PID:9052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"107⤵PID:1764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1108⤵PID:4524
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet108⤵PID:9516
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet109⤵PID:9728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"110⤵PID:9808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:9744
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet111⤵PID:9764
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet112⤵PID:10080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"113⤵PID:10236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1114⤵PID:5232
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet114⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet115⤵PID:5160
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"116⤵PID:6012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:6136
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet117⤵PID:6196
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet118⤵PID:5912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"119⤵PID:5916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1120⤵PID:5940
-
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet120⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\cstealer.exe"C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet121⤵PID:5676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"122⤵PID:9256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-